CVE-2013-4242

Impact:
Moderate
Public Date:
2013-07-22
Bugzilla:
988589: CVE-2013-4242 GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack

The MITRE CVE dictionary describes this issue as:

GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.

Find out more about CVE-2013-4242 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue affects the version of gnupg as shipped with Red Hat Enterprise Linux 5. This issue affects the version of libgcrypt as shipped with Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update may address this flaw. More technical details on this flaw are available at https://bugzilla.redhat.com/show_bug.cgi?id=988589#c12

CVSS v2 metrics

Base Score: 1.9
Base Metrics: AV:L/AC:M/Au:N/C:P/I:N/A:N
Access Vector: Local
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 5 (libgcrypt) | RHSA-2013:1457 | 2013-10-24 |
| Red Hat Enterprise Linux 6 (libgcrypt) | RHSA-2013:1457 | 2013-10-24 |
| Red Hat Enterprise Linux 5 (gnupg) | RHSA-2013:1458 | 2013-10-24 |

Affected Packages State

| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | libgcrypt | Not affected |

Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

CVE description copyright © 2017, The MITRE Corporation