csaf_redhat - rhsa-2019

rhsa-2019_3700

Vulnerability from csaf_redhat

Published

2019-11-05 22:28

Modified

2024-09-16 02:31

Summary

Red Hat Security Advisory: openssl security, bug fix, and enhancement update

Notes

Topic

An update for openssl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. The following packages have been upgraded to a later upstream version: openssl (1.1.1c). (BZ#1643026) Security Fix(es): * openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734) * openssl: timing side channel attack in the ECDSA signature generation (CVE-2018-0735) * openssl: ChaCha20-Poly1305 with long nonces (CVE-2019-1543) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for openssl is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.\n\nThe following packages have been upgraded to a later upstream version: openssl (1.1.1c). (BZ#1643026)\n\nSecurity Fix(es):\n\n* openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734)\n\n* openssl: timing side channel attack in the ECDSA signature generation (CVE-2018-0735)\n\n* openssl: ChaCha20-Poly1305 with long nonces (CVE-2019-1543)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2019:3700",
        "url": "https://access.redhat.com/errata/RHSA-2019:3700"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#low",
        "url": "https://access.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/"
      },
      {
        "category": "external",
        "summary": "1644356",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1644356"
      },
      {
        "category": "external",
        "summary": "1644364",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1644364"
      },
      {
        "category": "external",
        "summary": "1668880",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668880"
      },
      {
        "category": "external",
        "summary": "1686058",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686058"
      },
      {
        "category": "external",
        "summary": "1686548",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686548"
      },
      {
        "category": "external",
        "summary": "1695954",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695954"
      },
      {
        "category": "external",
        "summary": "1697915",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1697915"
      },
      {
        "category": "external",
        "summary": "1706104",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1706104"
      },
      {
        "category": "external",
        "summary": "1706915",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1706915"
      },
      {
        "category": "external",
        "summary": "1712023",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712023"
      },
      {
        "category": "external",
        "summary": "1714245",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1714245"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2019/rhsa-2019_3700.json"
      }
    ],
    "title": "Red Hat Security Advisory: openssl security, bug fix, and enhancement update",
    "tracking": {
      "current_release_date": "2024-09-16T02:31:44+00:00",
      "generator": {
        "date": "2024-09-16T02:31:44+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2019:3700",
      "initial_release_date": "2019-11-05T22:28:48+00:00",
      "revision_history": [
        {
          "date": "2019-11-05T22:28:48+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-11-05T22:28:48+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-16T02:31:44+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux BaseOS (v. 8)",
                "product": {
                  "name": "Red Hat Enterprise Linux BaseOS (v. 8)",
                  "product_id": "BaseOS-8.1.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:8::baseos"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openssl-libs-1:1.1.1c-2.el8.aarch64",
                "product": {
                  "name": "openssl-libs-1:1.1.1c-2.el8.aarch64",
                  "product_id": "openssl-libs-1:1.1.1c-2.el8.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-libs@1.1.1c-2.el8?arch=aarch64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
                "product": {
                  "name": "openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
                  "product_id": "openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-debuginfo@1.1.1c-2.el8?arch=aarch64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-perl-1:1.1.1c-2.el8.aarch64",
                "product": {
                  "name": "openssl-perl-1:1.1.1c-2.el8.aarch64",
                  "product_id": "openssl-perl-1:1.1.1c-2.el8.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-perl@1.1.1c-2.el8?arch=aarch64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-devel-1:1.1.1c-2.el8.aarch64",
                "product": {
                  "name": "openssl-devel-1:1.1.1c-2.el8.aarch64",
                  "product_id": "openssl-devel-1:1.1.1c-2.el8.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-devel@1.1.1c-2.el8?arch=aarch64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-debugsource-1:1.1.1c-2.el8.aarch64",
                "product": {
                  "name": "openssl-debugsource-1:1.1.1c-2.el8.aarch64",
                  "product_id": "openssl-debugsource-1:1.1.1c-2.el8.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-debugsource@1.1.1c-2.el8?arch=aarch64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-1:1.1.1c-2.el8.aarch64",
                "product": {
                  "name": "openssl-1:1.1.1c-2.el8.aarch64",
                  "product_id": "openssl-1:1.1.1c-2.el8.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl@1.1.1c-2.el8?arch=aarch64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
                "product": {
                  "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
                  "product_id": "openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-libs-debuginfo@1.1.1c-2.el8?arch=aarch64\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openssl-libs-1:1.1.1c-2.el8.x86_64",
                "product": {
                  "name": "openssl-libs-1:1.1.1c-2.el8.x86_64",
                  "product_id": "openssl-libs-1:1.1.1c-2.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-libs@1.1.1c-2.el8?arch=x86_64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
