CVE-2018-0737

Summary

CVE: CVE-2018-0737
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2018-04-16 18:29:00 UTC
Updated: 2023-11-07 02:51:00 UTC
Description: The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).

Risk And Classification

Problem Types: CWE-327

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All
Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All
Operating System | Canonical | Ubuntu Linux | 17.10 | All | All | All
Application | Openssl | Openssl | All | All | All | All

References

  • Red Hat Customer Portal (source: REDHAT; link: access.redhat.com)
  • [SECURITY] Fedora 30 Update: compat-openssl10-1.0.2o-7.fc30 - package-announce - Fedora Mailing-Lists (source: FEDORA; link: lists.fedoraproject.org)
  • git.openssl.org Git - openssl.git/commitdiff (link: git.openssl.org)
  • [R1] Nessus 7.1.4 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable® (source: CONFIRM; link: www.tenable.com)
  • [SECURITY] Fedora 31 Update: compat-openssl10-1.0.2o-8.fc31 - package-announce - Fedora Mailing-Lists (source: FEDORA; link: lists.fedoraproject.org)
  • [SECURITY] Fedora 30 Update: compat-openssl10-1.0.2o-7.fc30 - package-announce - Fedora Mailing-Lists (link: lists.fedoraproject.org)
  • [R1] LCE 5.1.1 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable® (source: CONFIRM; link: www.tenable.com)
  • [SECURITY] Fedora 29 Update: compat-openssl10-1.0.2o-7.fc29 - package-announce - Fedora Mailing-Lists (source: FEDORA; link: lists.fedoraproject.org)
  • OpenSSL RSA Key Generation BN_mod_inverse() and BN_mod_exp_mont() Cache Timing Attack Lets Local Users Recover the Private Key - SecurityTracker (source: SECTRACK; link: www.securitytracker.com; tags: Third Party Advisory, VDB Entry)
  • [R1] SecurityCenter 5.7.1 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable® (source: CONFIRM; link: www.tenable.com)
  • Debian -- Security Information -- DSA-4348-1 openssl (source: DEBIAN; link: www.debian.org)
  • PAN-SA-2018-0015 OpenSSL Vulnerabilities in PAN-OS (source: CONFIRM; link: securityadvisories.paloaltonetworks.com)
  • OpenSSL: Multiple vulnerabilities (GLSA 201811-21) — Gentoo security (source: GENTOO; link: security.gentoo.org)
  • [SECURITY] [DLA 1449-1] openssl security update (source: MLIST; link: lists.debian.org)
  • USN-3628-1: OpenSSL vulnerability | Ubuntu security notices | Ubuntu (source: UBUNTU; link: usn.ubuntu.com; tags: Third Party Advisory)
  • Oracle Critical Patch Update Advisory - July 2021 (source: N/A; link: www.oracle.com)
  • USN-3628-2: OpenSSL vulnerability | Ubuntu security notices (source: UBUNTU; link: usn.ubuntu.com; tags: Third Party Advisory)
  • [R1] Nessus 8.0.0 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable® (source: CONFIRM; link: www.tenable.com)
  • OpenSSL CVE-2018-0737 Side Channel Attack Information Disclosure Vulnerability (source: BID; link: www.securityfocus.com; tags: Third Party Advisory, VDB Entry)
  • [SECURITY] Fedora 29 Update: compat-openssl10-1.0.2o-7.fc29 - package-announce - Fedora Mailing-Lists (link: lists.fedoraproject.org)
  • Oracle Critical Patch Update - January 2019 (source: CONFIRM; link: www.oracle.com)
  • Oracle Critical Patch Update - July 2019 (source: MISC; link: www.oracle.com)
  • CVE-2018-0737 OpenSSL Vulnerability in NetApp Products | NetApp Product Security (source: CONFIRM; link: security.netapp.com)
  • git.openssl.org Git - openssl.git/commitdiff (source: CONFIRM; link: git.openssl.org; tags: Patch, Vendor Advisory)
  • [SECURITY] Fedora 31 Update: compat-openssl10-1.0.2o-8.fc31 - package-announce - Fedora Mailing-Lists (link: lists.fedoraproject.org)
  • www.openssl.org/news/secadv/20180416.txt (source: CONFIRM; link: www.openssl.org; tags: Vendor Advisory)
  • August 2018 Security Releases | Node.js (source: CONFIRM; link: nodejs.org)
  • USN-3692-1: OpenSSL vulnerabilities | Ubuntu security notices (source: UBUNTU; link: usn.ubuntu.com)
  • Debian -- Security Information -- DSA-4355-1 openssl1.0 (source: DEBIAN; link: www.debian.org)
  • CPU Oct 2018 (source: CONFIRM; link: www.oracle.com)
  • Oracle Critical Patch Update Advisory - April 2020 (source: N/A; link: www.oracle.com)
  • USN-3692-2: OpenSSL vulnerabilities | Ubuntu security notices (source: UBUNTU; link: usn.ubuntu.com)
  • Oracle Critical Patch Update Advisory - April 2019 (source: MISC; link: www.oracle.com)
  • CVE Program record (source: CVE.ORG; link: www.cve.org; tags: canonical)
  • NVD vulnerability detail (source: NVD; link: nvd.nist.gov; tags: canonical, analysis)

Vendor Comments And Credit

Discovery Credit

LEGACY: Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia

Legacy QID Mappings

  • 390226 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2021-0011)
  • 390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)
  • 591115 ABB Relion 670 series and Relion 650 series Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (ABBVU-PGGA-1MRG032388)
  • 670784 EulerOS Security Update for shim (EulerOS-SA-2021-2542)
  • 670808 EulerOS Security Update for shim (EulerOS-SA-2021-2566)
  • 710214 Gentoo Linux Open Secure Sockets Layer Multiple Vulnerabilities (GLSA 201811-21)