SecurityTracker.com
Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
(Oracle Issues Fix for Oracle Linux) OpenSSL RSA Key Generation BN_mod_inverse() and BN_mod_exp_mont() Cache Timing Attack Lets Local Users Recover the Private Key
SecurityTracker Alert ID:  1041872
SecurityTracker URL:  http://securitytracker.com/id/1041872
CVE Reference:   CVE-2018-0737
Date:  Oct 15 2018
Impact:   Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in OpenSSL. A local user can recover the private key in certain cases.

A local user that can conduct a cache timing side channel attack against the RSA key generation algorithm's BN_mod_inverse() and BN_mod_exp_mont() functions may be able to recover the private key.

The vendor was notified on April 4, 2018.

Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia, and Luis Manuel Alvarez Tapia reported this vulnerability.

Impact:   A local user that can conduct a cache timing attack on the target system may be able to recover the private key in certain cases.
Solution:   Oracle has issued a fix.

The Oracle Linux advisory is available at:

http://linux.oracle.com/errata/ELSA-2018-4249.html

Vendor URL:  linux.oracle.com/errata/ELSA-2018-4249.html
Cause:   Access control error, State error
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  7
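
To confirm that a host carries the fix, compare its installed openssl packages against the fixed version-release 1.0.2k-12.0.3.el7 listed in the advisory. The following is an added example, not part of the SecurityTracker entry or the Oracle advisory; it reimplements RPM's segment-wise version comparison (without epoch, tilde or caret handling), and the package listing is constructed sample input in the format printed by `rpm -qa 'openssl*'`.

```python
import re

# Fixed version-release taken from ELSA-2018-4249 (Oracle Linux 7).
FIXED = "1.0.2k-12.0.3.el7"

# Constructed sample input, one name-version-release.arch per line.
SAMPLE = """\
openssl-1.0.2k-12.el7.x86_64
openssl-libs-1.0.2k-12.0.3.el7.x86_64
openssl-devel-1.0.2k-16.el7.x86_64
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two version or release strings the way RPM does: -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer than alphabetic
        if x.isdigit():
            x, y = int(x), int(y)            # numeric compare ignores leading zeros
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings; epoch is not handled."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(listing, fixed=FIXED):
    """Return the packages in listing whose version-release is older than fixed."""
    old = []
    for nvra in listing.split():
        nvr = nvra.rsplit(".", 1)[0]              # drop .arch
        _name, version, release = nvr.rsplit("-", 2)
        if evr_cmp(version + "-" + release, fixed) < 0:
            old.append(nvra)
    return old

if __name__ == "__main__":
    for pkg in unpatched(SAMPLE):
        print("needs update:", pkg)
```

A version-release newer than the fixed one implies the backport only within Oracle Linux 7's own package stream; packages from other vendors need their own advisory's fixed version.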

Message History:   This archive entry is a follow-up to the message listed below.
Apr 16 2018 OpenSSL RSA Key Generation BN_mod_inverse() and BN_mod_exp_mont() Cache Timing Attack Lets Local Users Recover the Private Key



 Source Message Contents

Subject:  [El-errata] ELSA-2018-4249 Important: Oracle Linux 7 openssl security update

Oracle Linux Security Advisory ELSA-2018-4249

http://linux.oracle.com/errata/ELSA-2018-4249.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
openssl-1.0.2k-12.0.3.el7.x86_64.rpm
openssl-devel-1.0.2k-12.0.3.el7.i686.rpm
openssl-devel-1.0.2k-12.0.3.el7.x86_64.rpm
openssl-libs-1.0.2k-12.0.3.el7.i686.rpm
openssl-libs-1.0.2k-12.0.3.el7.x86_64.rpm
openssl-perl-1.0.2k-12.0.3.el7.x86_64.rpm
openssl-static-1.0.2k-12.0.3.el7.i686.rpm
openssl-static-1.0.2k-12.0.3.el7.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/openssl-1.0.2k-12.0.3.el7.src.rpm



Description of changes:

[1.0.2k-12.0.3]
- Oracle bug 28672370: backport CVE-2018-0732
- Oracle bug 28672351: backport CVE-2018-0737


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata
Copyright 2019, SecurityGlobal.net LLC