Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2018-0734

Disclosure Date: October 30, 2018
CVE-2018-0734 CVSS v3 Base Score: 5.9
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
5.9 Medium
Impact Score:
3.6
Exploitability Score:
2.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
OpenSSL Fixed in OpenSSL 1.1.1a (Affected 1.1.1)
OpenSSL Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)
OpenSSL Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p)
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • canonical,
  • debian,
  • netapp,
  • nodejs,
  • openssl,
  • oracle

Products

  • api gateway 11.1.2.4.0,
  • cloud backup -,
  • cn1610 firmware -,
  • debian linux 9.0,
  • e-business suite technology stack 0.9.8,
  • e-business suite technology stack 1.0.0,
  • e-business suite technology stack 1.0.1,
  • enterprise manager base platform 12.1.0.5.0,
  • enterprise manager base platform 13.2.0.0.0,
  • enterprise manager base platform 13.3.0.0.0,
  • enterprise manager ops center 12.3.3,
  • mysql enterprise backup,
  • node.js,
  • node.js 10.13.0,
  • oncommand unified manager,
  • openssl,
  • openssl 1.1.1,
  • peoplesoft enterprise peopletools 8.55,
  • peoplesoft enterprise peopletools 8.56,
  • peoplesoft enterprise peopletools 8.57,
  • primavera p6 professional project management,
  • primavera p6 professional project management 15.1,
  • primavera p6 professional project management 15.2,
  • primavera p6 professional project management 16.1,
  • primavera p6 professional project management 16.2,
  • primavera p6 professional project management 18.8,
  • primavera p6 professional project management 8.4,
  • santricity smi-s provider -,
  • snapcenter -,
  • steelstore -,
  • storage automation store -,
  • tuxedo 12.1.1.0.0,
  • ubuntu linux 14.04,
  • ubuntu linux 16.04,
  • ubuntu linux 18.04,
  • ubuntu linux 18.10

References

Canonical
CVE-2018-0734 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734)
BID-105758 (http://www.securityfocus.com/bid/105758)
Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
USN-3840-1 (https://usn.ubuntu.com/3840-1)
DSA-4355 (https://www.debian.org/security/2018/dsa-4355)
https://security.netapp.com/advisory/ntap-20181105-0002
https://git.openssl.org/gitweb?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f
https://www.tenable.com/security/tns-2018-17
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases
https://www.tenable.com/security/tns-2018-16
https://git.openssl.org/gitweb?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7
DSA-4348 (https://www.debian.org/security/2018/dsa-4348)
https://git.openssl.org/gitweb?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac
https://www.openssl.org/news/secadv/20181030.txt
https://security.netapp.com/advisory/ntap-20190118-0002
https://security.netapp.com/advisory/ntap-20190423-0002
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html
https://access.redhat.com/errata/RHSA-2019:2304
FEDORA-2019-db06efdea1 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM)
FEDORA-2019-00c25b9379 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V)
FEDORA-2019-9a0a7c0986 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z)
https://access.redhat.com/errata/RHSA-2019:3700
https://access.redhat.com/errata/RHSA-2019:3933
https://access.redhat.com/errata/RHSA-2019:3935
https://access.redhat.com/errata/RHSA-2019:3932
Miscellaneous
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpuapr2020.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis