CVE-2018-0733

Impact:
Moderate
Public Date:
2018-03-27
CWE:
CWE-325
Bugzilla:
1561260: CVE-2018-0733 openssl: Implementation bug in PA-RISC CRYPTO_memcmp function allows attackers to forge authenticated messages in a reduced number of attempts

The MITRE CVE dictionary describes this issue as:

Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).

Find out more about CVE-2018-0733 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This flaw only affects the openssl code which is compiled by the HP-UX assembler, so that only HP-UX PA-RISC arches are affected. Red Hat Enterprise Linux does not support this architecture, and therefore is not affected.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 4.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact Low
Availability Impact None

Affected Packages State

Platform Package State
Red Hat JBoss Web Server 3 openssl Not affected
Red Hat JBoss EWS 2 openssl Not affected
Red Hat JBoss EAP 6 openssl Not affected
Red Hat JBoss EAP 5 openssl Not affected
Red Hat JBoss Core Services 1 openssl Not affected
Red Hat Enterprise Linux 7 openssl098e Not affected
Red Hat Enterprise Linux 7 openssl Not affected
Red Hat Enterprise Linux 7 OVMF Not affected
Red Hat Enterprise Linux 6 openssl Not affected
Red Hat Enterprise Linux 6 openssl098e Not affected
Red Hat Enterprise Linux 5 openssl Not affected
Red Hat Enterprise Linux 5 openssl097a Not affected

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.