Solaris vulnerabilities in openssl (Alpine package)



Published: 2016-06-22 | Updated: 2023-03-06
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-2178
CWE-ID CWE-203
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		openssl (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Observable discrepancy

EUVDB-ID: #VU1589

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-2178

CWE-ID: CWE-203 - Observable discrepancy

Exploit availability: No

Description

The vulnerability allows a local user to perform timing attack.

The vulnerability exists due to an error within the dsa_sign_setup() function in crypto/dsa/dsa_ossl.c. A local user can obtain a DSA private key via a timing side-channel attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

openssl (Alpine package): 1.0.1t-r0

External links

http://git.alpinelinux.org/aports/commit/?id=be71850614d4346dc7cd2243591ca908f4475a1d
http://git.alpinelinux.org/aports/commit/?id=38c6e1fd86f4d9cba4c146b8bdcd71f84e1a4ee7
http://git.alpinelinux.org/aports/commit/?id=510da6cf43e86bf53a64a018de95bd1e1621aee1
http://git.alpinelinux.org/aports/commit/?id=7d2ebac3c49c357dc1b35746dbd9c1bcbbcee2e0
http://git.alpinelinux.org/aports/commit/?id=d8e0efebf3c84cd361bc21b86aa763b373e87620


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###