ID

VAR-201810-0933


CVE

CVE-2018-0735


TITLE

OpenSSL ECDSA Vulnerabilities related to key management errors in signature algorithms

Trust: 0.8

sources: JVNDB: JVNDB-2018-014030

DESCRIPTION

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).

OpenSSL is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information. This may aid in further attacks.

The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. The vulnerability stems from incorrect use of relevant cryptographic algorithms by network systems or products, resulting in improperly encrypted content, weak encryption, and storing sensitive information in plain text.

For the stable distribution (stretch), these problems have been fixed in version 1.1.0j-1~deb9u1. Going forward, openssl security updates for stretch will be based on the 1.1.0x upstream releases.

For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

=====================================================================
Red Hat Security Advisory

Synopsis: Low: openssl security, bug fix, and enhancement update
Advisory ID: RHSA-2019:3700-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3700
Issue date: 2019-11-05
CVE Names: CVE-2018-0734 CVE-2018-0735 CVE-2019-1543
=====================================================================

1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

The following packages have been upgraded to a later upstream version: openssl (1.1.1c).

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

1644356 - CVE-2018-0735 openssl: timing side channel attack in the ECDSA signature generation
1644364 - CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm
1668880 - ec man page lists -modulus but the tool doesn't support it
1686058 - specifying digest for signing time-stamping responses is mandatory
1686548 - Incorrect handling of fragmented KeyUpdate messages
1695954 - CVE-2019-1543 openssl: ChaCha20-Poly1305 with long nonces
1697915 - Race/segmentation fault on process shutdown in OpenSSL
1706104 - openssl asn1parse crashes with double free or corruption (!prev)
1706915 - OpenSSL should implement continuous random test or use the kernel AF_ALG interface for random
1712023 - openssl pkcs12 uses certpbe algorithm not compliant with FIPS by default
1714245 - DSA ciphers in TLS don't work with SHA-1 signatures even in LEGACY level

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
openssl-1.1.1c-2.el8.src.rpm

aarch64:
openssl-1.1.1c-2.el8.aarch64.rpm
openssl-debuginfo-1.1.1c-2.el8.aarch64.rpm
openssl-debugsource-1.1.1c-2.el8.aarch64.rpm
openssl-devel-1.1.1c-2.el8.aarch64.rpm
openssl-libs-1.1.1c-2.el8.aarch64.rpm
openssl-libs-debuginfo-1.1.1c-2.el8.aarch64.rpm
openssl-perl-1.1.1c-2.el8.aarch64.rpm

ppc64le:
openssl-1.1.1c-2.el8.ppc64le.rpm
openssl-debuginfo-1.1.1c-2.el8.ppc64le.rpm
openssl-debugsource-1.1.1c-2.el8.ppc64le.rpm
openssl-devel-1.1.1c-2.el8.ppc64le.rpm
openssl-libs-1.1.1c-2.el8.ppc64le.rpm
openssl-libs-debuginfo-1.1.1c-2.el8.ppc64le.rpm
openssl-perl-1.1.1c-2.el8.ppc64le.rpm

s390x:
openssl-1.1.1c-2.el8.s390x.rpm
openssl-debuginfo-1.1.1c-2.el8.s390x.rpm
openssl-debugsource-1.1.1c-2.el8.s390x.rpm
openssl-devel-1.1.1c-2.el8.s390x.rpm
openssl-libs-1.1.1c-2.el8.s390x.rpm
openssl-libs-debuginfo-1.1.1c-2.el8.s390x.rpm
openssl-perl-1.1.1c-2.el8.s390x.rpm

x86_64:
openssl-1.1.1c-2.el8.x86_64.rpm
openssl-debuginfo-1.1.1c-2.el8.i686.rpm
openssl-debuginfo-1.1.1c-2.el8.x86_64.rpm
openssl-debugsource-1.1.1c-2.el8.i686.rpm
openssl-debugsource-1.1.1c-2.el8.x86_64.rpm
openssl-devel-1.1.1c-2.el8.i686.rpm
openssl-devel-1.1.1c-2.el8.x86_64.rpm
openssl-libs-1.1.1c-2.el8.i686.rpm
openssl-libs-1.1.1c-2.el8.x86_64.rpm
openssl-libs-debuginfo-1.1.1c-2.el8.i686.rpm
openssl-libs-debuginfo-1.1.1c-2.el8.x86_64.rpm
openssl-perl-1.1.1c-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-0734
https://access.redhat.com/security/cve/CVE-2018-0735
https://access.redhat.com/security/cve/CVE-2019-1543
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

