CVE-2016-2178
MEDIUM severity · CVSS 5.5 · CWE-203
5.5CVSS MEDIUM
Summary
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
Impact & exploitability
Attack vectorLocal
Attack complexityLow
Privileges requiredLow
User interactionNone
Confidentiality impactHigh
Integrity impactNone
Availability impactNone
Exploit probability (EPSS)0%
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://eprint.iacr.org/2016/594.pdfAdvisory
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759Advisory
- http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00023.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00024.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00031.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00005.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00011.htmlAdvisory