First published: Wed Jun 13 2018
An implementation flaw was discovered in multiple cryptographic libraries that allows a side-channel attacker to recover ECDSA or DSA private keys. When these cryptographic libraries use the private key to create a signature, such as for a TLS or SSH connection, they inadvertently leak information through memory caches. An unprivileged attacker running on the same machine can collect the information from a few thousand signatures and recover the value of the private key.
External References: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Credit: security@debian.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jbcs-httpd24-httpd | <0:2.4.29-40.jbcs.el6 | 0:2.4.29-40.jbcs.el6 |
redhat/jbcs-httpd24-openssl | <1:1.0.2n-15.jbcs.el6 | 1:1.0.2n-15.jbcs.el6 |
redhat/jbcs-httpd24-httpd | <0:2.4.29-40.jbcs.el7 | 0:2.4.29-40.jbcs.el7 |
redhat/jbcs-httpd24-openssl | <1:1.0.2n-15.jbcs.el7 | 1:1.0.2n-15.jbcs.el7 |
redhat/openssl | <1:1.0.2k-16.el7 | 1:1.0.2k-16.el7 |
redhat/nspr | <0:4.21.0-1.el7 | 0:4.21.0-1.el7 |
redhat/nss | <0:3.44.0-4.el7 | 0:3.44.0-4.el7 |
redhat/nss-softokn | <0:3.44.0-5.el7 | 0:3.44.0-5.el7 |
redhat/nss-util | <0:3.44.0-3.el7 | 0:3.44.0-3.el7 |
redhat/nss-softokn | <0:3.28.3-9.el7_4 | 0:3.28.3-9.el7_4 |
redhat/nss-softokn | <0:3.36.0-6.el7_5 | 0:3.36.0-6.el7_5 |
redhat/nss-softokn | <0:3.36.0-6.el7_6 | 0:3.36.0-6.el7_6 |
GnuPG Libgcrypt | <1.7.10 | |
GnuPG Libgcrypt | >=1.8.0<1.8.3 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =17.10 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Redhat Ansible Tower | =3.3 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Workstation | =7.0 | |
Oracle Traffic Director | =11.1.1.9.0 | |
debian/libgcrypt20 | 1.8.7-6 1.10.1-3 1.11.0-6 1.11.0-7 |