ID

VAR-201811-0912


CVE

CVE-2018-5407


TITLE

HPE Integrated Lights-Out 5 , HPE Integrated Lights-Out 4 , HPE Integrated Lights-Out 3 Vulnerabilities related to security functions

Trust: 0.8

sources: JVNDB: JVNDB-2018-012393

DESCRIPTION

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. HPE Integrated Lights-Out 5 (iLO 5) , HPE Integrated Lights-Out 4(iLO 4) , HPE Integrated Lights-Out 3 (iLO 3) Contains vulnerabilities related to security features.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Simultaneous Multi-threading (SMT) Contains an information disclosure vulnerability.Information may be obtained. OpenSSL is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information. This may aid in further attacks. The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. This vulnerability stems from configuration errors in network systems or products during operation. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201903-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenSSL: Multiple vulnerabilities Date: March 14, 2019 Bugs: #673056, #678564 ID: 201903-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple Information Disclosure vulnerabilities in OpenSSL allow attackers to obtain sensitive information. Background ========== OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/openssl < 1.0.2r >= 1.0.2r Description =========== Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. A local attacker could run a malicious process next to legitimate processes using the architectureas parallel thread running capabilities to leak encrypted data from the CPU's internal processes. Workaround ========== There is no known workaround at this time. Resolution ========== All OpenSSL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2r" References ========== [ 1 ] CVE-2018-5407 https://nvd.nist.gov/vuln/detail/CVE-2018-5407 [ 2 ] CVE-2019-1559 https://nvd.nist.gov/vuln/detail/CVE-2019-1559 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201903-10 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 6 Advisory ID: RHSA-2019:3932-01 Product: Red Hat JBoss Core Services Advisory URL: https://access.redhat.com/errata/RHSA-2019:3932 Issue date: 2019-11-20 CVE Names: CVE-2018-0734 CVE-2018-0737 CVE-2018-5407 CVE-2018-17189 CVE-2018-17199 CVE-2019-0196 CVE-2019-0197 CVE-2019-0217 CVE-2019-9511 CVE-2019-9513 CVE-2019-9516 CVE-2019-9517 ===================================================================== 1. Summary: Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Core Services on RHEL 6 Server - i386, noarch, ppc64, x86_64 3. Description: This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.29 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release. Security Fix(es): * openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys (CVE-2018-0737) * openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734) * mod_auth_digest: access control bypass due to race condition (CVE-2019-0217) * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407) * mod_session_cookie does not respect expiry time (CVE-2018-17199) * mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189) * mod_http2: possible crash on late upgrade (CVE-2019-0197) * mod_http2: read-after-free on a string compare (CVE-2019-0196) * nghttp2: HTTP/2: large amount of data request leads to denial of service (CVE-2019-9511) * nghttp2: HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513) * mod_http2: HTTP/2: 0-length headers leads to denial of service (CVE-2019-9516) * mod_http2: HTTP/2: request for large response leads to denial of service (CVE-2019-9517) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1568253 - CVE-2018-0737 openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys 1644364 - CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm 1645695 - CVE-2018-5407 openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) 1668493 - CVE-2018-17199 httpd: mod_session_cookie does not respect expiry time 1668497 - CVE-2018-17189 httpd: mod_http2: DoS via slow, unneeded request bodies 1695020 - CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condition 1695030 - CVE-2019-0196 