SB2018062117 - Information disclosure in openssl (Alpine package)
Published: June 21, 2018
Security Bulletin ID: SB2018062117
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Information disclosure
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2018-0737)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system. The weakness exists in the BN_mod_inverse() and BN_mod_exp_mont() functions used by the RSA key generation algorithm, which are susceptible to a cache timing side-channel attack. A local attacker can recover the private key.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=8318a0b07a3aac56659289654c3403dfb8ee5ae1
- https://git.alpinelinux.org/aports/commit/?id=8593c3d6ba83fa5acf4bd55ff54c5481806a3596
- https://git.alpinelinux.org/aports/commit/?id=a6c1a037cfc03efb105af4f5eb6dfa305d268df3
- https://git.alpinelinux.org/aports/commit/?id=f23142862c2e144caac4022dba598819c072c867
- https://git.alpinelinux.org/aports/commit/?id=2258fe946d55022e3e8503b306eeabf6858ef89b
- https://git.alpinelinux.org/aports/commit/?id=86f75868acf5d2946949ee2896076f424c3a3088