CVE-2003-0147
First published: Tue Mar 18 2003(Updated: )
OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Stunnel Stunnel | =4.02 | |
| OpenSSL OpenSSL | =0.9.6i | |
| Stunnel Stunnel | =3.7 | |
| OpenSSL OpenSSL | =0.9.6d | |
| OpenSSL OpenSSL | =0.9.6 | |
| OpenSSL OpenSSL | =0.9.6a | |
| Stunnel Stunnel | =3.14 | |
| Stunnel Stunnel | =3.22 | |
| Stunnel Stunnel | =3.18 | |
| OpenSSL OpenSSL | =0.9.6h | |
| OpenSSL OpenSSL | =0.9.7 | |
| Stunnel Stunnel | =3.15 | |
| Stunnel Stunnel | =3.16 | |
| Stunnel Stunnel | =3.8 | |
| Stunnel Stunnel | =3.11 | |
| Stunnel Stunnel | =3.12 | |
| Stunnel Stunnel | =3.20 | |
| Openpkg Openpkg | =1.1 | |
| OpenSSL OpenSSL | =0.9.6e | |
| OpenSSL OpenSSL | =0.9.6g | |
| Stunnel Stunnel | =3.13 | |
| Stunnel Stunnel | =3.21 | |
| Stunnel Stunnel | =4.04 | |
| OpenSSL OpenSSL | =0.9.6b | |
| Stunnel Stunnel | =3.10 | |
| Stunnel Stunnel | =3.17 | |
| Stunnel Stunnel | =3.9 | |
| Openpkg Openpkg | =1.2 | |
| OpenSSL OpenSSL | =0.9.6c | |
| Stunnel Stunnel | =3.19 | |
| Stunnel Stunnel | =4.01 | |
| Openpkg Openpkg | ||
| Stunnel Stunnel | =4.03 | |
| OpenSSL OpenSSL | =0.9.7a | |
| Stunnel Stunnel | =4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0130.html
- http://www.kb.cert.org/vuls/id/997481
- http://www.openssl.org/news/secadv_20030317.txt
- http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
- http://www.debian.org/security/2003/dsa-288
- http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:035
- http://www.redhat.com/support/errata/RHSA-2003-101.html
- http://www.redhat.com/support/errata/RHSA-2003-102.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000625
- http://www.gentoo.org/security/en/glsa/glsa-200303-23.xml
- http://www.openpkg.com/security/advisories/OpenPKG-SA-2003.019.html
- http://marc.info/?l=bugtraq&m=104819602408063&w=2
- http://marc.info/?l=bugtraq&m=104792570615648&w=2
- http://marc.info/?l=bugtraq&m=104829040921835&w=2
- http://marc.info/?l=bugtraq&m=104766550528628&w=2
- http://marc.info/?l=bugtraq&m=104861762028637&w=2
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A466
- http://www.securityfocus.com/archive/1/316577/30/25310/threaded
- http://www.securityfocus.com/archive/1/316165/30/25370/threaded
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/event
- agent/description
- agent/author
- agent/weakness
- agent/references
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/stunnel
- canonical/stunnel stunnel
- version/stunnel stunnel/4.02
- vendor/openssl
- canonical/openssl openssl
- version/openssl openssl/0.9.6i
- version/stunnel stunnel/3.7
- version/openssl openssl/0.9.6d
- version/openssl openssl/0.9.6
- version/openssl openssl/0.9.6a
- version/stunnel stunnel/3.14
- version/stunnel stunnel/3.22
- version/stunnel stunnel/3.18
- version/openssl openssl/0.9.6h
- version/openssl openssl/0.9.7
- version/stunnel stunnel/3.15
- version/stunnel stunnel/3.16
- version/stunnel stunnel/3.8
- version/stunnel stunnel/3.11
- version/stunnel stunnel/3.12
- version/stunnel stunnel/3.20
- vendor/openpkg
- canonical/openpkg openpkg
- version/openpkg openpkg/1.1
- version/openssl openssl/0.9.6e
- version/openssl openssl/0.9.6g
- version/stunnel stunnel/3.13
- version/stunnel stunnel/3.21
- version/stunnel stunnel/4.04
- version/openssl openssl/0.9.6b
- version/stunnel stunnel/3.10
- version/stunnel stunnel/3.17
- version/stunnel stunnel/3.9
- version/openpkg openpkg/1.2
- version/openssl openssl/0.9.6c
- version/stunnel stunnel/3.19
- version/stunnel stunnel/4.01
- version/stunnel stunnel/4.03
- version/openssl openssl/0.9.7a
- version/stunnel stunnel/4.0