CVE-2018-0734

Timing attack against DSA

  • Severity Score: 5.9 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

*Credits: Samuel Weiser
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2017-11-30 CVE Reserved
  • 2018-10-30 CVE Published
  • 2024-05-01 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-385: Covert Timing Channel
CAPEC
References (31)
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Netapp | Cn1610 Firmware | - | - | Affected
in Netapp | Cn1610 | - | - | Safe
Openssl | Openssl | >= 1.0.2 <= 1.0.2p | - | Affected
Openssl | Openssl | >= 1.1.0 <= 1.1.0i | - | Affected
Openssl | Openssl | 1.1.1 | - | Affected
Canonical | Ubuntu Linux | 14.04 | lts | Affected
Canonical | Ubuntu Linux | 16.04 | lts | Affected
Canonical | Ubuntu Linux | 18.04 | lts | Affected
Canonical | Ubuntu Linux | 18.10 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected
Nodejs | Node.js | >= 6.0.0 <= 6.8.1 | - | Affected
Nodejs | Node.js | >= 6.9.0 < 6.15.0 | lts | Affected
Nodejs | Node.js | >= 8.0.0 <= 8.8.1 | - | Affected
Nodejs | Node.js | >= 8.9.0 < 8.14.0 | lts | Affected
Nodejs | Node.js | >= 10.0.0 <= 10.12.0 | - | Affected
Nodejs | Node.js | >= 11.0.0 < 11.3.0 | - | Affected
Nodejs | Node.js | 10.13.0 | lts | Affected
Netapp | Cloud Backup | - | - | Affected
Netapp | Oncommand Unified Manager | * | - | Affected
Netapp | Santricity Smi-s Provider | - | - | Affected
Netapp | Snapcenter | - | - | Affected
Netapp | Steelstore | - | - | Affected
Netapp | Storage Automation Store | - | - | Affected
Oracle | Api Gateway | 11.1.2.4.0 | - | Affected
Oracle | E-business Suite Technology Stack | 0.9.8 | - | Affected
Oracle | E-business Suite Technology Stack | 1.0.0 | - | Affected
Oracle | E-business Suite Technology Stack | 1.0.1 | - | Affected
Oracle | Enterprise Manager Base Platform | 12.1.0.5.0 | - | Affected
Oracle | Enterprise Manager Base Platform | 13.2.0.0.0 | - | Affected
Oracle | Enterprise Manager Base Platform | 13.3.0.0.0 | - | Affected
Oracle | Enterprise Manager Ops Center | 12.3.3 | - | Affected
Oracle | Mysql Enterprise Backup | >= 3.0 <= 3.12.3 | - | Affected
Oracle | Mysql Enterprise Backup | >= 4.0 <= 4.1.2 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.55 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.56 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.57 | - | Affected
Oracle | Primavera P6 Professional Project Management | >= 17.7 <= 17.12 | - | Affected
Oracle | Primavera P6 Professional Project Management | 8.4 | - | Affected
Oracle | Primavera P6 Professional Project Management | 15.1 | - | Affected
Oracle | Primavera P6 Professional Project Management | 15.2 | - | Affected
Oracle | Primavera P6 Professional Project Management | 16.1 | - | Affected
Oracle | Primavera P6 Professional Project Management | 16.2 | - | Affected
Oracle | Primavera P6 Professional Project Management | 18.8 | - | Affected
Oracle | Tuxedo | 12.1.1.0.0 | - | Affected