1611638 – (CVE-2018-0497, CVE-2018-0498) CVE-2018-0498 CVE-2018-0497 mbedtls: Two critical flaws fixed in latest release

Bug 1611638 (CVE-2018-0497, CVE-2018-0498) - CVE-2018-0498 CVE-2018-0497 mbedtls: Two critical flaws fixed in latest release

Summary: CVE-2018-0498 CVE-2018-0497 mbedtls: Two critical flaws fixed in latest release

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-0497, CVE-2018-0498
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-08-02 14:13 UTC by Pedro Sampaio
Modified:	2021-10-25 09:49 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-25 09:49:14 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2018-08-02 14:13:19 UTC

CVE-2018-0497

ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote
attackers to achieve partial plaintext recovery (for a CBC based ciphersuite)
via a timing-based side-channel attack. This vulnerability exists because of an
incorrect fix (with a wrong SHA-384 calculation) for CVE-2013-0169.

CVE-2018-0498

ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows local users
to achieve partial plaintext recovery (for a CBC based ciphersuite) via a
cache-based side-channel attack.

References:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02

Note You need to log in before you can comment on or make changes to this bug.