SB2016062205 - Solaris vulnerabilities in openssl (Alpine package)
Published: June 22, 2016 Updated: March 6, 2023
Description
This security bulletin contains information about 1 vulnerability.
1) Observable discrepancy (CVE-ID: CVE-2016-2178)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a timing attack.
The vulnerability exists due to an error within the dsa_sign_setup() function in crypto/dsa/dsa_ossl.c. A local user can obtain a DSA private key via a timing side-channel attack.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=be71850614d4346dc7cd2243591ca908f4475a1d
- https://git.alpinelinux.org/aports/commit/?id=38c6e1fd86f4d9cba4c146b8bdcd71f84e1a4ee7
- https://git.alpinelinux.org/aports/commit/?id=510da6cf43e86bf53a64a018de95bd1e1621aee1
- https://git.alpinelinux.org/aports/commit/?id=7d2ebac3c49c357dc1b35746dbd9c1bcbbcee2e0
- https://git.alpinelinux.org/aports/commit/?id=d8e0efebf3c84cd361bc21b86aa763b373e87620