                "product": {
                  "name": "openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
                  "product_id": "openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-debuginfo@1.1.1c-2.el8?arch=x86_64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-perl-1:1.1.1c-2.el8.x86_64",
                "product": {
                  "name": "openssl-perl-1:1.1.1c-2.el8.x86_64",
                  "product_id": "openssl-perl-1:1.1.1c-2.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-perl@1.1.1c-2.el8?arch=x86_64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-devel-1:1.1.1c-2.el8.x86_64",
                "product": {
                  "name": "openssl-devel-1:1.1.1c-2.el8.x86_64",
                  "product_id": "openssl-devel-1:1.1.1c-2.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-devel@1.1.1c-2.el8?arch=x86_64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-debugsource-1:1.1.1c-2.el8.x86_64",
                "product": {
                  "name": "openssl-debugsource-1:1.1.1c-2.el8.x86_64",
                  "product_id": "openssl-debugsource-1:1.1.1c-2.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-debugsource@1.1.1c-2.el8?arch=x86_64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-1:1.1.1c-2.el8.x86_64",
                "product": {
                  "name": "openssl-1:1.1.1c-2.el8.x86_64",
                  "product_id": "openssl-1:1.1.1c-2.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl@1.1.1c-2.el8?arch=x86_64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
                "product": {
                  "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
                  "product_id": "openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-libs-debuginfo@1.1.1c-2.el8?arch=x86_64\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openssl-libs-1:1.1.1c-2.el8.i686",
                "product": {
                  "name": "openssl-libs-1:1.1.1c-2.el8.i686",
                  "product_id": "openssl-libs-1:1.1.1c-2.el8.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-libs@1.1.1c-2.el8?arch=i686\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-debuginfo-1:1.1.1c-2.el8.i686",
                "product": {
                  "name": "openssl-debuginfo-1:1.1.1c-2.el8.i686",
                  "product_id": "openssl-debuginfo-1:1.1.1c-2.el8.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-debuginfo@1.1.1c-2.el8?arch=i686\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-devel-1:1.1.1c-2.el8.i686",
                "product": {
                  "name": "openssl-devel-1:1.1.1c-2.el8.i686",
                  "product_id": "openssl-devel-1:1.1.1c-2.el8.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-devel@1.1.1c-2.el8?arch=i686\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-debugsource-1:1.1.1c-2.el8.i686",
                "product": {
                  "name": "openssl-debugsource-1:1.1.1c-2.el8.i686",
                  "product_id": "openssl-debugsource-1:1.1.1c-2.el8.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-debugsource@1.1.1c-2.el8?arch=i686\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
                "product": {
                  "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
                  "product_id": "openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-libs-debuginfo@1.1.1c-2.el8?arch=i686\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openssl-libs-1:1.1.1c-2.el8.s390x",
                "product": {
                  "name": "openssl-libs-1:1.1.1c-2.el8.s390x",
                  "product_id": "openssl-libs-1:1.1.1c-2.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-libs@1.1.1c-2.el8?arch=s390x\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-debuginfo-1:1.1.1c-2.el8.s390x",
                "product": {
                  "name": "openssl-debuginfo-1:1.1.1c-2.el8.s390x",
                  "product_id": "openssl-debuginfo-1:1.1.1c-2.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-debuginfo@1.1.1c-2.el8?arch=s390x\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-perl-1:1.1.1c-2.el8.s390x",
                "product": {
                  "name": "openssl-perl-1:1.1.1c-2.el8.s390x",
                  "product_id": "openssl-perl-1:1.1.1c-2.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-perl@1.1.1c-2.el8?arch=s390x\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-devel-1:1.1.1c-2.el8.s390x",
                "product": {
                  "name": "openssl-devel-1:1.1.1c-2.el8.s390x",
                  "product_id": "openssl-devel-1:1.1.1c-2.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-devel@1.1.1c-2.el8?arch=s390x\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-debugsource-1:1.1.1c-2.el8.s390x",
                "product": {
                  "name": "openssl-debugsource-1:1.1.1c-2.el8.s390x",
                  "product_id": "openssl-debugsource-1:1.1.1c-2.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-debugsource@1.1.1c-2.el8?arch=s390x\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-1:1.1.1c-2.el8.s390x",
                "product": {
                  "name": "openssl-1:1.1.1c-2.el8.s390x",
                  "product_id": "openssl-1:1.1.1c-2.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl@1.1.1c-2.el8?arch=s390x\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
                "product": {
                  "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
                  "product_id": "openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-libs-debuginfo@1.1.1c-2.el8?arch=s390x\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openssl-libs-1:1.1.1c-2.el8.ppc64le",
                "product": {
                  "name": "openssl-libs-1:1.1.1c-2.el8.ppc64le",
                  "product_id": "openssl-libs-1:1.1.1c-2.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-libs@1.1.1c-2.el8?arch=ppc64le\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
                "product": {
                  "name": "openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
                  "product_id": "openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-debuginfo@1.1.1c-2.el8?arch=ppc64le\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-perl-1:1.1.1c-2.el8.ppc64le",
                "product": {
                  "name": "openssl-perl-1:1.1.1c-2.el8.ppc64le",
                  "product_id": "openssl-perl-1:1.1.1c-2.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-perl@1.1.1c-2.el8?arch=ppc64le\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-devel-1:1.1.1c-2.el8.ppc64le",
                "product": {
                  "name": "openssl-devel-1:1.1.1c-2.el8.ppc64le",
                  "product_id": "openssl-devel-1:1.1.1c-2.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-devel@1.1.1c-2.el8?arch=ppc64le\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
                "product": {
                  "name": "openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
                  "product_id": "openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-debugsource@1.1.1c-2.el8?arch=ppc64le\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-1:1.1.1c-2.el8.ppc64le",
                "product": {
                  "name": "openssl-1:1.1.1c-2.el8.ppc64le",
                  "product_id": "openssl-1:1.1.1c-2.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl@1.1.1c-2.el8?arch=ppc64le\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
                "product": {
                  "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
                  "product_id": "openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-libs-debuginfo@1.1.1c-2.el8?arch=ppc64le\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openssl-1:1.1.1c-2.el8.src",
                "product": {
                  "name": "openssl-1:1.1.1c-2.el8.src",
                  "product_id": "openssl-1:1.1.1c-2.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl@1.1.1c-2.el8?arch=src\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-1:1.1.1c-2.el8.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.aarch64"
        },
        "product_reference": "openssl-1:1.1.1c-2.el8.aarch64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-1:1.1.1c-2.el8.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.ppc64le"
        },
        "product_reference": "openssl-1:1.1.1c-2.el8.ppc64le",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-1:1.1.1c-2.el8.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.s390x"
        },
        "product_reference": "openssl-1:1.1.1c-2.el8.s390x",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-1:1.1.1c-2.el8.src as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.src"
        },
        "product_reference": "openssl-1:1.1.1c-2.el8.src",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-1:1.1.1c-2.el8.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.x86_64"
        },
        "product_reference": "openssl-1:1.1.1c-2.el8.x86_64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-debuginfo-1:1.1.1c-2.el8.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.aarch64"
        },
        "product_reference": "openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-debuginfo-1:1.1.1c-2.el8.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.i686"
        },
        "product_reference": "openssl-debuginfo-1:1.1.1c-2.el8.i686",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-debuginfo-1:1.1.1c-2.el8.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.ppc64le"
        },
        "product_reference": "openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-debuginfo-1:1.1.1c-2.el8.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.s390x"
        },
        "product_reference": "openssl-debuginfo-1:1.1.1c-2.el8.s390x",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-debuginfo-1:1.1.1c-2.el8.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.x86_64"
        },
        "product_reference": "openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-debugsource-1:1.1.1c-2.el8.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.aarch64"
        },
        "product_reference": "openssl-debugsource-1:1.1.1c-2.el8.aarch64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-debugsource-1:1.1.1c-2.el8.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.i686"
        },
        "product_reference": "openssl-debugsource-1:1.1.1c-2.el8.i686",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-debugsource-1:1.1.1c-2.el8.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.ppc64le"
        },
        "product_reference": "openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-debugsource-1:1.1.1c-2.el8.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.s390x"
        },
        "product_reference": "openssl-debugsource-1:1.1.1c-2.el8.s390x",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-debugsource-1:1.1.1c-2.el8.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.x86_64"
        },
        "product_reference": "openssl-debugsource-1:1.1.1c-2.el8.x86_64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-devel-1:1.1.1c-2.el8.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.aarch64"
        },
        "product_reference": "openssl-devel-1:1.1.1c-2.el8.aarch64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-devel-1:1.1.1c-2.el8.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.i686"
        },
        "product_reference": "openssl-devel-1:1.1.1c-2.el8.i686",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-devel-1:1.1.1c-2.el8.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.ppc64le"
        },
        "product_reference": "openssl-devel-1:1.1.1c-2.el8.ppc64le",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-devel-1:1.1.1c-2.el8.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.s390x"
        },
        "product_reference": "openssl-devel-1:1.1.1c-2.el8.s390x",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-devel-1:1.1.1c-2.el8.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.x86_64"
        },
        "product_reference": "openssl-devel-1:1.1.1c-2.el8.x86_64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-libs-1:1.1.1c-2.el8.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.aarch64"
        },
        "product_reference": "openssl-libs-1:1.1.1c-2.el8.aarch64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-libs-1:1.1.1c-2.el8.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.i686"
        },
        "product_reference": "openssl-libs-1:1.1.1c-2.el8.i686",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-libs-1:1.1.1c-2.el8.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.ppc64le"
        },
        "product_reference": "openssl-libs-1:1.1.1c-2.el8.ppc64le",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-libs-1:1.1.1c-2.el8.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.s390x"
        },
        "product_reference": "openssl-libs-1:1.1.1c-2.el8.s390x",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-libs-1:1.1.1c-2.el8.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.x86_64"
        },
        "product_reference": "openssl-libs-1:1.1.1c-2.el8.x86_64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64"
        },
        "product_reference": "openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.i686"
        },
        "product_reference": "openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le"
        },
        "product_reference": "openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x"
        },
        "product_reference": "openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64"
        },
        "product_reference": "openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-perl-1:1.1.1c-2.el8.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.aarch64"
        },
        "product_reference": "openssl-perl-1:1.1.1c-2.el8.aarch64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-perl-1:1.1.1c-2.el8.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.ppc64le"
        },
        "product_reference": "openssl-perl-1:1.1.1c-2.el8.ppc64le",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-perl-1:1.1.1c-2.el8.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.s390x"
        },
        "product_reference": "openssl-perl-1:1.1.1c-2.el8.s390x",
        "relates_to_product_reference": "BaseOS-8.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-perl-1:1.1.1c-2.el8.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.x86_64"
        },
        "product_reference": "openssl-perl-1:1.1.1c-2.el8.x86_64",
        "relates_to_product_reference": "BaseOS-8.1.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-0734",
      "cwe": {
        "id": "CWE-385",
        "name": "Covert Timing Channel"
      },
      "discovery_date": "2018-10-30T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1644364"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: timing side channel attack in the DSA signature algorithm",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.src",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-0734"
        },
        {
          "category": "external",
          "summary": "RHBZ#1644364",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1644364"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-0734",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-0734"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-0734",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0734"
        }
      ],
      "release_date": "2018-10-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.",
          "product_ids": [
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.src",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:3700"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.src",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openssl: timing side channel attack in the DSA signature algorithm"
    },
    {
      "cve": "CVE-2018-0735",
      "cwe": {
        "id": "CWE-385",
        "name": "Covert Timing Channel"
      },
      "discovery_date": "2018-10-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1644356"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: timing side channel attack in the ECDSA signature generation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.src",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-0735"
        },
        {
          "category": "external",
          "summary": "RHBZ#1644356",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1644356"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-0735",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-0735"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-0735",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0735"
        }
      ],
      "release_date": "2018-10-25T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.",
          "product_ids": [
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.src",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:3700"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.src",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openssl: timing side channel attack in the ECDSA signature generation"
    },
    {
      "cve": "CVE-2019-1543",
      "cwe": {
        "id": "CWE-323",
        "name": "Reusing a Nonce, Key Pair in Encryption"
      },
      "discovery_date": "2019-03-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1695954"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: ChaCha20-Poly1305 with long nonces",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.src",
          "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.aarch64",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.ppc64le",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.s390x",
          "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-1543"
        },
        {
          "category": "external",
          "summary": "RHBZ#1695954",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695954"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-1543",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-1543"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-1543",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1543"
        }
      ],
      "release_date": "2019-03-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.",
          "product_ids": [
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.src",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:3700"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.src",
            "BaseOS-8.1.0:openssl-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-debugsource-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-devel-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.i686",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-libs-debuginfo-1:1.1.1c-2.el8.x86_64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.aarch64",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.ppc64le",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.s390x",
            "BaseOS-8.1.0:openssl-perl-1:1.1.1c-2.el8.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openssl: ChaCha20-Poly1305 with long nonces"
    }
  ]
}

cve-2018-0735

Vulnerability from cvelistv5

Published

2018-10-29 13:00

Modified

2024-09-16 19:10

Severity

Summary

Timing attack against ECDSA signature generation

References

URL	Tags
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56fb454d281a023b3f950d969693553d3f3ceea1	x_refsource_CONFIRM
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	x_refsource_CONFIRM
http://www.securityfocus.com/bid/105750	vdb-entry, x_refsource_BID
https://usn.ubuntu.com/3840-1/	vendor-advisory, x_refsource_UBUNTU
https://security.netapp.com/advisory/ntap-20181105-0002/	x_refsource_CONFIRM
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/	x_refsource_CONFIRM
http://www.securitytracker.com/id/1041986	vdb-entry, x_refsource_SECTRACK
https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html	mailing-list, x_refsource_MLIST
https://www.debian.org/security/2018/dsa-4348	vendor-advisory, x_refsource_DEBIAN
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4	x_refsource_CONFIRM
https://www.openssl.org/news/secadv/20181029.txt	x_refsource_CONFIRM
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	x_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	x_refsource_MISC
https://access.redhat.com/errata/RHSA-2019:3700	vendor-advisory, x_refsource_REDHAT
https://www.oracle.com/security-alerts/cpujan2020.html	x_refsource_MISC

Impacted products

Vendor	Product
OpenSSL	OpenSSL

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:35:49.247Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56fb454d281a023b3f950d969693553d3f3ceea1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
          },
          {
            "name": "105750",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105750"
          },
          {
            "name": "USN-3840-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3840-1/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20181105-0002/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
          },
          {
            "name": "1041986",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041986"
          },
          {
            "name": "[debian-lts-announce] 20181121 [SECURITY] [DLA 1586-1] openssl security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html"
          },
          {
            "name": "DSA-4348",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4348"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.openssl.org/news/secadv/20181029.txt"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
          },
          {
            "name": "RHSA-2019:3700",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3700"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.1a (Affected 1.1.1)"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Samuel Weiser"
        }
      ],
      "datePublic": "2018-10-29T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1)."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "lang": "eng",
              "url": "https://www.openssl.org/policies/secpolicy.html#Low",
              "value": "Low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Constant time issue",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-15T19:15:21",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56fb454d281a023b3f950d969693553d3f3ceea1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
        },
        {
          "name": "105750",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/105750"
        },
        {
          "name": "USN-3840-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3840-1/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20181105-0002/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
        },
        {
          "name": "1041986",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041986"
        },
        {
          "name": "[debian-lts-announce] 20181121 [SECURITY] [DLA 1586-1] openssl security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html"
        },
        {
          "name": "DSA-4348",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4348"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.openssl.org/news/secadv/20181029.txt"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
        },
        {
          "name": "RHSA-2019:3700",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3700"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
        }
      ],
      "title": "Timing attack against ECDSA signature generation",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "openssl-security@openssl.org",
          "DATE_PUBLIC": "2018-10-29",
          "ID": "CVE-2018-0735",
          "STATE": "PUBLIC",
          "TITLE": "Timing attack against ECDSA signature generation"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "OpenSSL",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)"
                          },
                          {
                            "version_value": "Fixed in OpenSSL 1.1.1a (Affected 1.1.1)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "OpenSSL"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Samuel Weiser"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1)."
            }
          ]
        },
        "impact": [
          {
            "lang": "eng",
            "url": "https://www.openssl.org/policies/secpolicy.html#Low",
            "value": "Low"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Constant time issue"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1",
              "refsource": "CONFIRM",
              "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
              "refsource": "CONFIRM",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "name": "105750",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/105750"
            },
            {
              "name": "USN-3840-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3840-1/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20181105-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20181105-0002/"
            },
            {
              "name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
            },
            {
              "name": "1041986",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041986"
            },
            {
              "name": "[debian-lts-announce] 20181121 [SECURITY] [DLA 1586-1] openssl security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html"
            },
            {
              "name": "DSA-4348",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4348"
            },
            {
              "name": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4",
              "refsource": "CONFIRM",
              "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4"
            },
            {
              "name": "https://www.openssl.org/news/secadv/20181029.txt",
              "refsource": "CONFIRM",
              "url": "https://www.openssl.org/news/secadv/20181029.txt"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
            },
            {
              "name": "RHSA-2019:3700",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3700"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2018-0735",
    "datePublished": "2018-10-29T13:00:00Z",
    "dateReserved": "2017-11-30T00:00:00",
    "dateUpdated": "2024-09-16T19:10:32.005Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-0734

