Lucene search

Veracode Vulnerability DatabaseVERACODE:7664

HistoryNov 01, 2018 - 3:10 a.m.

Side-Channel Attack

2018-11-0103:10:27

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

JSON

libgnutls.so is vulnerable to plain text recovery via cache-based side channel. An attacker is able to use a combination of Just in Time Prime+probe and Lucky-13 attacks to recover plain text using crafted packets in a cross-VM setting.

CPENameOperatorVersion
libgnutls.sole28.43.3
gnutlseq3.3.26__9.el7
libgnutls.sole28.43.3
gnutlseq3.3.26__9.el7

Name	Operator	Version
libgnutls.so	le	28.43.3
gnutls	eq	3.3.26__9.el7
libgnutls.so	le	28.43.3
gnutls	eq	3.3.26__9.el7

References

www.securityfocus.com/bid/105138

access.redhat.com/errata/RHSA-2018:3050

access.redhat.com/errata/RHSA-2018:3505

access.redhat.com/security/cve/CVE-2018-10846

bugzilla.redhat.com/show_bug.cgi?id=1582574

bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10846

eprint.iacr.org/2018/747

github.com/gnutls/gnutls/commit/ce671a6db9e47006cff152d485091141b1569f39

gitlab.com/gnutls/gnutls/merge_requests/657

lists.debian.org/debian-lts-announce/2018/10/msg00022.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/

lists.fedoraproject.org/archives/list/[email protected]/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/

lists.fedoraproject.org/archives/list/[email protected]/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/

usn.ubuntu.com/3999-1/

5.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

JSON

Related for VERACODE:7664