==========================================================================
Ubuntu Security Notice USN-3840-1
December 06, 2018

openssl, openssl1.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenSSL. (CVE-2018-0734)

Samuel Weiser discovered that OpenSSL incorrectly handled ECDSA signing. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-0735)

Billy Bob Brumley, Cesar Pereida Garcia, Sohaib ul Hassan, Nicola Tuveri, and Alejandro Cabrera Aldaya discovered that Simultaneous Multithreading (SMT) architectures are vulnerable to side-channel leakage. This issue is known as "PortSmash". (CVE-2018-5407)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10:
  libssl1.0.0 1.0.2n-1ubuntu6.1
  libssl1.1 1.1.1-1ubuntu2.1

Ubuntu 18.04 LTS:
  libssl1.0.0 1.0.2n-1ubuntu5.2
  libssl1.1 1.1.0g-2ubuntu4.3

Ubuntu 16.04 LTS:
  libssl1.0.0 1.0.2g-1ubuntu4.14

Ubuntu 14.04 LTS:
  libssl1.0.0 1.0.1f-1ubuntu2.27

After a standard system update you need to reboot your computer to make all the necessary changes.

Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.1 or 1.1.0 at this time. The fix is also available in commit b1d6d55ece (for 1.1.1) and commit 56fb454d28 (for 1.1.0) in the OpenSSL git repository.

References
==========

URL for this Security Advisory: https://www.openssl.org/news/secadv/20181029.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html

Trust: 2.43

sources: NVD: CVE-2018-0735 // JVNDB: JVNDB-2018-014030 // BID: 105750 // VULHUB: VHN-118937 // VULMON: CVE-2018-0735 // PACKETSTORM: 150561 // PACKETSTORM: 155160 // PACKETSTORM: 150683 // PACKETSTORM: 169669

AFFECTED PRODUCTS

vendor: openssl, model: openssl, scope: eq, version: 1.1.1

Trust: 1.8

vendor: oracle, model: mysql, scope: lte, version: 5.7.24

Trust: 1.0

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 8.4

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 8.0

Trust: 1.0

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 16.1

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 16.04

Trust: 1.0

vendor: oracle, model: peoplesoft enterprise peopletools, scope: eq, version: 8.55

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 18.10

Trust: 1.0

vendor: oracle, model: enterprise manager base platform, scope: eq, version: 13.3.0.0.0

Trust: 1.0

vendor: netapp, model: santricity smi-s provider, scope: eq, version: -

Trust: 1.0

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: gte, version: 17.7

Trust: 1.0

vendor: oracle, model: vm virtualbox, scope: lt, version: 6.0.0

Trust: 1.0

vendor: oracle, model: application server, scope: eq, version: 0.9.8

Trust: 1.0

vendor: netapp, model: snapdrive, scope: eq, version: -

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 18.04

Trust: 1.0

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 15.2

Trust: 1.0

vendor: oracle, model: api gateway, scope: eq, version: 11.1.2.4.0

Trust: 1.0

vendor: nodejs, model: node.js, scope: gte, version: 10.0.0

Trust: 1.0

vendor: oracle, model: mysql, scope: gte, version: 8.0.0

Trust: 1.0

vendor: netapp, model: steelstore, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: smi-s provider, scope: eq, version: -

Trust: 1.0

vendor: oracle, model: enterprise manager ops center, scope: eq, version: 12.3.3

Trust: 1.0

vendor: netapp, model: element software, scope: eq, version: -

Trust: 1.0

vendor: oracle, model: peoplesoft enterprise peopletools, scope: eq, version: 8.56

Trust: 1.0

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 18.8

Trust: 1.0

vendor: nodejs, model: node.js, scope: eq, version: 10.13.0

Trust: 1.0

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 15.1

Trust: 1.0

vendor: oracle, model: tuxedo, scope: eq, version: 12.1.1.0.0

Trust: 1.0

vendor: oracle, model: enterprise manager base platform, scope: eq, version: 13.2.0.0.0

Trust: 1.0

vendor: oracle, model: peoplesoft enterprise peopletools, scope: eq, version: 8.57

Trust: 1.0

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: lte, version: 17.12

Trust: 1.0

vendor: openssl, model: openssl, scope: lte, version: 1.1.0i

Trust: 1.0

vendor: oracle, model: enterprise manager base platform, scope: eq, version: 12.1.0.5.0

Trust: 1.0

vendor: nodejs, model: node.js, scope: lt, version: 11.3.0

Trust: 1.0

vendor: netapp, model: oncommand unified manager, scope: eq, version: *

Trust: 1.0

vendor: netapp, model: oncommand unified manager, scope: gte, version: 9.4

Trust: 1.0

vendor: openssl, model: openssl, scope: gte, version: 1.1.0

Trust: 1.0

vendor: oracle, model: mysql, scope: lte, version: 5.6.42

Trust: 1.0

vendor: oracle, model: mysql, scope: gte, version: 5.7.0

Trust: 1.0

vendor: nodejs, model: node.js, scope: lt, version: 10.12.0

Trust: 1.0

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 16.2

Trust: 1.0

vendor: oracle, model: vm virtualbox, scope: gte, version: 5.0.0

Trust: 1.0

vendor: netapp, model: cn1610, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: cloud backup, scope: eq, version: -

Trust: 1.0

vendor: oracle, model: secure global desktop, scope: eq, version: 5.4

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 14.04

Trust: 1.0

vendor: nodejs, model: node.js, scope: gte, version: 11.0.0

Trust: 1.0

vendor: oracle, model: application server, scope: eq, version: 1.0.0

Trust: 1.0

vendor: oracle, model: vm virtualbox, scope: lt, version: 5.2.24

Trust: 1.0

vendor: oracle, model: application server, scope: eq, version: 1.0.1

Trust: 1.0

vendor: oracle, model: mysql, scope: lte, version: 8.0.13

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 9.0

Trust: 1.0

vendor: canonical, model: ubuntu, scope: -, version: -

Trust: 0.8

vendor: debian, model: gnu/linux, scope: -, version: -

Trust: 0.8

vendor: netapp, model: cn1610, scope: -, version: -

Trust: 0.8

vendor: netapp, model: cloud backup, scope: -, version: -

Trust: 0.8

vendor: netapp, model: oncommand unified manager core package, scope: -, version: -

Trust: 0.8

vendor: netapp, model: santricity smi-s provider, scope: -, version: -

Trust: 0.8

vendor: netapp, model: steelstore cloud integrated storage, scope: -, version: -

Trust: 0.8

vendor: node js, model: node.js, scope: -, version: -

Trust: 0.8

vendor: openssl, model: openssl, scope: eq, version: 1.1.0 to 1.1.0i

Trust: 0.8

vendor: openssl, model: project openssl, scope: eq, version: 1.1

Trust: 0.3

vendor: openssl, model: project openssl 1.1.0i, scope: -, version: -

Trust: 0.3

vendor: openssl, model: project openssl 1.1.0h, scope: -, version: -

Trust: 0.3

vendor: openssl, model: project openssl 1.1.0g, scope: -, version: -

Trust: 0.3

vendor: openssl, model: project openssl 1.1.0f, scope: -, version: -

Trust: 0.3

vendor: openssl, model: project openssl 1.1.0e, scope: -, version: -

Trust: 0.3

vendor: openssl, model: project openssl 1.1.0d, scope: -, version: -

Trust: 0.3

vendor: openssl, model: project openssl 1.1.0c, scope: -, version: -

Trust: 0.3

vendor: openssl, model: project openssl 1.1.0b, scope: -, version: -

Trust: 0.3

vendor: openssl, model: project openssl 1.1.0a, scope: -, version: -

Trust: 0.3

sources: BID: 105750 // JVNDB: JVNDB-2018-014030 // NVD: CVE-2018-0735

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0735
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-0735
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201810-1395
value: MEDIUM