Vulnerability from cvelistv5

Published

2018-10-30 12:00

Modified

2024-09-16 23:10

Severity

Summary

Timing attack against DSA

References

URL	Tags
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	x_refsource_CONFIRM
https://usn.ubuntu.com/3840-1/	vendor-advisory, x_refsource_UBUNTU
https://www.debian.org/security/2018/dsa-4355	vendor-advisory, x_refsource_DEBIAN
https://security.netapp.com/advisory/ntap-20181105-0002/	x_refsource_CONFIRM
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8abfe72e8c1de1b95f50aa0d9134803b4d00070f	x_refsource_CONFIRM
https://www.tenable.com/security/tns-2018-17	x_refsource_CONFIRM
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/	x_refsource_CONFIRM
https://www.tenable.com/security/tns-2018-16	x_refsource_CONFIRM
http://www.securityfocus.com/bid/105758	vdb-entry, x_refsource_BID
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ef11e19d1365eea2b1851e6f540a0bf365d303e7	x_refsource_CONFIRM
https://www.debian.org/security/2018/dsa-4348	vendor-advisory, x_refsource_DEBIAN
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=43e6a58d4991a451daf4891ff05a48735df871ac	x_refsource_CONFIRM
https://www.openssl.org/news/secadv/20181030.txt	x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20190118-0002/	x_refsource_CONFIRM
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-20190423-0002/	x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html	vendor-advisory, x_refsource_SUSE
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	x_refsource_MISC
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html	vendor-advisory, x_refsource_SUSE
https://access.redhat.com/errata/RHSA-2019:2304	vendor-advisory, x_refsource_REDHAT
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/	vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/	vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/	vendor-advisory, x_refsource_FEDORA
https://access.redhat.com/errata/RHSA-2019:3700	vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3933	vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3935	vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3932	vendor-advisory, x_refsource_REDHAT
https://www.oracle.com/security-alerts/cpujan2020.html	x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2020.html	x_refsource_MISC

