Bug 1113651 - (CVE-2018-0735) VUL-1: CVE-2018-0735: openssl-1_1: Timing vulnerability in ECDSA signature generation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
CVSSv3:RedHat:CVE-2018-0735:5.1:(AV:...
Reported: 2018-10-29 06:30 UTC by Marcus Meissner
Modified: 2020-07-02 13:06 UTC (History)
Description Marcus Meissner 2018-10-29 06:30:36 UTC
from openssl git:

commit 99540ec79491f59ed8b46b4edf130e17dc907f52
Author: Pauli <paul.dale@oracle.com>
Date:   Fri Oct 26 10:54:58 2018 +1000

    Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
    
    Preallocate an extra limb for some of the big numbers to avoid a reallocation
    that can potentially provide a side channel.
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
    (Merged from https://github.com/openssl/openssl/pull/7486)
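
The commit message above describes preallocating an extra limb so that no reallocation happens while signing. A toy model of that effect follows, added here as an illustration and not taken from OpenSSL or from this bug report; `toy_bn`, `toy_expand`, `toy_add`, `reallocs_for` and the two-limb "order" are hypothetical, constructed names and values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Toy bignum with little-endian 64-bit limbs (hypothetical, not OpenSSL's BIGNUM). */
typedef struct { uint64_t *d; int top, dmax; } toy_bn;
static int realloc_count; /* stands in for the allocator time an observer could measure */

/* Grow storage to at least `words` limbs; does nothing if capacity already suffices. */
static int toy_expand(toy_bn *a, int words) {
    if (words <= a->dmax) return 1;
    uint64_t *p = realloc(a->d, (size_t)words * sizeof *p);
    if (p == NULL) return 0;
    for (int i = a->dmax; i < words; i++) p[i] = 0;
    a->d = p; a->dmax = words; realloc_count++;
    return 1;
}

/* k += n over `top` limbs; storage grows only when a carry leaves the top limb. */
static int toy_add(toy_bn *k, const uint64_t *n, int top) {
    uint64_t carry = 0;
    for (int i = 0; i < top; i++) {
        uint64_t s = k->d[i] + n[i];
        uint64_t c = s < n[i];          /* overflow of the limb addition */
        s += carry;
        carry = c | (s < carry);        /* overflow of adding the incoming carry */
        k->d[i] = s;
    }
    if (!carry) return 1;               /* data-dependent branch: no growth needed */
    if (!toy_expand(k, top + 1)) return 0;
    k->d[top] = 1; k->top = top + 1;
    return 1;
}

/* Reallocations triggered by k + n for a constructed 2-limb order n and scalar k. */
int reallocs_for(uint64_t k_hi, int extra_limbs) {
    const uint64_t n[2] = { 1, 0xC000000000000000ULL }; /* constructed, not a real curve order */
    toy_bn k = { NULL, 2, 0 };
    if (!toy_expand(&k, 2 + extra_limbs)) return -1;    /* extra_limbs = 1 models the fix */
    k.d[0] = 1234; k.d[1] = k_hi;
    realloc_count = 0; /* count only growth caused by the addition itself */
    int ok = toy_add(&k, n, 2);
    free(k.d);
    return ok ? realloc_count : -1;
}

int main(void) {
    printf("no spare limb: small k=%d, large k=%d; spare limb: small k=%d, large k=%d\n",
           reallocs_for(1ULL << 60, 0), reallocs_for(5ULL << 60, 0),
           reallocs_for(1ULL << 60, 1), reallocs_for(5ULL << 60, 1));
    return 0;
}
```

Without the spare limb, whether the allocator runs depends on the high bits of the secret scalar; with it, both scalars take the same path.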
Comment 1 Marcus Meissner 2018-10-29 06:33:42 UTC
Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
==================================================================

Severity: Low

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.

Due to the low severity of this issue we are not issuing a new release
of OpenSSL 1.1.1 or 1.1.0 at this time. The fix will be included in
OpenSSL 1.1.1a and OpenSSL 1.1.0j when they become available. The fix
is also available in commit b1d6d55ece (for 1.1.1) and commit 56fb454d28
(for 1.1.0) in the OpenSSL git repository.

This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20181029.txt
Comment 2 Marcus Meissner 2018-10-29 12:29:51 UTC
a fix for
commit aab7c770353b1dc4ba045938c8fb446dd1c4531e
Author: Billy Brumley <bbrumley@gmail.com>
Date:   Thu Apr 19 12:21:51 2018 +0300

    Elliptic curve scalar multiplication with timing attack defenses

which was not yet backported to older branches
Comment 3 Robert Frohl 2018-10-31 10:03:18 UTC
My review of the patch suggests that the following codestream is affected:
- SUSE:SLE-15:Update/openssl-1_1
Comment 7 Swamp Workflow Management 2018-11-22 20:11:50 UTC
SUSE-SU-2018:3863-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1113651,1113652
CVE References: CVE-2018-0734,CVE-2018-0735
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    openssl-1_1-1.1.0i-4.15.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    openssl-1_1-1.1.0i-4.15.1
Comment 8 Swamp Workflow Management 2018-11-24 17:11:55 UTC
openSUSE-SU-2018:3890-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1113651,1113652
CVE References: CVE-2018-0734,CVE-2018-0735
Sources used:
openSUSE Leap 15.0 (src):    openssl-1_1-1.1.0i-lp150.3.15.1
Comment 9 Swamp Workflow Management 2018-11-29 17:11:27 UTC
SUSE-SU-2018:3945-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1112209,1113651,1113652
CVE References: CVE-2018-0734,CVE-2018-0735
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    openssl-1_1-1.1.1-2.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    openssl-1_1-1.1.1-2.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    openssl-1_1-1.1.1-2.3.1
Comment 10 Swamp Workflow Management 2019-01-10 15:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (1113651) was mentioned in
https://build.opensuse.org/request/show/664392 Factory / nodejs10
Comment 12 Marcus Meissner 2019-03-30 06:46:17 UTC
released