Trust: 0.6

VULHUB: VHN-118937
value: MEDIUM

Trust: 0.1

VULMON: CVE-2018-0735
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-0735
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-118937
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0735
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2018-0735
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-118937 // VULMON: CVE-2018-0735 // JVNDB: JVNDB-2018-014030 // CNNVD: CNNVD-201810-1395 // NVD: CVE-2018-0735

PROBLEMTYPE DATA

problemtype:CWE-327

Trust: 1.1

problemtype:CWE-320

Trust: 0.9

sources: VULHUB: VHN-118937 // JVNDB: JVNDB-2018-014030 // NVD: CVE-2018-0735

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1395

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201810-1395

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014030

PATCH

title: [SECURITY] [DLA 1586-1] openssl security update
url: https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html

Trust: 0.8

title: DSA-4348
url: https://www.debian.org/security/2018/dsa-4348

Trust: 0.8

title: Timing vulnerability in ECDSA signature generation (CVE-2018-0735)(56fb454)
url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1

Trust: 0.8

title: Timing vulnerability in ECDSA signature generation (CVE-2018-0735)(b1d6d55)
url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4

Trust: 0.8

title: NTAP-20181105-0002
url: https://security.netapp.com/advisory/ntap-20181105-0002/

Trust: 0.8

title: November 2018 Security Releases
url: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Trust: 0.8

title: Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
url: https://www.openssl.org/news/secadv/20181029.txt

Trust: 0.8

title: USN-3840-1
url: https://usn.ubuntu.com/3840-1/

Trust: 0.8

title: OpenSSL Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86394

Trust: 0.6

title: Red Hat: Low: openssl security, bug fix, and enhancement update
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20193700 - Security Advisory

Trust: 0.1

title: Ubuntu Security Notice: openssl, openssl1.0 vulnerabilities
url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3840-1

Trust: 0.1

title: Red Hat: CVE-2018-0735
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-0735

Trust: 0.1

title: Arch Linux Issues:
url: https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2018-0735

Trust: 0.1

title: Arch Linux Advisories: [ASA-201812-6] lib32-openssl: private key recovery
url: https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201812-6

Trust: 0.1

title: Arch Linux Advisories: [ASA-201812-5] openssl: private key recovery
url: https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201812-5

Trust: 0.1

title: IBM: Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=11a896cf16b3849254ae662b7748b708

Trust: 0.1

title: Debian Security Advisories: DSA-4348-1 openssl -- security update
url: https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=322bd50b7b929759e38c99b73122a852

Trust: 0.1

title: IBM: IBM Security Bulletin: IBM Event Streams is affected by OpenSSL vulnerabilities
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=efdce9b94f89918f3f2b2dfc69780ccd

Trust: 0.1

title: IBM: IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=d04b79d120c8d1de061ffc3f57258fcb

Trust: 0.1

title: IBM: IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2018-0735, CVE-2018-0734, CVE-2018-5407)
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=c829d56f5888779e791387897875c4b4

Trust: 0.1

title: IBM: IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private – Node.js
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=2e571e7bc5566212c3e69e37ecfa5ad4

Trust: 0.1

title: IBM: IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=2bd72b857f21f300d83d07a791be44cf

Trust: 0.1

title: IBM: IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management V2018
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=dce787e9d669a768893a91801bf5eea4

Trust: 0.1

title: IBM: IBM Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=26f585287da19915b94b6cae2d1b864f

Trust: 0.1

title: IBM: IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private – fluentd
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=60de0933c28b353f38df30120aa2a908

Trust: 0.1

title: Oracle: Oracle Critical Patch Update Advisory - January 2019
url: https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=f655264a6935505d167bbf45f409a57b

Trust: 0.1

title: Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - January 2019
url: https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=aea3fcafd82c179d3a5dfa015e920864