Impacted products

Vendor	Product
OpenSSL	OpenSSL

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:35:49.290Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
          },
          {
            "name": "USN-3840-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3840-1/"
          },
          {
            "name": "DSA-4355",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4355"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20181105-0002/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8abfe72e8c1de1b95f50aa0d9134803b4d00070f"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2018-17"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2018-16"
          },
          {
            "name": "105758",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105758"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ef11e19d1365eea2b1851e6f540a0bf365d303e7"
          },
          {
            "name": "DSA-4348",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4348"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=43e6a58d4991a451daf4891ff05a48735df871ac"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.openssl.org/news/secadv/20181030.txt"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190118-0002/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190423-0002/"
          },
          {
            "name": "openSUSE-SU-2019:1547",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
          },
          {
            "name": "openSUSE-SU-2019:1814",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html"
          },
          {
            "name": "RHSA-2019:2304",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2304"
          },
          {
            "name": "FEDORA-2019-db06efdea1",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/"
          },
          {
            "name": "FEDORA-2019-00c25b9379",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"
          },
          {
            "name": "FEDORA-2019-9a0a7c0986",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"
          },
          {
            "name": "RHSA-2019:3700",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3700"
          },
          {
            "name": "RHSA-2019:3933",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3933"
          },
          {
            "name": "RHSA-2019:3935",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3935"
          },
          {
            "name": "RHSA-2019:3932",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3932"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.1a (Affected 1.1.1)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p)"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Samuel Weiser"
        }
      ],
      "datePublic": "2018-10-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p)."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "lang": "eng",
              "url": "https://www.openssl.org/policies/secpolicy.html#Low",
              "value": "Low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Constant time issue",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-15T21:06:42",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
        },
        {
          "name": "USN-3840-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3840-1/"
        },
        {
          "name": "DSA-4355",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4355"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20181105-0002/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8abfe72e8c1de1b95f50aa0d9134803b4d00070f"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.tenable.com/security/tns-2018-17"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.tenable.com/security/tns-2018-16"
        },
        {
          "name": "105758",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/105758"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ef11e19d1365eea2b1851e6f540a0bf365d303e7"
        },
        {
          "name": "DSA-4348",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4348"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=43e6a58d4991a451daf4891ff05a48735df871ac"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.openssl.org/news/secadv/20181030.txt"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190118-0002/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190423-0002/"
        },
        {
          "name": "openSUSE-SU-2019:1547",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
        },
        {
          "name": "openSUSE-SU-2019:1814",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html"
        },
        {
          "name": "RHSA-2019:2304",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2304"
        },
        {
          "name": "FEDORA-2019-db06efdea1",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/"
        },
        {
          "name": "FEDORA-2019-00c25b9379",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"
        },
        {
          "name": "FEDORA-2019-9a0a7c0986",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"
        },
        {
          "name": "RHSA-2019:3700",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3700"
        },
        {
          "name": "RHSA-2019:3933",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3933"
        },
        {
          "name": "RHSA-2019:3935",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3935"
        },
        {
          "name": "RHSA-2019:3932",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3932"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        }
      ],
      "title": "Timing attack against DSA",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "openssl-security@openssl.org",
          "DATE_PUBLIC": "2018-10-30",
          "ID": "CVE-2018-0734",
          "STATE": "PUBLIC",
          "TITLE": "Timing attack against DSA"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "OpenSSL",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in OpenSSL 1.1.1a (Affected 1.1.1)"
                          },
                          {
                            "version_value": "Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)"
                          },
                          {
                            "version_value": "Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "OpenSSL"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Samuel Weiser"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p)."
            }
          ]
        },
        "impact": [
          {
            "lang": "eng",
            "url": "https://www.openssl.org/policies/secpolicy.html#Low",
            "value": "Low"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Constant time issue"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
              "refsource": "CONFIRM",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "name": "USN-3840-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3840-1/"
            },
            {
              "name": "DSA-4355",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4355"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20181105-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20181105-0002/"
            },
            {
              "name": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f",
              "refsource": "CONFIRM",
              "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f"
            },
            {
              "name": "https://www.tenable.com/security/tns-2018-17",
              "refsource": "CONFIRM",
              "url": "https://www.tenable.com/security/tns-2018-17"
            },
            {
              "name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
            },
            {
              "name": "https://www.tenable.com/security/tns-2018-16",
              "refsource": "CONFIRM",
              "url": "https://www.tenable.com/security/tns-2018-16"
            },
            {
              "name": "105758",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/105758"
            },
            {
              "name": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7",
              "refsource": "CONFIRM",
              "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7"
            },
            {
              "name": "DSA-4348",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4348"
            },
            {
              "name": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac",
              "refsource": "CONFIRM",
              "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac"
            },
            {
              "name": "https://www.openssl.org/news/secadv/20181030.txt",
              "refsource": "CONFIRM",
              "url": "https://www.openssl.org/news/secadv/20181030.txt"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190118-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190118-0002/"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190423-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190423-0002/"
            },
            {
              "name": "openSUSE-SU-2019:1547",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
            },
            {
              "name": "openSUSE-SU-2019:1814",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html"
            },
            {
              "name": "RHSA-2019:2304",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2304"
            },
            {
              "name": "FEDORA-2019-db06efdea1",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/"
            },
            {
              "name": "FEDORA-2019-00c25b9379",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"
            },
            {
              "name": "FEDORA-2019-9a0a7c0986",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"
            },
            {
              "name": "RHSA-2019:3700",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3700"
            },
            {
              "name": "RHSA-2019:3933",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3933"
            },
            {
              "name": "RHSA-2019:3935",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3935"
            },
            {
              "name": "RHSA-2019:3932",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3932"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2018-0734",
    "datePublished": "2018-10-30T12:00:00Z",
    "dateReserved": "2017-11-30T00:00:00",
    "dateUpdated": "2024-09-16T23:10:36.543Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-1543

Vulnerability from cvelistv5

Published

2019-03-06 21:00

Modified

2024-09-16 17:43

Severity

Summary

ChaCha20-Poly1305 with long nonces

References

URL	Tags
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f426625b6ae9a7831010750490a5f0ad689c5ba3	x_refsource_CONFIRM
https://www.openssl.org/news/secadv/20190306.txt	x_refsource_CONFIRM
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ee22257b1418438ebaf54df98af4e24f494d1809	x_refsource_CONFIRM
https://seclists.org/bugtraq/2019/Jul/3	mailing-list, x_refsource_BUGTRAQ
https://www.debian.org/security/2019/dsa-4475	vendor-advisory, x_refsource_DEBIAN
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	x_refsource_MISC
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html	vendor-advisory, x_refsource_SUSE
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/	vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/	vendor-advisory, x_refsource_FEDORA
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	x_refsource_MISC
https://access.redhat.com/errata/RHSA-2019:3700	vendor-advisory, x_refsource_REDHAT
https://www.oracle.com/security-alerts/cpuapr2020.html	x_refsource_MISC
https://kc.mcafee.com/corporate/index?page=content&id=SB10365	x_refsource_CONFIRM

