Описание
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | openssl | Will not fix | ||
| Red Hat Enterprise Linux 5 | openssl097a | Will not fix | ||
| Red Hat Enterprise Linux 6 | openssl098e | Will not fix | ||
| Red Hat Enterprise Linux 7 | openssl098e | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 1 | openssl | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 2 | openssl | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 3 | openssl | Fix deferred | ||
| JBoss Core Services on RHEL 6 | jbcs-httpd24-httpd | Fixed | RHSA-2017:0193 | 25.01.2017 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-mod_auth_kerb | Fixed | RHSA-2017:0193 | 25.01.2017 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-mod_bmx | Fixed | RHSA-2017:0193 | 25.01.2017 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.1 Medium
CVSS3
1.9 Low
CVSS2
Связанные уязвимости
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL throug ...
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
Уязвимость функции dsa_sign_setup библиотеки OpenSSL , связанная с раскрытием защищаемой информации, позволяющая нарушителю обойти криптографические механизмы защиты шифрования
EPSS
5.1 Medium
CVSS3
1.9 Low
CVSS2