Trust: 0.1

title: IBM: IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-v
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=413b5f9466c1ebf3ab090a45e189b43e

Trust: 0.1

title: -
url: https://github.com/Live-Hack-CVE/CVE-2018-0735

Trust: 0.1

title: vyger
url: https://github.com/mrodden/vyger

Trust: 0.1

sources: VULMON: CVE-2018-0735 // JVNDB: JVNDB-2018-014030 // CNNVD: CNNVD-201810-1395

EXTERNAL IDS

db: NVD, id: CVE-2018-0735

Trust: 3.3

db: BID, id: 105750

Trust: 2.1

db: SECTRACK, id: 1041986

Trust: 1.8

db: JVNDB, id: JVNDB-2018-014030

Trust: 0.8

db: CNNVD, id: CNNVD-201810-1395

Trust: 0.7

db: AUSCERT, id: ESB-2019.0514

Trust: 0.6

db: AUSCERT, id: ESB-2019.1119

Trust: 0.6

db: AUSCERT, id: ESB-2019.0473

Trust: 0.6

db: AUSCERT, id: ESB-2020.0529

Trust: 0.6

db: AUSCERT, id: ESB-2019.3390.4

Trust: 0.6

db: VULHUB, id: VHN-118937

Trust: 0.1

db: VULMON, id: CVE-2018-0735

Trust: 0.1

db: PACKETSTORM, id: 150561

Trust: 0.1

db: PACKETSTORM, id: 155160

Trust: 0.1

db: PACKETSTORM, id: 150683

Trust: 0.1

db: PACKETSTORM, id: 169669

Trust: 0.1

sources: VULHUB: VHN-118937 // VULMON: CVE-2018-0735 // BID: 105750 // JVNDB: JVNDB-2018-014030 // PACKETSTORM: 150561 // PACKETSTORM: 155160 // PACKETSTORM: 150683 // PACKETSTORM: 169669 // CNNVD: CNNVD-201810-1395 // NVD: CVE-2018-0735

REFERENCES

url:http://www.securityfocus.com/bid/105750

Trust: 2.4

url:https://www.openssl.org/news/secadv/20181029.txt

Trust: 2.2

url:https://access.redhat.com/errata/rhsa-2019:3700

Trust: 2.0

url:https://usn.ubuntu.com/3840-1/

Trust: 1.9

url:https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Trust: 1.8

url:https://security.netapp.com/advisory/ntap-20181105-0002/

Trust: 1.8

url:https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Trust: 1.8

url:https://www.debian.org/security/2018/dsa-4348

Trust: 1.8

url:https://www.oracle.com/security-alerts/cpujan2020.html

Trust: 1.8

url:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Trust: 1.8

url:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Trust: 1.8

url:https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html

Trust: 1.8

url:http://www.securitytracker.com/id/1041986

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0735

Trust: 1.2

url:https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=56fb454d281a023b3f950d969693553d3f3ceea1

Trust: 1.1

url:https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0735

Trust: 0.8

url:https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1

Trust: 0.7

url:https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4

Trust: 0.7

url:https://support.symantec.com/us/en/article.symsa1490.html

Trust: 0.6

url:http://www.ibm.com/support/docview.wss

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affect-ibm-tivoli-netcool-system-service-monitors-application-service-monitors-cve-2018-5407cve-2020-1967cve-2018-0734cve-2019-1563cve-2019/

Trust: 0.6

url:https://www-01.ibm.com/support/docview.wss?uid=ibm10876540

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0529/

Trust: 0.6

url:https://www.ibm.com/support/docview.wss?uid=ibm10869830

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10792231

Trust: 0.6

url:https://www.ibm.com/support/pages/node/1143442

Trust: 0.6

url:https://www-01.ibm.com/support/docview.wss?uid=ibm10870936

Trust: 0.6

url:https://www.auscert.org.au/bulletins/78342

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3390.4/

Trust: 0.6

url:https://www.ibm.com/support/pages/node/1169932

Trust: 0.6

url:https://www.auscert.org.au/bulletins/75618

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affect-ibm-spectrum-protect-plus-cve-2018-0735-cve-2018-0734-cve-2018-5407/

