CVE-2018-16868
First published: Mon Dec 03 2018(Updated: )
A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gnu Gnutls | <=3.6.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2018-16868.
What is the severity of CVE-2018-16868?
The severity of CVE-2018-16868 is medium with a CVSS score of 5.6.
Which software is affected by CVE-2018-16868?
The software affected by CVE-2018-16868 is Gnu Gnutls version up to and including 3.6.4.
What is the CWE ID for CVE-2018-16868?
The CWE ID for CVE-2018-16868 is CWE-203.
How can this vulnerability be exploited?
An attacker who is able to run a process on the same physical core as the victim process can exploit this vulnerability using a side-channel based padding oracle attack to extract plaintext or downgrade an encryption connection.
- collector/nvd-index
- vendor/gnu
- canonical/gnu gnutls
- version/gnu gnutls/3.6.4