4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
5.7 Medium
AI Score
Confidence
High
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
24.0%
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on ‘port contention.’ (CVE-2018-5407 also known as PortSmash)
Impact
The vulnerability allows an attacker who can provide and run binary code of their choosing on the F5 platform to steal secret cryptographic information.
Processes running on hyperthread-enabled cores are subject to a side-channel attack by other processes running on the same core, if their program control flow is impacted by private data. A common case for this behavior is encryption, where the secret key can influence program flow. While high-security contexts typically guard against this known behavior, a flaw in OpenSSL’s protection of elliptic curve processing is vulnerable to this class of attack. Other encryption algorithms (RSA) are not affected, so configurations that do not install EC keys are not impacted.
Note: Hyper-threading is Intel’s implementation of SMT.
4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
5.7 Medium
AI Score
Confidence
High
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
24.0%