Trust: 0.6

url:https://www-01.ibm.com/support/docview.wss?uid=ibm10873310

Trust: 0.6

url:https://www.auscert.org.au/bulletins/75802

Trust: 0.6

url:https://github.com/openssl/openssl/commit/56fb454d281a023b3f950d969693553d3f3ceea1

Trust: 0.3

url:http://openssl.org/

Trust: 0.3

url:https://github.com/openssl/openssl/commit/b1d6d55ece1c26fa2829e2b819b038d7b6d692b4

Trust: 0.3

url:https://www.openssl.org/news/vulnerabilities.html

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2018-0734

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2018-5407

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/327.html

Trust: 0.1

url:https://github.com/live-hack-cve/cve-2018-0735

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://tools.cisco.com/security/center/viewalert.x?alertid=59068

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-0737

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-0732

Trust: 0.1

url:https://security-tracker.debian.org/tracker/openssl

Trust: 0.1

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#low

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-1543

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-0735

Trust: 0.1

url:https://bugzilla.redhat.com/

Trust: 0.1

url:https://access.redhat.com/security/team/key/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-1543

Trust: 0.1

url:https://access.redhat.com/articles/11258

Trust: 0.1

url:https://access.redhat.com/security/team/contact/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-0734

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.14

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.27

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/1.1.0g-2ubuntu4.3

Trust: 0.1

url:https://usn.ubuntu.com/usn/usn-3840-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu6.1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu5.2

Trust: 0.1

url:https://www.openssl.org/policies/secpolicy.html

Trust: 0.1

sources: VULHUB: VHN-118937 // VULMON: CVE-2018-0735 // BID: 105750 // JVNDB: JVNDB-2018-014030 // PACKETSTORM: 150561 // PACKETSTORM: 155160 // PACKETSTORM: 150683 // PACKETSTORM: 169669 // CNNVD: CNNVD-201810-1395 // NVD: CVE-2018-0735

CREDITS

Samuel Weiser.

Trust: 0.3

sources: BID: 105750

SOURCES

db: VULHUB, id: VHN-118937
db: VULMON, id: CVE-2018-0735
db: BID, id: 105750
db: JVNDB, id: JVNDB-2018-014030
db: PACKETSTORM, id: 150561
db: PACKETSTORM, id: 155160
db: PACKETSTORM, id: 150683
db: PACKETSTORM, id: 169669
db: CNNVD, id: CNNVD-201810-1395
db: NVD, id: CVE-2018-0735

LAST UPDATE DATE

2024-08-14T13:04:29.270000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-118937, date: 2020-08-24T00:00:00
db: VULMON, id: CVE-2018-0735, date: 2023-11-07T00:00:00
db: BID, id: 105750, date: 2018-10-29T00:00:00
db: JVNDB, id: JVNDB-2018-014030, date: 2019-03-11T00:00:00
db: CNNVD, id: CNNVD-201810-1395, date: 2020-12-16T00:00:00
db: NVD, id: CVE-2018-0735, date: 2023-11-07T02:51:05.350

SOURCES RELEASE DATE

db: VULHUB, id: VHN-118937, date: 2018-10-29T00:00:00
db: VULMON, id: CVE-2018-0735, date: 2018-10-29T00:00:00
db: BID, id: 105750, date: 2018-10-29T00:00:00
db: JVNDB, id: JVNDB-2018-014030, date: 2019-03-11T00:00:00
db: PACKETSTORM, id: 150561, date: 2018-12-03T21:06:37
db: PACKETSTORM, id: 155160, date: 2019-11-06T15:56:37
db: PACKETSTORM, id: 150683, date: 2018-12-07T01:03:36
db: PACKETSTORM, id: 169669, date: 2018-10-29T12:12:12
db: CNNVD, id: CNNVD-201810-1395, date: 2018-10-30T00:00:00
db: NVD, id: CVE-2018-0735, date: 2018-10-29T13:29:00.263