CVE-2018-0734 : The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

Published 2018-10-30 12:29:00

Updated 2022-08-29 20:41:32

Source OpenSSL Software Foundation

View at NVD, CVE.org

Products affected by CVE-2018-0734

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.55
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.56
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.57
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
Matching versions
Oracle » Api Gateway » Version: 11.1.2.4.0
cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Tuxedo » Version: 12.1.1.0.0
cpe:2.3:a:oracle:tuxedo:12.1.1.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Ops Center » Version: 12.3.3
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Base Platform » Version: 13.2.0.0.0
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Base Platform » Version: 13.3.0.0.0
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Base Platform » Version: 12.1.0.5.0
cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » E-business Suite Technology Stack » Version: 1.0.1
cpe:2.3:a:oracle:e-business_suite_technology_stack:1.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » E-business Suite Technology Stack » Version: 1.0.0
cpe:2.3:a:oracle:e-business_suite_technology_stack:1.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » E-business Suite Technology Stack » Version: 0.9.8
cpe:2.3:a:oracle:e-business_suite_technology_stack:0.9.8:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Professional Project Management
Versions from including (>=) 17.7 and up to, including, (<=) 17.12
cpe:2.3:a:oracle:primavera_p6_professional_project_management:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Professional Project Management » Version: 16.2
cpe:2.3:a:oracle:primavera_p6_professional_project_management:16.2:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Professional Project Management » Version: 8.4
cpe:2.3:a:oracle:primavera_p6_professional_project_management:8.4:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Professional Project Management » Version: 15.1
cpe:2.3:a:oracle:primavera_p6_professional_project_management:15.1:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Professional Project Management » Version: 18.8
cpe:2.3:a:oracle:primavera_p6_professional_project_management:18.8:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Professional Project Management » Version: 15.2
cpe:2.3:a:oracle:primavera_p6_professional_project_management:15.2:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Professional Project Management » Version: 16.1
cpe:2.3:a:oracle:primavera_p6_professional_project_management:16.1:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql Enterprise Backup
Versions from including (>=) 3.0 and up to, including, (<=) 3.12.3
cpe:2.3:a:oracle:mysql_enterprise_backup:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql Enterprise Backup
Versions from including (>=) 4.0 and up to, including, (<=) 4.1.2
cpe:2.3:a:oracle:mysql_enterprise_backup:*:*:*:*:*:*:*:*
Matching versions
Openssl » Openssl
Versions from including (>=) 1.1.0 and up to, including, (<=) 1.1.0i
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
Matching versions
Openssl » Openssl
Versions from including (>=) 1.0.2 and up to, including, (<=) 1.0.2p
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
Matching versions
Openssl » Openssl » Version: 1.1.1
cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.10
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Unified Manager
cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:*:*:*
Matching versions
Netapp » Storage Automation Store » Version: N/A
cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snapcenter » Version: N/A
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
Matching versions
Netapp » Santricity Smi-s Provider » Version: N/A
cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*
Matching versions
Netapp » Cn1610 Firmware » Version: N/A
cpe:2.3:o:netapp:cn1610_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » Cn1610 » Version: N/A
Netapp » Steelstore » Version: N/A
cpe:2.3:a:netapp:steelstore:-:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 8.9.0 and before (<) 8.14.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.8.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 6.0.0 and up to, including, (<=) 6.8.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 11.0.0 and before (<) 11.3.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 6.9.0 and before (<) 6.15.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 10.0.0 and up to, including, (<=) 10.12.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js » Version: 10.13.0 LTS Edition
cpe:2.3:a:nodejs:node.js:10.13.0:*:*:*:lts:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-0734

EPSS FAQ

6.21%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 90 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-0734

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2018-0734

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-0734

https://security.netapp.com/advisory/ntap-20190118-0002/

January 2019 MySQL Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/

[SECURITY] Fedora 30 Update: compat-openssl10-1.0.2o-7.fc30 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujan2020.html

Oracle Critical Patch Update Advisory - January 2020
Third Party Advisory

CVEs referencing this url
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7

git.openssl.org Git - openssl.git/commitdiff
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/

[SECURITY] Fedora 31 Update: compat-openssl10-1.0.2o-8.fc31 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2020.html

Oracle Critical Patch Update Advisory - April 2020
Third Party Advisory

CVEs referencing this url
https://www.tenable.com/security/tns-2018-17

[R1] Nessus 7.1.4 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable®
Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/3840-1/

USN-3840-1: OpenSSL vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://www.tenable.com/security/tns-2018-16

[R1] Nessus 8.1.1 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable®
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Oracle Critical Patch Update - July 2019
Patch;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/

[SECURITY] Fedora 29 Update: compat-openssl10-1.0.2o-7.fc29 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://www.openssl.org/news/secadv/20181030.txt

Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:3700

RHSA-2019:3700 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20190423-0002/

April 2019 MySQL Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html

[security-announce] openSUSE-SU-2019:1547-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

November 2018 Security Releases | Node.js
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Oracle Critical Patch Update - April 2019
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20181105-0002/

October 2018 OpenSSL Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3935

RHSA-2019:3935 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Oracle Critical Patch Update - January 2019
Patch;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html

[security-announce] openSUSE-SU-2019:1814-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3932

RHSA-2019:3932 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac

git.openssl.org Git - openssl.git/commitdiff
Patch;Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3933

RHSA-2019:3933 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2304

RHSA-2019:2304 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f

git.openssl.org Git - openssl.git/commitdiff
Patch;Third Party Advisory
https://www.debian.org/security/2018/dsa-4348

Debian -- Security Information -- DSA-4348-1 openssl
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/105758

OpenSSL CVE-2018-0734 Side Channel Attack Information Disclosure Vulnerability
Third Party Advisory;VDB Entry
https://www.debian.org/security/2018/dsa-4355

Debian -- Security Information -- DSA-4355-1 openssl1.0
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2018-0734

Products affected by CVE-2018-0734

Exploit prediction scoring system (EPSS) score for CVE-2018-0734

CVSS scores for CVE-2018-0734

CWE ids for CVE-2018-0734

References for CVE-2018-0734