CVE-2016-2178

Published on: 06/19/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:14 PM UTC

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Certain versions of Openssl from Openssl contain the following vulnerability:

The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.

  • CVE-2016-2178 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.

CVSS3 Score: 5.5 - MEDIUM

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
LOCAL LOW LOW NONE
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
UNCHANGED HIGH NONE NONE

CVSS2 Score: 2.1 - LOW

Access
Vector
Access
Complexity
Authentication
LOCAL LOW NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
PARTIAL NONE NONE

CVE References

Description Tags Link
Oracle Solaris Bulletin - April 2016 Third Party Advisory
www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Security updates for all active release lines, September 2016 | Node.js Third Party Advisory
nodejs.org
text/html
URL Logo CONFIRM nodejs.org/en/blog/vulnerability/september-2016-security-releases/
OpenSSL DSA Signing Constant Timing Bug May Let Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker Third Party Advisory
VDB Entry
www.securitytracker.com
text/html
URL Logo SECTRACK 1036054
Red Hat Customer Portal access.redhat.com
text/html
URL Logo REDHAT RHSA-2017:0194
Document Display | HPE Support Center support.hpe.com
text/html
URL Logo CONFIRM support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03856en_us
/news/vulnerabilities.html Vendor Advisory
www.openssl.org
text/html
URL Logo MISC www.openssl.org/news/vulnerabilities.html#y2017
Oracle Critical Patch Update - January 2018 www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Oracle Critical Patch Update - April 2018 www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Red Hat Customer Portal web.archive.org
text/html
Inactive LinkNot Archived
URL Logo REDHAT RHSA-2017:1659
Document Display | HPE Support Center Third Party Advisory
h20566.www2.hpe.com
text/html
URL Logo CONFIRM h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05302448
Splunk Enterprise 6.4.5 addresses multiple vulnerabilities | Splunk Third Party Advisory
www.splunk.com
text/html
URL Logo CONFIRM www.splunk.com/view/SP-CAAAPUE
Oracle Linux Bulletin - October 2016 Third Party Advisory
www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
Oracle Critical Patch Update - October 2016 Third Party Advisory
www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Public KB - SA40312 - September 22 2016 OpenSSL Security Advisory Third Party Advisory
kb.pulsesecure.net
text/html
URL Logo CONFIRM kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40312
OpenSSL: Multiple vulnerabilities (GLSA 201612-16) — Gentoo security Third Party Advisory
VDB Entry
security.gentoo.org
text/html
URL Logo GENTOO GLSA-201612-16
Red Hat Customer Portal web.archive.org
text/html
Inactive LinkNot Archived
URL Logo REDHAT RHSA-2016:1940
[R5] Nessus 6.9 Fixes Multiple Vulnerabilities - Security Advisory | Tenable Network Security Third Party Advisory
www.tenable.com
text/html
URL Logo CONFIRM www.tenable.com/security/tns-2016-16
OpenSSL CVE-2016-2178 Side Channel Attack Information Disclosure Vulnerability Third Party Advisory
VDB Entry
cve.report (archive)
text/html
URL Logo BID 91081
Red Hat Customer Portal access.redhat.com
text/html
URL Logo REDHAT RHSA-2017:0193
SA132 : OpenSSL Vulnerabilities 22-Sep-2016 and 26-Sep-2016 Third Party Advisory
bto.bluecoat.com
text/html
URL Logo CONFIRM bto.bluecoat.com/security-advisory/sa132
Splunk Enterprise 6.5.1 addresses multiple OpenSSL vulnerabilities | Splunk Third Party Advisory
www.splunk.com
text/html
URL Logo CONFIRM www.splunk.com/view/SP-CAAAPSV
Oracle VM Server for x86 Bulletin - October 2016 Third Party Advisory
www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html
oss-security - Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Mailing List
Third Party Advisory
www.openwall.com
text/html
URL Logo MLIST [oss-security] 20160609 Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations
[R2] PVS 5.2.0 Fixes Multiple Third-party Library Vulnerabilities - Security Advisory | Tenable Network Security www.tenable.com
text/html
URL Logo CONFIRM www.tenable.com/security/tns-2016-20
Juniper Networks - 2016-10 Security Bulletin: OpenSSL security updates Third Party Advisory
kb.juniper.net
text/html
URL Logo CONFIRM kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
Red Hat Customer Portal access.redhat.com
text/html
URL Logo REDHAT RHSA-2017:1658
1343400 – (CVE-2016-2178) CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation Issue Tracking
Patch
bugzilla.redhat.com
text/html
URL Logo CONFIRM bugzilla.redhat.com/show_bug.cgi?id=1343400
IBM Security Bulletin: Vulnerabilities in OpenSSL, OpenVPN and GNU glibc affect IBM Security Virtual Server Protection for VMware - United States Third Party Advisory
web.archive.org
text/html
Inactive LinkNot Archived
URL Logo CONFIRM www-01.ibm.com/support/docview.wss?uid=swg21995039
git.openssl.org Git - openssl.git/commit Issue Tracking
Patch
Third Party Advisory
git.openssl.org
text/xml
URL Logo CONFIRM git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
Oracle Critical Patch Update - July 2017 www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
[R1] LCE 4.8.2 Fixes Multiple Third-party Library Vulnerabilities - Security Advisory | Tenable Network Security www.tenable.com
text/html
URL Logo CONFIRM www.tenable.com/security/tns-2016-21
Oracle Critical Patch Update - October 2017 www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
oss-security - CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Mailing List
Patch
Third Party Advisory
www.openwall.com
text/html
URL Logo MLIST [oss-security] 20160608 CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations
security.FreeBSD.org
text/plain
FREEBSD FreeBSD-SA-16:26
Red Hat Customer Portal web.archive.org
text/html
Inactive LinkNot Archived
URL Logo REDHAT RHSA-2016:2957
[security-announce] SUSE-SU-2016:2470-1: important: Security update for Third Party Advisory
lists.opensuse.org
text/html
URL Logo SUSE SUSE-SU-2016:2470
Technical Description
Third Party Advisory
eprint.iacr.org
application/pdf
MISC eprint.iacr.org/2016/594.pdf

