Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:724968
HistoryAug 01, 2007 - 12:00 a.m.

RSA key reconstruction vulnerability

2007-08-0100:00:00
www.kb.cert.org
27

1.2 Low

CVSS2

Access Vector

LOCAL

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:H/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

14.3%

JSON

Overview

Various implementations of RSA may contain a vulnerability that could allow an attacker to retrieve encryption keys.

Description

Some implementations of RSA may contain a vulnerability that could allow a local attacker to retrieve encryption keys.

OpenSSL is a widely used open source implementation of the SSL and TLS protocols. OpenSSL is based on the SSLeay library. OpenSSL provides support for the RSA encryption algorithm. Note that vendors may include a vulnerable version of OpenSSL in web servers, VPN, or other products.

Impact

An attacker could possibly decrypt messages that were encrypted with OpenSSL using RSA algorithm.

Solution

Apply a patch
OpenSSL has released a patch to address this issue. See <http://openssl.org/news/patch-CVE-2007-3108.txt&gt; for more details. See the systems affected portion of this document for a partial list of other vendors who may be affected.

Vendor Information

724968

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

OpenSSL __ Affected

Updated: August 02, 2007

Status

Affected

Vendor Statement

The paper describes another example of a side-channel attack, not specific to OpenSSL, where an untrusted local user may be able to discover private key material that is in use on that system

(CVE-2007-3108).

The OpenSSL team have made the following patch available for OpenSSL 0.9.8 that can mitigate this issue. This patch will be part of a future release (although no new release is currently planned).

<http://openssl.org/news/patch-CVE-2007-3108.txt&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

America Online, Inc. Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apache HTTP Server Project Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apache-SSL Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Aruba Networks, Inc. Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

AttachmateWRQ, Inc. Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Certicom Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Covalent Technologies Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cryptlib __ Unknown

Notified: June 28, 2007 Updated: August 02, 2007

Status

Unknown

Vendor Statement

This Vulnerability Note addresses a covert channel issue that represents one particular instance of a large class of side-channel attacks made possible by certain architectural features of modern CPUs. While it’s possible to (probably) work around this one instance, the only fully effective solution that will work against current as well as future attacks of this kind is to not place sensitive data or data-dependent code flow in a position where side- channel attacks are possible. The cryptlib documentation contains guidance on doing this in the section “Safeguarding Cryptographic Operations”.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Crypto++ Library Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC Corporation Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F-Secure Corporation Unknown

Notified: July 31, 2007 Updated: July 31, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IAIK Java Group Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Lotus Software Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mirapoint, Inc. Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mozilla Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Netscape NSS Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenSSH Unknown

Notified: August 13, 2007 Updated: August 13, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

RSA Security, Inc. Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Secure Computing Network Security Division Unknown

Notified: August 27, 2007 Updated: August 27, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Spyrus Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Stunnel Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: August 01, 2007 Updated: August 01, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

lsh Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

mod_ssl Unknown

Notified: June 28, 2007 Updated: June 28, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 64 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base 0 AV:–/AC:–/Au:–/C:–/I:–/A:–
Temporal 0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Dr. Onur Aciicmez, Samsung Information Systems America, Samsung Electronics R&D Center, USA, and Prof. Werner Schindler, Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2007-3108
Severity Metric: 1.77 Date Public:

