SB2018090803 - Information disclosure vulnerabilities in RSA BSAFE SSL-J

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018090803

SB2018090803 - Information disclosure vulnerabilities in RSA BSAFE SSL-J

Published: September 8, 2018

Security Bulletin ID SB2018090803
Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2018-11068)

The vulnerability allows a physically local high-privileged attacker to obtain potentially sensitive information.

The vulnerability exists due to improper clearing of heap memory before releasing the memory. A remote attacker can recover keys.


2) Covert timing attack (CVE-ID: CVE-2018-11069)

The vulnerability allows a network attacker to obtain potentially sensitive information.

The vulnerability exists due to covert time attack. A remote attacker can conduct a Bleichenbacher covert timing attack on the RSA decryption process and obtain the RSA private key.


3) Covert timing attack (CVE-ID: CVE-2018-11070)

The vulnerability allows a network attacker to obtain potentially sensitive information.

The vulnerability exists due to covert time attack. A remote attacker can conduct a Bleichenbacher covert timing attack on PKCS #1 unpadding operations and obtain the RSA private key.


Remediation

Install update from vendor's website.

References