Bug 1644364 (CVE-2018-0734)

Summary: CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: abhgupta, bkundal, bmaxwell, cdewolf, chazlett, csutherl, darran.lofthouse, dbaker, dimitris, dosoudil, erik-fedora, fgavrilo, gzaronik, hkario, jawilson, jclere, jondruse, jorton, ktietz, lersek, lgao, marcandre.lureau, mbabacek, mturk, myarboro, nobrowser, pgier, ppalaga, psakar, pslavice, rh-spice-bugs, rjones, rmullett, rnetuka, rstancel, rsvoboda, slawomir, sthangav, tmraz, trankin, twalsh, vtunka, weli
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: openssl 1.1.0j-dev, openssl 1.1.1a-dev, openssl 1.0.2q-dev
Last Closed: 2019-08-06 19:19:59 UTC
Bug Depends On: 1644655, 1644366, 1644367, 1644368, 1644370, 1644371, 1644964, 1648764, 1708675, 1802266, 1802267, 1802268
Bug Blocks: 1644372

Description Laura Pardo 2018-10-30 16:19:42 UTC
A flaw was found in OpenSSL versions from 1.1.0 through 1.1.0i inclusive, from 1.0.2 through 1.0.2p inclusive and version 1.1.1. The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. 


Reference:
https://www.openssl.org/news/secadv/20181030.txt

Upstream Patches:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7
https://github.com/openssl/openssl/commit/b96bebacfe814deb99fb64a3ed2296d95c573600

Comment 1 Laura Pardo 2018-10-30 16:22:24 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1644370]
Affects: fedora-all [bug 1644368]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1644366]

Comment 8 errata-xmlrpc 2019-08-06 12:38:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2304 https://access.redhat.com/errata/RHSA-2019:2304

Comment 9 Product Security DevOps Team 2019-08-06 19:19:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-0734

Comment 10 errata-xmlrpc 2019-11-05 22:05:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3700 https://access.redhat.com/errata/RHSA-2019:3700

Comment 11 errata-xmlrpc 2019-11-20 16:08:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935

Comment 12 errata-xmlrpc 2019-11-20 16:13:05 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933

Comment 13 errata-xmlrpc 2019-11-20 16:20:42 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932