First published: Fri May 25 2018(Updated: )
A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
GNU GnuTLS | <3.6.12 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Workstation | =7.0 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Canonical Ubuntu Linux | =19.04 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
Debian Debian Linux | =8.0 | |
debian/gnutls28 | 3.7.1-5+deb11u5 3.7.1-5+deb11u6 3.7.9-2+deb12u3 3.8.8-2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2018-10846 is a cache-based side channel vulnerability in the GnuTLS implementation that allows an attacker to recover plain text in a cross-VM attack setting.
The severity of CVE-2018-10846 is medium, with a CVSS score of 5.6.
The affected software includes GnuTLS version up to and excluding 3.5.18-1ubuntu1.1, 3.5.19 and 3.6.3 (Ubuntu), 3.4.10-4ubuntu1.5 (Xenial), 3.6.7-4+deb10u8, 3.6.7-4+deb10u10, 3.7.1-5+deb11u3, 3.7.9-2, 3.8.1-4 (Debian), as well as other specific versions and distributions.
To fix CVE-2018-10846, you should update GnuTLS to version 3.5.18-1ubuntu1.1 (Ubuntu), 3.5.19 or 3.6.3 (Ubuntu), 3.4.10-4ubuntu1.5 (Xenial), or other specific fixed versions for different distributions.
You can find more information about CVE-2018-10846 on the SecurityFocus and Red Hat websites.