Bug 1611638 (CVE-2018-0497, CVE-2018-0498) - CVE-2018-0498 CVE-2018-0497 mbedtls: Two critical flaws fixed in latest release
Summary: CVE-2018-0498 CVE-2018-0497 mbedtls: Two critical flaws fixed in latest release
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-0497, CVE-2018-0498
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-08-02 14:13 UTC by Pedro Sampaio
Modified: 2021-10-25 09:49 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-25 09:49:14 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2018-08-02 14:13:19 UTC
CVE-2018-0497

ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote
attackers to achieve partial plaintext recovery (for a CBC based ciphersuite)
via a timing-based side-channel attack. This vulnerability exists because of an
incorrect fix (with a wrong SHA-384 calculation) for CVE-2013-0169.

CVE-2018-0498

ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows local users
to achieve partial plaintext recovery (for a CBC based ciphersuite) via a
cache-based side-channel attack.

References:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02


Note You need to log in before you can comment on or make changes to this bug.