Lucene search

K
gentooGentoo FoundationGLSA-201706-21
HistoryJun 22, 2017 - 12:00 a.m.

nettle: Information disclosure

2017-06-2200:00:00
Gentoo Foundation
security.gentoo.org
11

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

71.9%

Background

Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space.

Description

It was found that nettle’s RSA and DSA decryption code was vulnerable to cache-related side channel attacks.

See the referenced technical paper β€œCache Attacks Enable Bulk Key Recovery on the Cloud” below for details.

Impact

An attacker could recover the private key from a co-located virtual-machine instance.

Workaround

There is no known workaround at this time.

Resolution

All nettle users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/nettle-3.2-r1"
OSVersionArchitecturePackageVersionFilename
Gentooanyalldev-libs/nettle<Β 3.2-r1UNKNOWN

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

71.9%