httpd: mod_http2: read-after-free on a string compare 1695042 - CVE-2019-0197 httpd: mod_http2: possible crash on late upgrade 1735741 - CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption 1741860 - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service 1741864 - CVE-2019-9516 HTTP/2: 0-length headers lead to denial of service 1741868 - CVE-2019-9517 HTTP/2: request for large response leads to denial of service 6. Package List: Red Hat JBoss Core Services on RHEL 6 Server: Source: jbcs-httpd24-apr-1.6.3-63.jbcs.el6.src.rpm jbcs-httpd24-apr-util-1.6.1-48.jbcs.el6.src.rpm jbcs-httpd24-brotli-1.0.6-7.jbcs.el6.src.rpm jbcs-httpd24-curl-7.64.1-14.jbcs.el6.src.rpm jbcs-httpd24-httpd-2.4.37-33.jbcs.el6.src.rpm jbcs-httpd24-jansson-2.11-20.jbcs.el6.src.rpm jbcs-httpd24-mod_cluster-native-1.3.12-9.Final_redhat_2.jbcs.el6.src.rpm jbcs-httpd24-mod_jk-1.2.46-22.redhat_1.jbcs.el6.src.rpm jbcs-httpd24-mod_security-2.9.2-16.GA.jbcs.el6.src.rpm jbcs-httpd24-nghttp2-1.39.2-4.jbcs.el6.src.rpm jbcs-httpd24-openssl-1.1.1-25.jbcs.el6.src.rpm i386: jbcs-httpd24-apr-1.6.3-63.jbcs.el6.i686.rpm jbcs-httpd24-apr-debuginfo-1.6.3-63.jbcs.el6.i686.rpm jbcs-httpd24-apr-devel-1.6.3-63.jbcs.el6.i686.rpm jbcs-httpd24-apr-util-1.6.1-48.jbcs.el6.i686.rpm jbcs-httpd24-apr-util-debuginfo-1.6.1-48.jbcs.el6.i686.rpm jbcs-httpd24-apr-util-devel-1.6.1-48.jbcs.el6.i686.rpm jbcs-httpd24-apr-util-ldap-1.6.1-48.jbcs.el6.i686.rpm jbcs-httpd24-apr-util-mysql-1.6.1-48.jbcs.el6.i686.rpm jbcs-httpd24-apr-util-nss-1.6.1-48.jbcs.el6.i686.rpm jbcs-httpd24-apr-util-odbc-1.6.1-48.jbcs.el6.i686.rpm jbcs-httpd24-apr-util-openssl-1.6.1-48.jbcs.el6.i686.rpm jbcs-httpd24-apr-util-pgsql-1.6.1-48.jbcs.el6.i686.rpm jbcs-httpd24-apr-util-sqlite-1.6.1-48.jbcs.el6.i686.rpm jbcs-httpd24-brotli-1.0.6-7.jbcs.el6.i686.rpm jbcs-httpd24-brotli-debuginfo-1.0.6-7.jbcs.el6.i686.rpm jbcs-httpd24-brotli-devel-1.0.6-7.jbcs.el6.i686.rpm jbcs-httpd24-curl-7.64.1-14.jbcs.el6.i686.rpm jbcs-httpd24-curl-debuginfo-7.64.1-14.jbcs.el6.i686.rpm jbcs-httpd24-httpd-2.4.37-33.jbcs.el6.i686.rpm jbcs-httpd24-httpd-debuginfo-2.4.37-33.jbcs.el6.i686.rpm jbcs-httpd24-httpd-devel-2.4.37-33.jbcs.el6.i686.rpm jbcs-httpd24-httpd-selinux-2.4.37-33.jbcs.el6.i686.rpm jbcs-httpd24-httpd-tools-2.4.37-33.jbcs.el6.i686.rpm jbcs-httpd24-jansson-2.11-20.jbcs.el6.i686.rpm jbcs-httpd24-jansson-debuginfo-2.11-20.jbcs.el6.i686.rpm jbcs-httpd24-jansson-devel-2.11-20.jbcs.el6.i686.rpm jbcs-httpd24-libcurl-7.64.1-14.jbcs.el6.i686.rpm jbcs-httpd24-libcurl-devel-7.64.1-14.jbcs.el6.i686.rpm jbcs-httpd24-mod_cluster-native-1.3.12-9.Final_redhat_2.jbcs.el6.i686.rpm jbcs-httpd24-mod_cluster-native-debuginfo-1.3.12-9.Final_redhat_2.jbcs.el6.i686.rpm jbcs-httpd24-mod_jk-ap24-1.2.46-22.redhat_1.jbcs.el6.i686.rpm jbcs-httpd24-mod_jk-debuginfo-1.2.46-22.redhat_1.jbcs.el6.i686.rpm jbcs-httpd24-mod_jk-manual-1.2.46-22.redhat_1.jbcs.el6.i686.rpm jbcs-httpd24-mod_ldap-2.4.37-33.jbcs.el6.i686.rpm jbcs-httpd24-mod_md-2.4.37-33.jbcs.el6.i686.rpm jbcs-httpd24-mod_proxy_html-2.4.37-33.jbcs.el6.i686.rpm jbcs-httpd24-mod_security-2.9.2-16.GA.jbcs.el6.i686.rpm jbcs-httpd24-mod_security-debuginfo-2.9.2-16.GA.jbcs.el6.i686.rpm jbcs-httpd24-mod_session-2.4.37-33.jbcs.el6.i686.rpm jbcs-httpd24-mod_ssl-2.4.37-33.jbcs.el6.i686.rpm jbcs-httpd24-nghttp2-1.39.2-4.jbcs.el6.i686.rpm jbcs-httpd24-nghttp2-debuginfo-1.39.2-4.jbcs.el6.i686.rpm jbcs-httpd24-nghttp2-devel-1.39.2-4.jbcs.el6.i686.rpm jbcs-httpd24-openssl-1.1.1-25.jbcs.el6.i686.rpm jbcs-httpd24-openssl-debuginfo-1.1.1-25.jbcs.el6.i686.rpm jbcs-httpd24-openssl-devel-1.1.1-25.jbcs.el6.i686.rpm jbcs-httpd24-openssl-libs-1.1.1-25.jbcs.el6.i686.rpm jbcs-httpd24-openssl-perl-1.1.1-25.jbcs.el6.i686.rpm jbcs-httpd24-openssl-static-1.1.1-25.jbcs.el6.i686.rpm noarch: jbcs-httpd24-httpd-manual-2.4.37-33.jbcs.el6.noarch.rpm ppc64: jbcs-httpd24-brotli-1.0.6-7.jbcs.el6.ppc64.rpm jbcs-httpd24-brotli-debuginfo-1.0.6-7.jbcs.el6.ppc64.rpm jbcs-httpd24-brotli-devel-1.0.6-7.jbcs.el6.ppc64.rpm jbcs-httpd24-curl-7.64.1-14.jbcs.el6.ppc64.rpm jbcs-httpd24-curl-debuginfo-7.64.1-14.jbcs.el6.ppc64.rpm jbcs-httpd24-httpd-debuginfo-2.4.37-33.jbcs.el6.ppc64.rpm jbcs-httpd24-jansson-2.11-20.jbcs.el6.ppc64.rpm jbcs-httpd24-jansson-debuginfo-2.11-20.jbcs.el6.ppc64.rpm jbcs-httpd24-jansson-devel-2.11-20.jbcs.el6.ppc64.rpm jbcs-httpd24-libcurl-7.64.1-14.jbcs.el6.ppc64.rpm jbcs-httpd24-libcurl-devel-7.64.1-14.jbcs.el6.ppc64.rpm jbcs-httpd24-mod_md-2.4.37-33.jbcs.el6.ppc64.rpm x86_64: jbcs-httpd24-apr-1.6.3-63.