CVE-2018-0735

Name
CVE-2018-0735
Description
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Vendor Advisory https://www.openssl.org/news/secadv/20181029.txt
Patch https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
Patch https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1
Third Party Advisory http://www.securitytracker.com/id/1041986
Third Party Advisory http://www.securityfocus.com/bid/105750
Third Party Advisory https://security.netapp.com/advisory/ntap-20181105-0002/
Mailing List https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html
Third Party Advisory https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
Third Party Advisory https://www.debian.org/security/2018/dsa-4348
Third Party Advisory https://usn.ubuntu.com/3840-1/
Patch https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Patch https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
REDHAT https://access.redhat.com/errata/RHSA-2019:3700
MISC https://www.oracle.com/security-alerts/cpujan2020.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:* openssl == None == 1.1.1
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* openssl >= 1.1.0 <= 1.1.0i

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
openssl3 edge-main 1.1.1a-r0 None fixed
openssl1.1-compat edge-main 1.1.1a-r0 None fixed
openssl1.1-compat edge-community 1.1.1a-r0 None fixed
openssl1.1-compat 3.18-community 1.1.1a-r0 None fixed
openssl1.1-compat 3.17-community 1.1.1a-r0 None fixed
openssl edge-main 1.1.1a-r0 None fixed
openssl 3.22-main 1.1.1a-r0 None fixed
openssl 3.21-main 1.1.1a-r0 None fixed
openssl 3.20-main 1.1.1a-r0 None fixed
openssl 3.19-main 1.1.1a-r0 None fixed
openssl 3.18-main 1.1.1a-r0 None fixed
openssl 3.17-main 1.1.1a-r0 None fixed
openssl 3.12-main 1.1.1a-r0 None fixed
openssl 3.11-main 1.1.1a-r0 None fixed
openssl 3.10-main 1.1.1a-r0 None fixed
nodejs-current edge-community 11.3.0-r0 None fixed
nodejs-current 3.22-community 11.3.0-r0 None fixed
nodejs-current 3.21-community 11.3.0-r0 None fixed
nodejs-current 3.20-community 11.3.0-r0 None fixed
nodejs-current 3.19-community 11.3.0-r0 None fixed
nodejs-current 3.18-community 11.3.0-r0 None fixed
nodejs-current 3.17-community 11.3.0-r0 None fixed
nodejs edge-main 10.14.0-r0 None fixed
nodejs 3.22-main 10.14.0-r0 None fixed
nodejs 3.21-main 10.14.0-r0 None fixed
nodejs 3.20-main 10.14.0-r0 None fixed
nodejs 3.19-main 10.14.0-r0 None fixed
nodejs 3.18-main 10.14.0-r0 None fixed
nodejs 3.17-main 10.14.0-r0 None fixed
nodejs 3.12-main 10.14.0-r0 None fixed
nodejs 3.11-main 10.14.0-r0 None fixed
nodejs 3.10-main 10.14.0-r0 None fixed