Related

securityvulns 3
prion 1
altlinux 3
cve 1
checkpoint_security 1
seebug 1
openvas 19
nessus 27
debiancve 1
fedora 3
f5 2
ubuntucve 1
redhat 3
oraclelinux 6
centos 4
ubuntu 1
osv 1
debian 1
gentoo 2
vmware 4
lenovo 2
securityvulns
securityvulns
rPSA-2007-0155-1 openssl openssl-scripts
2007-08-13 00:00:00
OpenSSL cryptographic vulnerability
2007-08-13 00:00:00
VMSA-2008-0001 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
2008-01-08 00:00:00
prion
prion
Design/Logic Flaw
2007-08-08 01:17:00
altlinux
altlinux
Security fix for the ALT Linux 9 package openssl10 version 0.9.8d-alt3
2007-08-07 00:00:00
Security fix for the ALT Linux 9 package openssl1.1 version 0.9.8d-alt3
2007-08-07 00:00:00
Security fix for the ALT Linux 8 package openssl10 version 0.9.8d-alt3
2007-08-07 00:00:00
cve
cve
CVE-2007-3108
2007-08-08 01:17:00
checkpoint_security
checkpoint_security
Check Point response to OpenSSL vulnerability CVE-2007-3108
2007-10-16 22:00:00
seebug
seebug
OpenSSL本地密钥信息泄露漏洞
2007-08-03 00:00:00
openvas
openvas
Fedora Update for openssl FEDORA-2007-1444
2009-02-27 00:00:00
Fedora Update for openssl FEDORA-2007-661
2009-02-27 00:00:00
Fedora Update for openssl FEDORA-2007-1444
2009-02-27 00:00:00
nessus
nessus
Fedora 7 : openssl-0.9.8b-14.fc7 (2007-1444)
2007-11-06 00:00:00
Fedora Core 6 : openssl-0.9.8b-14.fc6 (2007-661)
2007-08-21 00:00:00
F5 Networks BIG-IP : OpenSSL vulnerability (SOL8108)
2014-10-10 00:00:00
debiancve
debiancve
CVE-2007-3108
2007-08-08 01:17:00
fedora
fedora
[SECURITY] Fedora 7 Update: openssl-0.9.8b-14.fc7
2007-08-06 17:57:54
[SECURITY] Fedora Core 6 Update: openssl-0.9.8b-14.fc6
2007-08-13 21:49:38
[SECURITY] Fedora 7 Update: openssl-0.9.8b-15.fc7
2007-10-18 02:26:18
f5
f5
K8108 : OpenSSL vulnerability CVE-2007-3108
2013-03-18 00:00:00
SOL8108 - OpenSSL vulnerability CVE-2007-3108
2007-11-18 00:00:00
ubuntucve
ubuntucve
CVE-2007-3108
2007-08-07 00:00:00
redhat
redhat
(RHSA-2007:0813) Moderate: openssl security update
2007-10-22 00:00:00
(RHSA-2007:1003) Moderate: openssl security and bug fix update
2007-11-15 00:00:00
(RHSA-2007:0964) Important: openssl security update
2007-10-12 00:00:00
oraclelinux
oraclelinux
openssl security and bug fix update
2007-11-27 00:00:00
Moderate: openssl security update
2007-10-22 00:00:00
Important: openssl security update
2007-10-12 00:00:00
centos
centos
openssl security update
2007-10-23 23:23:09
openssl security update
2007-11-15 15:53:13
openssl security update
2007-10-22 12:29:21
ubuntu
ubuntu
openssl vulnerabilities
2007-09-28 00:00:00
osv
osv
openssl - predictable random number generator
2008-05-13 00:00:00
debian
debian
[SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
2008-05-13 12:06:39
gentoo
gentoo
OpenSSL: Multiple vulnerabilities
2007-10-07 00:00:00
AMD64 x86 emulation base libraries: Multiple vulnerabilities
2014-12-12 00:00:00
vmware
vmware
Updated ESX packages for OpenSSL, net-snmp, perl
2008-08-12 00:00:00
Updated ESX packages for OpenSSL, net-snmp, perl
2008-08-12 00:00:00
Updated service console patches.
2008-01-07 00:00:00
lenovo
lenovo
Intel® PROSet/Wireless WiFi Software Vulnerabilities - Lenovo Support US
2018-11-13 17:10:51
Intel® PROSet/Wireless WiFi Software Vulnerabilities - US
2018-11-13 17:10:51

1.2 Low

CVSS2

Access Vector

LOCAL

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:H/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

14.3%

JSON
Related for VU:724968
securityvulns3prion1altlinux3cve1checkpoint_security1seebug1openvas19nessus27debiancve1fedora3f52ubuntucve1redhat3oraclelinux6centos4ubuntu1osv1debian1gentoo2vmware4lenovo2