Impacted products

Vendor	Product
OpenSSL	OpenSSL

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T18:20:27.631Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f426625b6ae9a7831010750490a5f0ad689c5ba3"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.openssl.org/news/secadv/20190306.txt"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ee22257b1418438ebaf54df98af4e24f494d1809"
          },
          {
            "name": "20190701 [SECURITY] [DSA 4475-1] openssl security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Jul/3"
          },
          {
            "name": "DSA-4475",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4475"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
          },
          {
            "name": "openSUSE-SU-2019:1814",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html"
          },
          {
            "name": "FEDORA-2019-00c25b9379",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"
          },
          {
            "name": "FEDORA-2019-9a0a7c0986",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
          },
          {
            "name": "RHSA-2019:3700",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3700"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j)"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Joran Dirk Greef of Ronomon"
        }
      ],
      "datePublic": "2019-03-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j)."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "lang": "eng",
              "url": "https://www.openssl.org/policies/secpolicy.html#Low",
              "value": "Low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Nonce Reuse",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-31T07:06:28",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f426625b6ae9a7831010750490a5f0ad689c5ba3"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.openssl.org/news/secadv/20190306.txt"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ee22257b1418438ebaf54df98af4e24f494d1809"
        },
        {
          "name": "20190701 [SECURITY] [DSA 4475-1] openssl security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Jul/3"
        },
        {
          "name": "DSA-4475",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4475"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
        },
        {
          "name": "openSUSE-SU-2019:1814",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html"
        },
        {
          "name": "FEDORA-2019-00c25b9379",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"
        },
        {
          "name": "FEDORA-2019-9a0a7c0986",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
        },
        {
          "name": "RHSA-2019:3700",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3700"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365"
        }
      ],
      "title": "ChaCha20-Poly1305 with long nonces",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "openssl-security@openssl.org",
          "DATE_PUBLIC": "2019-03-06",
          "ID": "CVE-2019-1543",
          "STATE": "PUBLIC",
          "TITLE": "ChaCha20-Poly1305 with long nonces"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "OpenSSL",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b)"
                          },
                          {
                            "version_value": "Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "OpenSSL"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Joran Dirk Greef of Ronomon"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j)."
            }
          ]
        },
        "impact": [
          {
            "lang": "eng",
            "url": "https://www.openssl.org/policies/secpolicy.html#Low",
            "value": "Low"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Nonce Reuse"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f426625b6ae9a7831010750490a5f0ad689c5ba3",
              "refsource": "CONFIRM",
              "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f426625b6ae9a7831010750490a5f0ad689c5ba3"
            },
            {
              "name": "https://www.openssl.org/news/secadv/20190306.txt",
              "refsource": "CONFIRM",
              "url": "https://www.openssl.org/news/secadv/20190306.txt"
            },
            {
              "name": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ee22257b1418438ebaf54df98af4e24f494d1809",
              "refsource": "CONFIRM",
              "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ee22257b1418438ebaf54df98af4e24f494d1809"
            },
            {
              "name": "20190701 [SECURITY] [DSA 4475-1] openssl security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Jul/3"
            },
            {
              "name": "DSA-4475",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4475"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
            },
            {
              "name": "openSUSE-SU-2019:1814",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html"
            },
            {
              "name": "FEDORA-2019-00c25b9379",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"
            },
            {
              "name": "FEDORA-2019-9a0a7c0986",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
            },
            {
              "name": "RHSA-2019:3700",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3700"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365",
              "refsource": "CONFIRM",
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2019-1543",
    "datePublished": "2019-03-06T21:00:00Z",
    "dateReserved": "2018-11-28T00:00:00",
    "dateUpdated": "2024-09-16T17:43:26.783Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

rhsa-2019_3700

Vulnerability from csaf_redhat

cve-2018-0735

Vulnerability from cvelistv5

cve-2018-0734

Vulnerability from cvelistv5

cve-2019-1543

Vulnerability from cvelistv5

Tags