CVE-2018-0735 : The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).

Published 2018-10-29 13:29:00

Updated 2022-08-29 20:41:25

Source OpenSSL Software Foundation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2018-0735

Probability of exploitation activity in the next 30 days: 0.48%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 75 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2018-0735

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2018-0735

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-0735

https://www.oracle.com/security-alerts/cpujan2020.html

Oracle Critical Patch Update Advisory - January 2020
Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1041986

OpenSSL ECDSA Signature Algorithm Lets Remote Users Obtain Passwords on the Target System in Certain Cases - SecurityTracker
Third Party Advisory;VDB Entry
https://usn.ubuntu.com/3840-1/

USN-3840-1: OpenSSL vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Oracle Critical Patch Update - July 2019
Patch;Third Party Advisory

CVEs referencing this url
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1

git.openssl.org Git - openssl.git/commitdiff
Patch;Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3700

RHSA-2019:3700 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html

[SECURITY] [DLA 1586-1] openssl security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

November 2018 Security Releases | Node.js
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Oracle Critical Patch Update - April 2019
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20181105-0002/

October 2018 OpenSSL Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://www.openssl.org/news/secadv/20181029.txt

Vendor Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Oracle Critical Patch Update - January 2019
Patch;Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/105750

OpenSSL CVE-2018-0735 Side Channel Attack Information Disclosure Vulnerability
Third Party Advisory;VDB Entry
https://www.debian.org/security/2018/dsa-4348

Debian -- Security Information -- DSA-4348-1 openssl
Third Party Advisory

CVEs referencing this url
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4

git.openssl.org Git - openssl.git/commitdiff
Patch;Third Party Advisory

Products affected by CVE-2018-0735

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Application Server » Version: 0.9.8
cpe:2.3:a:oracle:application_server:0.9.8:*:*:*:*:*:*:*
Matching versions
Oracle » Application Server » Version: 1.0.0
cpe:2.3:a:oracle:application_server:1.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Application Server » Version: 1.0.1
cpe:2.3:a:oracle:application_server:1.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.55
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.56
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.57
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
Matching versions
Oracle » Vm Virtualbox
Versions before (<) 6.0.0
cpe:2.3:a:oracle:vm_virtualbox:*:*:*:*:*:*:*:*
Matching versions
Oracle » Vm Virtualbox
Versions from including (>=) 5.0.0 and before (<) 5.2.24
cpe:2.3:a:oracle:vm_virtualbox:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions from including (>=) 5.7.0 and up to, including, (<=) 5.7.24
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions up to, including, (<=) 5.6.42
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.0.13
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Oracle » Secure Global Desktop » Version: 5.4
cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*
Matching versions
Oracle » Api Gateway » Version: 11.1.2.4.0
cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Tuxedo » Version: 12.1.1.0.0
cpe:2.3:a:oracle:tuxedo:12.1.1.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Ops Center » Version: 12.3.3
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Enterprise Project Portfolio Management
Versions from including (>=) 17.7 and up to, including, (<=) 17.12
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Enterprise Project Portfolio Management » Version: 8.4
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Enterprise Project Portfolio Management » Version: 15.2
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Enterprise Project Portfolio Management » Version: 16.1
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Enterprise Project Portfolio Management » Version: 15.1
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Enterprise Project Portfolio Management » Version: 16.2
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Enterprise Project Portfolio Management » Version: 18.8
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Base Platform » Version: 13.2.0.0.0
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Base Platform » Version: 13.3.0.0.0
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Base Platform » Version: 12.1.0.5.0
cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:*
Matching versions
Openssl » Openssl
Versions from including (>=) 1.1.0 and up to, including, (<=) 1.1.0i
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
Matching versions
Openssl » Openssl » Version: 1.1.1
cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.10
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Matching versions
Netapp » Snapdrive » Version: N/A For Unix
cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*
Matching versions
Netapp » Snapdrive » Version: N/A For Windows
cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Unified Manager » For Vsphere
Versions from including (>=) 9.4
cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*
Matching versions
Netapp » Oncommand Unified Manager
cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:*:*:*
Matching versions
Netapp » Element Software » Version: N/A
cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
Matching versions
Netapp » Santricity Smi-s Provider » Version: N/A
cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*
Matching versions
Netapp » Cn1610 Firmware » Version: N/A
cpe:2.3:o:netapp:cn1610_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » Cn1610 » Version: N/A
Netapp » Steelstore » Version: N/A
cpe:2.3:a:netapp:steelstore:-:*:*:*:*:*:*:*
Matching versions
Netapp » Smi-s Provider » Version: N/A
cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 10.0.0 and before (<) 10.12.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 11.0.0 and before (<) 11.3.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js » Version: 10.13.0 LTS Edition
cpe:2.3:a:nodejs:node.js:10.13.0:*:*:*:lts:*:*:*
Matching versions

Vulnerability Details : CVE-2018-0735

Exploit prediction scoring system (EPSS) score for CVE-2018-0735

CVSS scores for CVE-2018-0735

CWE ids for CVE-2018-0735

References for CVE-2018-0735

Products affected by CVE-2018-0735