Bug 1618861 (CVE-2018-15836)
Summary: | CVE-2018-15836 openswan: Improper signature verification in try_RSA_signature_v2() function for RSASSA-PKCS1-v1_5 signature scheme | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | pwouters |
Target Milestone: | --- | Keywords: | Security |
Hardware: | All | ||
OS: | Linux | ||
Last Closed: | 2018-08-20 03:04:45 UTC | Type: | --- |
Bug Blocks: | 1618862 |
Description
Pedro Sampaio
2018-08-17 20:05:38 UTC
Note: this flaw only affects openswan versions compiled without NSS. When NSS is used as the cryptographic library, the RSA routines from NSS are used instead of the custom openswan RSA code that contains the vulnerability. RHEL has only ever shipped with NSS-enabled openswan versions, so no Red Hat products are vulnerable to this bug.

Statement: This flaw only affects openswan versions compiled without NSS. When NSS is used as the cryptographic library, the RSA routines from NSS are used instead of the custom openswan RSA code that contains the vulnerability. Red Hat Enterprise Linux has only ever shipped with NSS-enabled openswan versions, so no Red Hat products are vulnerable to this bug.