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-debuginfo-1.6.3-63.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-devel-1.6.3-63.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-util-1.6.1-48.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-util-debuginfo-1.6.1-48.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-util-devel-1.6.1-48.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-util-ldap-1.6.1-48.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-util-mysql-1.6.1-48.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-util-nss-1.6.1-48.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-util-odbc-1.6.1-48.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-util-openssl-1.6.1-48.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-util-pgsql-1.6.1-48.jbcs.el6.x86_64.rpm jbcs-httpd24-apr-util-sqlite-1.6.1-48.jbcs.el6.x86_64.rpm jbcs-httpd24-brotli-1.0.6-7.jbcs.el6.x86_64.rpm jbcs-httpd24-brotli-debuginfo-1.0.6-7.jbcs.el6.x86_64.rpm jbcs-httpd24-brotli-devel-1.0.6-7.jbcs.el6.x86_64.rpm jbcs-httpd24-curl-7.64.1-14.jbcs.el6.x86_64.rpm jbcs-httpd24-curl-debuginfo-7.64.1-14.jbcs.el6.x86_64.rpm jbcs-httpd24-httpd-2.4.37-33.jbcs.el6.x86_64.rpm jbcs-httpd24-httpd-debuginfo-2.4.37-33.jbcs.el6.x86_64.rpm jbcs-httpd24-httpd-devel-2.4.37-33.jbcs.el6.x86_64.rpm jbcs-httpd24-httpd-selinux-2.4.37-33.jbcs.el6.x86_64.rpm jbcs-httpd24-httpd-tools-2.4.37-33.jbcs.el6.x86_64.rpm jbcs-httpd24-jansson-2.11-20.jbcs.el6.x86_64.rpm jbcs-httpd24-jansson-debuginfo-2.11-20.jbcs.el6.x86_64.rpm jbcs-httpd24-jansson-devel-2.11-20.jbcs.el6.x86_64.rpm jbcs-httpd24-libcurl-7.64.1-14.jbcs.el6.x86_64.rpm jbcs-httpd24-libcurl-devel-7.64.1-14.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_cluster-native-1.3.12-9.Final_redhat_2.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_cluster-native-debuginfo-1.3.12-9.Final_redhat_2.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_jk-ap24-1.2.46-22.redhat_1.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_jk-debuginfo-1.2.46-22.redhat_1.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_jk-manual-1.2.46-22.redhat_1.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_ldap-2.4.37-33.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_md-2.4.37-33.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_proxy_html-2.4.37-33.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_security-2.9.2-16.GA.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_security-debuginfo-2.9.2-16.GA.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_session-2.4.37-33.jbcs.el6.x86_64.rpm jbcs-httpd24-mod_ssl-2.4.37-33.jbcs.el6.x86_64.rpm jbcs-httpd24-nghttp2-1.39.2-4.jbcs.el6.x86_64.rpm jbcs-httpd24-nghttp2-debuginfo-1.39.2-4.jbcs.el6.x86_64.rpm jbcs-httpd24-nghttp2-devel-1.39.2-4.jbcs.el6.x86_64.rpm jbcs-httpd24-openssl-1.1.1-25.jbcs.el6.x86_64.rpm jbcs-httpd24-openssl-debuginfo-1.1.1-25.jbcs.el6.x86_64.rpm jbcs-httpd24-openssl-devel-1.1.1-25.jbcs.el6.x86_64.rpm jbcs-httpd24-openssl-libs-1.1.1-25.jbcs.el6.x86_64.rpm jbcs-httpd24-openssl-perl-1.1.1-25.jbcs.el6.x86_64.rpm jbcs-httpd24-openssl-static-1.1.1-25.jbcs.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-0734 https://access.redhat.com/security/cve/CVE-2018-0737 https://access.redhat.com/security/cve/CVE-2018-5407 https://access.redhat.com/security/cve/CVE-2018-17189 https://access.redhat.com/security/cve/CVE-2018-17199 https://access.redhat.com/security/cve/CVE-2019-0196 https://access.redhat.com/security/cve/CVE-2019-0197 https://access.redhat.com/security/cve/CVE-2019-0217 https://access.redhat.com/security/cve/CVE-2019-9511 https://access.redhat.com/security/cve/CVE-2019-9513 https://access.redhat.com/security/cve/CVE-2019-9516 https://access.redhat.com/security/cve/CVE-2019-9517 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXdVoL9zjgjWX9erEAQhDLw/+Mfjt8An133D/dKW5oR9yMg62DEEC/4Cg dZmxKhl19OMZAZuW50cGKv2FpDmJrKdXXD3t5qral22H0PytI9//FOIhWI1iz6Iz dUezvO+lWWaKUQ7KoInxh+GX64/ll+uVfBqOW3I4FWA4ZHw27/kUVHfymD/7GBUQ YsZaaiy8jKHA0VfcjtZva9GJZ4/GkhBZF4xobzgxzKurv4jsvRZaRcf8pV8ty4ll e55/G3YVyLi7nzF5l/EWKLBOhi6EPVWPO7QcjrVyIJ8126UypxPgcVvst85GAFV9 waZVdRpbcMmGqm6yc+1+3Xz9t+uY4Kxa6/fgnTJGsKDhMyscdTzi5p/Ckoeu72u9 xdrvL5z9cQraY9j5O0E5rjc0zaqKXsKIBd4hi33HTO/DhQgCFvJFIZT6oLFsv6Iz mK0fC6v+7BDF01pKdjHRS6p/iEUKP5u5Dnrto/GPUGRS8RMcxLyCCHGttM50swgQ AJaXKchifSn00H2Dg+bb7z3mUZejPBLfDN39rvKzyonQd+GlDZUlprWtPVgu3qlC zQjLuPdbDIHnDPgTK+7MqNEM7DHyI/APh0l33/tjjtBG9ybLgGYDUSafPDA3caZM IIqBDEZ8ztDMVaSrkmQdI6onBFBJBYfQ5zu8VI6zxPQXs6vC0r9KlMAG7KqUihr4 eV0hw7GzzDQ= =xwun -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4348-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 30, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openssl CVE ID : CVE-2018-0732 CVE-2018-0734 CVE-2018-0735 CVE-2018-0737 CVE-2018-5407 Several local side channel attacks and a denial of service via large Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets Layer toolkit. For the stable distribution (stretch), these problems have been fixed in version 1.1.0j-1~deb9u1. Going forward, openssl security updates for stretch will be based on the 1.1.0x upstream releases. We recommend that you upgrade your openssl packages. For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlwBuAcACgkQEMKTtsN8 TjZbBw/+MOB5+pZbCHHXyH3IeD+yj+tSPvmNc3SCwdEtUxGXr0ZX7TKHfaLs/8s6 Udto0K8a1FvjrcUQCfhnFpNcSAv9pxX13Fr6Pd560miIfAu9/5jAqiCufCoiz+xj 45LNJGlaxxaFjgBGCitZSJA0Fc4SM6v5XFyJfR3kChdQ/3kGQbbMNAp16Fy3ZsxJ VXwviomUxmmmdvjxyhifTIpuwr9OiJSQ+13etQjTDQ3pzSbLBPSOxmpV0vPIC7I2 Dwa4zuQXA/DF4G6l8T4rXCwCN4e4pwbTc8bbCjXeZK+iVAhnRD6wXlS3cc5IVAzx /qTa89LZU8B6ylcB6nodeAHLuZTC3Le8ndoxYz5S2/jHZMM/jCQNHYJemHWNbOqn q+e5W0D1fIVLiLoL/iHW5XhN6yJY2Ma7zjXMRBnkzJA9CTNIKgUjrSFz0Ud+wIM/ u8QhNPwZ0hPd5IfSgIyWqmuQ5XzFYqAQvwT1gUJiK7tIvuT0VsSyKVaSZVbi4yrM 9sxkZaP1UNLcTVCFw6A0KFwhb9z6kQtyH1MRkFPphmnb8jlHA3cTdPJkFUBi3VaT 7izThm5/mVLbAjZ8X7nkqnzWzmc885j0ml3slDd/MOVWB5CD3vFAcI8k3VZr3A61 P2gNSN6UbAbLMGsxgs3hYUHgazi7MdXJ/aNavjGSbYBNL780Iaw=3Qji -----END PGP SIGNATURE----- . Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. Security Fix(es): * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407) * openssl: 0-byte record padding oracle (CVE-2019-1559) * tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 (CVE-2019-10072) * tomcat: XSS in SSI printenv (CVE-2019-0221) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 1645695 - CVE-2018-5407 openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) 1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle 1713275 - CVE-2019-0221 tomcat: XSS in SSI printenv 1723708 - CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 6. ========================================================================== Ubuntu Security Notice USN-3840-1 December 06, 2018 openssl, openssl1.0 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.10 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in OpenSSL. An attacker could possibly use this issue to perform a timing side-channel attack and recover private DSA keys. (CVE-2018-0734) Samuel Weiser discovered that OpenSSL incorrectly handled ECDSA signing. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-0735) Billy Bob Brumley, Cesar Pereida Garcia, Sohaib ul Hassan, Nicola Tuveri, and Alejandro Cabrera Aldaya discovered that Simultaneous Multithreading (SMT) architectures are vulnerable to side-channel leakage. This issue is known as "PortSmash". An attacker could possibly use this issue to perform a timing side-channel attack and recover private keys. (CVE-2018-5407) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.10: libssl1.0.0 1.0.2n-1ubuntu6.1 libssl1.1 1.1.1-1ubuntu2.1 Ubuntu 18.04 LTS: libssl1.0.0 1.0.2n-1ubuntu5.2 libssl1.1 1.1.0g-2ubuntu4.3 Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.14 Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.27 After a standard system update you need to reboot your computer to make all the necessary changes. Solution: For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/ index.html 4

Trust: 3.42

sources: NVD: CVE-2018-5407 // JVNDB: JVNDB-2018-012393 // JVNDB: JVNDB-2018-012363 // BID: 105897 // VULHUB: VHN-135438 // PACKETSTORM: 152084 // PACKETSTORM: 155414 // PACKETSTORM: 155417 // PACKETSTORM: 150860 // PACKETSTORM: 150561 // PACKETSTORM: 155415 // PACKETSTORM: 150683 // PACKETSTORM: 152241

AFFECTED PRODUCTS

vendor:oraclemodel:primavera p6 enterprise project portfolio managementscope:eqversion:8.4

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:8.0

Trust: 1.0

vendor:oraclemodel:primavera p6 enterprise project portfolio managementscope:eqversion:16.1

Trust: 1.0

vendor:oraclemodel:mysql enterprise backupscope:lteversion:4.1.2

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:16.04

Trust: 1.0

vendor:oraclemodel:mysql enterprise backupscope:lteversion:3.12.3

Trust: 1.0

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.55

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:18.10

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:10.9.0

Trust: 1.0

vendor:oraclemodel:enterprise manager base platformscope:eqversion:13.3.0.0.0

Trust: 1.0

vendor:redhatmodel:enterprise linux server ausscope:eqversion:7.6

Trust: 1.0

vendor:oraclemodel:primavera p6 enterprise project portfolio managementscope:gteversion:17.7

Trust: 1.0

vendor:oraclemodel:vm virtualboxscope:ltversion:6.0.0

Trust: 1.0

vendor:oraclemodel:application serverscope:eqversion:0.9.8

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:18.04

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:6.14.4

Trust: 1.0

vendor:oraclemodel:primavera p6 enterprise project portfolio managementscope:eqversion:15.2

Trust: 1.0

vendor:redhatmodel:enterprise linux serverscope:eqversion:7.0

Trust: 1.0

vendor:redhatmodel:enterprise linux server tusscope:eqversion:7.6

Trust: 1.0

vendor:oraclemodel:api gatewayscope:eqversion:11.1.2.4.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:10.0.0

Trust: 1.0

vendor:opensslmodel:opensslscope:gteversion:1.0.2

Trust: 1.0

vendor:redhatmodel:enterprise linux workstationscope:eqversion:7.0

Trust: 1.0

vendor:oraclemodel:enterprise manager ops centerscope:eqversion:12.3.3

Trust: 1.0

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.56

Trust: 1.0

vendor:redhatmodel:enterprise linux server eusscope:eqversion:7.6

Trust: 1.0

vendor:oraclemodel:primavera p6 enterprise project portfolio managementscope:eqversion:18.8

Trust: 1.0

vendor:opensslmodel:opensslscope:ltversion:1.0.2q

Trust: 1.0

vendor:oraclemodel:primavera p6 enterprise project portfolio managementscope:eqversion:15.1

Trust: 1.0

vendor:tenablemodel:nessusscope:ltversion:8.1.1

Trust: 1.0

vendor:oraclemodel:tuxedoscope:eqversion:12.1.1.0.0

Trust: 1.0

vendor:redhatmodel:enterprise linux desktopscope:eqversion:7.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:8.0.0

Trust: 1.0

vendor:oraclemodel:enterprise manager base platformscope:eqversion:13.2.0.0.0

Trust: 1.0

vendor:opensslmodel:opensslscope:ltversion:1.1.0i

Trust: 1.0

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.57

Trust: 1.0

vendor:oraclemodel:primavera p6 enterprise project portfolio managementscope:lteversion:17.12

Trust: 1.0

vendor:oraclemodel:enterprise manager base platformscope:eqversion:12.1.0.5.0

Trust: 1.0

vendor:oraclemodel:primavera p6 enterprise project portfolio managementscope:eqversion:16.2

Trust: 1.0

vendor:opensslmodel:opensslscope:gteversion:1.1.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:8.11.4

Trust: 1.0

vendor:oraclemodel:mysql enterprise backupscope:gteversion:3.12.4

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:14.04

Trust: 1.0

vendor:oraclemodel:application serverscope:eqversion:1.0.0

Trust: 1.0

vendor:oraclemodel:application serverscope:eqversion:1.0.1

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:redhatmodel:enterprise linux serverscope:eqversion:7.6

Trust: 1.0

vendor:hewlett packardmodel:hpe integrated lights-out 3scope:ltversion:1.90

Trust: 0.8

vendor:hewlett packardmodel:hpe integrated lights-out 4scope:ltversion:2.61

Trust: 0.8

vendor:hewlett packardmodel:hpe integrated lights-out 5scope:ltversion:1.35

Trust: 0.8

vendor:canonicalmodel:ubuntuscope: - version: -

Trust: 0.8

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:node jsmodel:node.jsscope: - version: -

Trust: 0.8

vendor:opensslmodel:opensslscope: - version: -

Trust: 0.8

vendor:tenablemodel:nessusscope:eqversion:8.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:8.0

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:7.2.2

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:7.2.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:7.2

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:7.1.3

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:7.1.2

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:7.1.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:7.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.9.3

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.9

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.8

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.7

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.6.2

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.6.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.6

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.5.6

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.5.5

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.5.4

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.5.3

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.5.2

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.5.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.5

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.4.3

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.4.2

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.4.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.4

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.3.7

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.3.6

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.3.5

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.3.4

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.3.3

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.3.2

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.3.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.3

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.2.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.2

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.1.2

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.1.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.0.2

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.0.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.0

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:5.2.7

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:5.2.4

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:5.2.3

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:1.0.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:7.0

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.9.2

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:6.9.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:4.4.1

Trust: 0.3

vendor:tenablemodel:nessusscope:eqversion:3.0.3

Trust: 0.3

vendor:redhatmodel:enterprise linuxscope:eqversion:7

Trust: 0.3

vendor:redhatmodel:enterprise linuxscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linuxscope:eqversion:5

Trust: 0.3

vendor:oraclemodel:solarisscope:eqversion:11.4

Trust: 0.3

vendor:oraclemodel:solarisscope:eqversion:11.3

Trust: 0.3

vendor:oraclemodel:solarisscope:eqversion:10

Trust: 0.3

vendor:opensslmodel:project opensslscope:eqversion:1.0.2

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0hscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0gscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0fscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0escope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0dscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0cscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0bscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0ascope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2pscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2oscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2nscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2mscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2l-gitscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2lscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2kscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2jscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2iscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2hscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2gscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2fscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2escope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2dscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2cscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2bscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2ascope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2-1.0.2oscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl beta1scope:eqversion:1.0.2

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.3

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.14

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.4.0

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.3.50

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.3.4

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.3.3

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.3.2

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.3.0

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.2.6

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.2.5

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.2.4

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.2.0

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.1.9

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.1.8

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.1.3

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.1.1

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.1.0

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.0.13

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.0.12

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.0.11

Trust: 0.3

vendor:ibmmodel:viosscope:eqversion:2.2.0.10

Trust: 0.3

vendor:ibmmodel:aixscope:eqversion:7.2

Trust: 0.3

vendor:ibmmodel:aixscope:eqversion:7.1

Trust: 0.3

vendor:ibmmodel:aixscope:eqversion:6.1

Trust: 0.3

vendor:ibmmodel:aixscope:eqversion:5.3

Trust: 0.3

vendor:tenablemodel:nessusscope:neversion:8.1.1

Trust: 0.3

vendor:opensslmodel:project opensslscope:neversion:1.1.1

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0iscope:neversion: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2qscope:neversion: -

Trust: 0.3

sources: BID: 105897 // JVNDB: JVNDB-2018-012393 // JVNDB: JVNDB-2018-012363 // NVD: CVE-2018-5407

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-5407
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-5407
value: HIGH

Trust: 0.8

NVD: CVE-2018-5407
value: MEDIUM

Trust: 0.8

VULHUB: VHN-135438
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-5407
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

NVD: CVE-2018-5407
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-135438
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-5407
baseSeverity: MEDIUM
baseScore: 4.7
vectorString: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.0
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2018-5407
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

NVD: CVE-2018-5407
baseSeverity: MEDIUM
baseScore: 4.7
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-135438 // JVNDB: JVNDB-2018-012393 // JVNDB: JVNDB-2018-012363 // NVD: CVE-2018-5407

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

problemtype:CWE-203

Trust: 1.1

problemtype:CWE-254

Trust: 0.8

sources: VULHUB: VHN-135438 // JVNDB: JVNDB-2018-012393 // JVNDB: JVNDB-2018-012363 // NVD: CVE-2018-5407

THREAT TYPE

local

Trust: 0.5

sources: BID: 105897 // PACKETSTORM: 150860 // PACKETSTORM: 150561

TYPE

Design Error

Trust: 0.3

sources: BID: 105897

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012393

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-135438

PATCH

title:hpesbhf03866en_usurl:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03866en_us

Trust: 0.8

title:DSA-4348url:https://www.debian.org/security/2018/dsa-4348

Trust: 0.8

title:DSA-4355url:https://www.debian.org/security/2018/dsa-4355

Trust: 0.8

title:[SECURITY] [DLA 1586-1] openssl security updateurl:https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html

Trust: 0.8

title:opensslurl:https://github.com/openssl/openssl

Trust: 0.8

title:November 2018 Security Releasesurl:https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Trust: 0.8

title:USN-3840-1url:https://usn.ubuntu.com/3840-1/

Trust: 0.8

sources: JVNDB: JVNDB-2018-012393 // JVNDB: JVNDB-2018-012363

EXTERNAL IDS

db:NVDid:CVE-2018-5407

Trust: 3.8

db:TENABLEid:TNS-2018-16

Trust: 1.4

db:BIDid:105897

Trust: 1.4

db:TENABLEid:TNS-2018-17

Trust: 1.1

db:EXPLOIT-DBid:45785

Trust: 1.1

db:JVNDBid:JVNDB-2018-012393

Trust: 0.8

db:JVNDBid:JVNDB-2018-012363

Trust: 0.8

db:PACKETSTORMid:152084

Trust: 0.2

db:PACKETSTORMid:152241

Trust: 0.2

db:PACKETSTORMid:155415

Trust: 0.2

db:PACKETSTORMid:150138

Trust: 0.1

db:PACKETSTORMid:155413

Trust: 0.1

db:PACKETSTORMid:152240

Trust: 0.1

db:PACKETSTORMid:152071

Trust: 0.1

db:CNNVDid:CNNVD-201811-279

Trust: 0.1

db:VULHUBid:VHN-135438

Trust: 0.1

db:PACKETSTORMid:155414

Trust: 0.1

db:PACKETSTORMid:155417

Trust: 0.1

db:PACKETSTORMid:150860

Trust: 0.1

db:PACKETSTORMid:150561

Trust: 0.1

db:PACKETSTORMid:150683

Trust: 0.1

sources: VULHUB: VHN-135438 // BID: 105897 // JVNDB: JVNDB-2018-012393 // JVNDB: JVNDB-2018-012363 // PACKETSTORM: 152084 // PACKETSTORM: 155414 // PACKETSTORM: 155417 // PACKETSTORM: 150860 // PACKETSTORM: 150561 // PACKETSTORM: 155415 // PACKETSTORM: 150683 // PACKETSTORM: 152241 // NVD: CVE-2018-5407

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2018-5407

Trust: 1.6

url:https://www.tenable.com/security/tns-2018-16

Trust: 1.4

url:https://github.com/bbbrumley/portsmash

Trust: 1.4

url:https://security.gentoo.org/glsa/201903-10

Trust: 1.2

url:https://access.redhat.com/errata/rhsa-2019:0651

Trust: 1.2

url:https://access.redhat.com/errata/rhsa-2019:3929

Trust: 1.2

url:https://access.redhat.com/errata/rhsa-2019:3932

Trust: 1.2

url:https://access.redhat.com/errata/rhsa-2019:3935

Trust: 1.2

url:http://www.securityfocus.com/bid/105897

Trust: 1.1

url:https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Trust: 1.1

url:https://security.netapp.com/advisory/ntap-20181126-0001/

Trust: 1.1

url:https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Trust: 1.1

url:https://www.tenable.com/security/tns-2018-17

Trust: 1.1

url:https://www.debian.org/security/2018/dsa-4348

Trust: 1.1

url:https://www.debian.org/security/2018/dsa-4355

Trust: 1.1

url:https://www.exploit-db.com/exploits/45785/

Trust: 1.1

url:https://eprint.iacr.org/2018/1060.pdf

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpuapr2020.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpujan2020.html

Trust: 1.1

url:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Trust: 1.1

url:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Trust: 1.1

url:https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2019:0483

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2019:0652

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2019:2125

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2019:3931

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2019:3933

Trust: 1.1

url:https://usn.ubuntu.com/3840-1/

Trust: 1.1

url:https://support.f5.com/csp/article/k49711130?utm_source=f5support&amp%3butm_medium=rss

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7105

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-7105

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5407

Trust: 0.8

url:https://access.redhat.com/security/cve/cve-2018-5407

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2018-0734

Trust: 0.5

url:https://access.redhat.com/security/team/contact/

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2018-0737

Trust: 0.4

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.4

url:https://www.openssl.org/news/cl102.txt

Trust: 0.3

url:http://openssl.org/

Trust: 0.3

url:https://bugzilla.redhat.com/show_bug.cgi?id=1645695

Trust: 0.3

url:https://www.openssl.org/news/openssl-1.0.2-notes.html

Trust: 0.3

url:https://www.openssl.org/news/secadv/20181112.txt

Trust: 0.3

url:https://www.oracle.com/technetwork/topics/security/bulletinjan2019-5251593.html

Trust: 0.3

url:http://aix.software.ibm.com/aix/efixes/security/openssl_advisory29.asc

Trust: 0.3

url:https://access.redhat.com/articles/11258

Trust: 0.3

url:https://bugzilla.redhat.com/):

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-1559

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-9513

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-9511

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-9517

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-0197

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-17199

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-9511

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-17189

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-9517

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-0737

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-17199

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-9516

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-9513

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-0217

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-0217

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-0197

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-17189

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-9516

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-0196

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-0196

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-0734

Trust: 0.2

url:https://access.redhat.com/security/team/key/

Trust: 0.2

url:https://www.debian.org/security/faq

Trust: 0.2

url:https://www.debian.org/security/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-0732

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-0735

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://support.f5.com/csp/article/k49711130?utm_source=f5support&amp;amp;utm_medium=rss

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://security-tracker.debian.org/tracker/openssl1.0

Trust: 0.1

url:https://security-tracker.debian.org/tracker/openssl

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-10072

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-0221

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-10072

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-1559

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.2/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-0221

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.14

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.27

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/1.1.0g-2ubuntu4.3

Trust: 0.1

url:https://usn.ubuntu.com/usn/usn-3840-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu6.1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu5.2

Trust: 0.1

url:https://docs.ansible.com/ansible-tower/latest/html/release-notes/index.html

Trust: 0.1

url:https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/

Trust: 0.1

sources: VULHUB: VHN-135438 // BID: 105897 // JVNDB: JVNDB-2018-012393 // JVNDB: JVNDB-2018-012363 // PACKETSTORM: 152084 // PACKETSTORM: 155414 // PACKETSTORM: 155417 // PACKETSTORM: 150860 // PACKETSTORM: 150561 // PACKETSTORM: 155415 // PACKETSTORM: 150683 // PACKETSTORM: 152241 // NVD: CVE-2018-5407

CREDITS

Red Hat

Trust: 0.4

sources: PACKETSTORM: 155414 // PACKETSTORM: 155417 // PACKETSTORM: 155415 // PACKETSTORM: 152241

SOURCES

db:VULHUBid:VHN-135438
db:BIDid:105897
db:JVNDBid:JVNDB-2018-012393
db:JVNDBid:JVNDB-2018-012363
db:PACKETSTORMid:152084
db:PACKETSTORMid:155414
db:PACKETSTORMid:155417
db:PACKETSTORMid:150860
db:PACKETSTORMid:150561
db:PACKETSTORMid:155415
db:PACKETSTORMid:150683
db:PACKETSTORMid:152241
db:NVDid:CVE-2018-5407

LAST UPDATE DATE

2024-11-20T21:06:40.625000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-135438date:2020-09-18T00:00:00
db:BIDid:105897date:2019-01-17T10:00:00
db:JVNDBid:JVNDB-2018-012393date:2019-02-01T00:00:00
db:JVNDBid:JVNDB-2018-012363date:2019-02-01T00:00:00
db:NVDid:CVE-2018-5407date:2023-11-07T02:58:42.920

SOURCES RELEASE DATE

db:VULHUBid:VHN-135438date:2018-11-15T00:00:00
db:BIDid:105897date:2018-10-30T00:00:00
db:JVNDBid:JVNDB-2018-012393date:2019-02-01T00:00:00
db:JVNDBid:JVNDB-2018-012363date:2019-02-01T00:00:00
db:PACKETSTORMid:152084date:2019-03-14T16:23:47
db:PACKETSTORMid:155414date:2019-11-20T23:02:22
db:PACKETSTORMid:155417date:2019-11-20T21:11:11
db:PACKETSTORMid:150860date:2018-12-20T15:05:22
db:PACKETSTORMid:150561date:2018-12-03T21:06:37
db:PACKETSTORMid:155415date:2019-11-20T20:44:44
db:PACKETSTORMid:150683date:2018-12-07T01:03:36
db:PACKETSTORMid:152241date:2019-03-27T00:35:38
db:NVDid:CVE-2018-5407date:2018-11-15T21:29:00.233