CVE-2018-5407

Source
Severity Low
Remote No
Type Private key recovery
Description
A vulnerability has been found in the ECC scalar multiplication implementation of OpenSSL < 1.1.0i and <= 1.0.2p. The implementation, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key.
Group    Package            Affected   Fixed      Severity  Status  Ticket
AVG-807  openssl-1.0        1.0.2.p-1  1.0.2.q-1  Low       Fixed
AVG-806  lib32-openssl-1.0  1.0.2.p-1  1.0.2.q-1  Low       Fixed
Date         Advisory      Group    Package            Severity  Description
08 Dec 2018  ASA-201812-8  AVG-807  openssl-1.0        Low       private key recovery
08 Dec 2018  ASA-201812-7  AVG-806  lib32-openssl-1.0  Low       private key recovery
References
https://www.openssl.org/news/secadv/20181112.txt
https://github.com/openssl/openssl/commit/b18162a7c9bbfb57112459a4d6631fa258fd8c0c