CVE-2018-0737

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openssl	19.04 disco	Fixed 1.1.0g-2ubuntu5
	18.10 cosmic	Fixed 1.1.0g-2ubuntu5
	18.04 LTS bionic	Fixed 1.1.0g-2ubuntu4.1
	17.10 artful	Fixed 1.0.2g-1ubuntu13.6
	16.04 LTS xenial	Fixed 1.0.2g-1ubuntu4.13
	14.04 LTS trusty	Fixed 1.0.1f-1ubuntu2.26
openssl098	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
openssl1.0	19.04 disco	Not in release
	18.10 cosmic	Fixed 1.0.2n-1ubuntu6
	18.04 LTS bionic	Fixed 1.0.2n-1ubuntu5.1
	17.10 artful	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release

Notes

mdeslaur

USN-3628-1 was releases with a possible incomplete fix. Next USN should add the three first commits listed below

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
openssl	Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0b199a883e9170cdfe8e61c150bbaf8d8951f3e7 Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=64eb614ccc7ccf30cc412b736f509f1d82bbf897 Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0d6710289307d277ebc3354105c965b6e8ba8eb0 Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6939eab03a6e23d2bd2c3f5e34fe1d48e542e787 Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=9db724cfede4ba7a3668bff533973ee70145ec07 Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=011f82e66f4bf131c733fd41a8390039859aafb2 Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7150a4720af7913cae16f2e4eaf768b578c0b298 Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6939eab03a6e23d2bd2c3f5e34fe1d48e542e787

Package

Patch details

openssl

Severity score breakdown

Parameter	Value
Base score	5.9 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Related Ubuntu Security Notices (USN)

USN-3628-1
OpenSSL vulnerability
19 April 2018

USN-3628-2
OpenSSL vulnerability
19 April 2018

USN-3692-1
OpenSSL vulnerabilities
26 June 2018

USN-3692-2
OpenSSL vulnerabilities
26 June 2018

Cvss 3 Severity Score

Status

Notes

mdeslaur

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references