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
ApplicationOpensslOpenssl1.0.1AllAllAll
ApplicationOpensslOpenssl1.0.1aAllAllAll
ApplicationOpensslOpenssl1.0.1bAllAllAll
ApplicationOpensslOpenssl1.0.1cAllAllAll
ApplicationOpensslOpenssl1.0.1dAllAllAll
ApplicationOpensslOpenssl1.0.1eAllAllAll
ApplicationOpensslOpenssl1.0.1fAllAllAll
ApplicationOpensslOpenssl1.0.1gAllAllAll
ApplicationOpensslOpenssl1.0.1hAllAllAll
ApplicationOpensslOpenssl1.0.1iAllAllAll
ApplicationOpensslOpenssl1.0.1jAllAllAll
ApplicationOpensslOpenssl1.0.1kAllAllAll
ApplicationOpensslOpenssl1.0.1lAllAllAll
ApplicationOpensslOpenssl1.0.1mAllAllAll
ApplicationOpensslOpenssl1.0.1nAllAllAll
ApplicationOpensslOpenssl1.0.1oAllAllAll
ApplicationOpensslOpenssl1.0.1pAllAllAll
ApplicationOpensslOpenssl1.0.1qAllAllAll
ApplicationOpensslOpenssl1.0.1rAllAllAll
ApplicationOpensslOpenssl1.0.1sAllAllAll
ApplicationOpensslOpenssl1.0.1tAllAllAll
ApplicationOpensslOpenssl1.0.2AllAllAll
ApplicationOpensslOpenssl1.0.2aAllAllAll
ApplicationOpensslOpenssl1.0.2bAllAllAll
ApplicationOpensslOpenssl1.0.2cAllAllAll
ApplicationOpensslOpenssl1.0.2dAllAllAll
ApplicationOpensslOpenssl1.0.2eAllAllAll
ApplicationOpensslOpenssl1.0.2fAllAllAll
ApplicationOpensslOpenssl1.0.2gAllAllAll
ApplicationOpensslOpenssl1.0.2hAllAllAll
ApplicationOpensslOpenssl1.0.1AllAllAll
ApplicationOpensslOpenssl1.0.1aAllAllAll
ApplicationOpensslOpenssl1.0.1bAllAllAll
ApplicationOpensslOpenssl1.0.1cAllAllAll
ApplicationOpensslOpenssl1.0.1dAllAllAll
ApplicationOpensslOpenssl1.0.1eAllAllAll
ApplicationOpensslOpenssl1.0.1fAllAllAll
ApplicationOpensslOpenssl1.0.1gAllAllAll
ApplicationOpensslOpenssl1.0.1hAllAllAll
ApplicationOpensslOpenssl1.0.1iAllAllAll
ApplicationOpensslOpenssl1.0.1jAllAllAll
ApplicationOpensslOpenssl1.0.1kAllAllAll
ApplicationOpensslOpenssl1.0.1lAllAllAll
ApplicationOpensslOpenssl1.0.1mAllAllAll
ApplicationOpensslOpenssl1.0.1nAllAllAll
ApplicationOpensslOpenssl1.0.1oAllAllAll
ApplicationOpensslOpenssl1.0.1pAllAllAll
ApplicationOpensslOpenssl1.0.1qAllAllAll
ApplicationOpensslOpenssl1.0.1rAllAllAll
ApplicationOpensslOpenssl1.0.1sAllAllAll
ApplicationOpensslOpenssl1.0.1tAllAllAll
ApplicationOpensslOpenssl1.0.2AllAllAll
ApplicationOpensslOpenssl1.0.2aAllAllAll
ApplicationOpensslOpenssl1.0.2bAllAllAll
ApplicationOpensslOpenssl1.0.2cAllAllAll
ApplicationOpensslOpenssl1.0.2dAllAllAll
ApplicationOpensslOpenssl1.0.2eAllAllAll
ApplicationOpensslOpenssl1.0.2fAllAllAll
ApplicationOpensslOpenssl1.0.2gAllAllAll
ApplicationOpensslOpenssl1.0.2hAllAllAll
Operating
System
OracleLinux5AllAllAll
Operating
System
OracleLinux6AllAllAll
Operating
System
OracleLinux7AllAllAll
Operating
System
OracleLinux5AllAllAll
Operating
System
OracleLinux6AllAllAll
Operating
System
OracleLinux7AllAllAll
Operating
System
OracleSolaris10AllAllAll
Operating
System
OracleSolaris11.3AllAllAll
Operating
System
OracleSolaris10AllAllAll
Operating
System
OracleSolaris11.3AllAllAll
Operating
System
SuseLinux Enterprise12.0AllAllAll
Operating
System
SuseLinux Enterprise12.0AllAllAll
  • cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1j:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1k:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1l:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1m:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1n:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1o:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1p:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1q:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1r:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1s:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1t:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1j:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1k:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1l:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1m:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1n:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1o:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1p:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1q:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1r:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1s:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1t:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*:
  • cpe:2.3:o:oracle:linux:5:*:*:*:*:*:*:*:
  • cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*:
  • cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*:
  • cpe:2.3:o:oracle:linux:5:*:*:*:*:*:*:*:
  • cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*:
  • cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*:
  • cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*:
  • cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*:
  • cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*:
  • cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*:
  • cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*: