Bug 1644356 (CVE-2018-0735)

Summary: CVE-2018-0735 openssl: timing side channel attack in the ECDSA signature generation
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, ahardin, bkundal, bleanhar, bmaxwell, ccoleman, cdewolf, chazlett, csutherl, darran.lofthouse, dbaker, dedgar, dimitris, dosoudil, eparis, erik-fedora, fgavrilo, gzaronik, jawilson, jclere, jgoulding, jokerman, jondruse, jorton, ktietz, lersek, lgao, marcandre.lureau, mbabacek, mchappel, mturk, myarboro, pgier, ppalaga, pslavice, rh-spice-bugs, rjones, rnetuka, rstancel, rsvoboda, slawomir, sthangav, tmraz, trankin, twalsh, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 1.1.0j, openssl 1.1.1a Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-06 00:51:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1644357, 1644358, 1648185, 1648767    
Bug Blocks: 1644372    

Description Laura Pardo 2018-10-30 15:46:18 UTC 
A flaw was found in OpenSSL versions from 1.1.0 through 1.1.0i inclusive and version 1.1.1. The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key.


References:
https://www.openssl.org/news/secadv/20181029.txt

Upstream Patch:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
Comment 1 Laura Pardo 2018-10-30 15:46:46 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1644357]
Comment 6 errata-xmlrpc 2019-11-05 22:05:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3700 https://access.redhat.com/errata/RHSA-2019:3700
Comment 7 Product Security DevOps Team 2019-11-06 00:51:21 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-0735