CVE-2007-3108 - Vulnerability Details

The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:H/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openssl	Openssl
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 2.1
openssl-0:0.9.6b-48	cpe:/o:redhat:enterprise_linux:2.1	RHSA-2007:0813	2007-10-22T00:00:00Z
Red Hat Enterprise Linux 3
openssl-0:0.9.7a-33.24	cpe:/o:redhat:enterprise_linux:3	RHSA-2007:0813	2007-10-22T00:00:00Z
Red Hat Enterprise Linux 4
openssl-0:0.9.7a-43.17.el4_6.1	cpe:/o:redhat:enterprise_linux:4	RHSA-2007:1003	2007-11-15T00:00:00Z
Red Hat Enterprise Linux 5
openssl-0:0.9.8b-8.3.el5_0.2	cpe:/o:redhat:enterprise_linux:5	RHSA-2007:0964	2007-10-12T00:00:00Z

References

Link	Providers
http://cvs.openssl.org/chngview?cn=16275
http://lists.vmware.com/pipermail/security-announce/2008/000002.html
http://openssl.org/news/patch-CVE-2007-3108.txt
http://secunia.com/advisories/26411
http://secunia.com/advisories/26893
http://secunia.com/advisories/27021
http://secunia.com/advisories/27078
http://secunia.com/advisories/27097
http://secunia.com/advisories/27205
http://secunia.com/advisories/27330
http://secunia.com/advisories/27770
http://secunia.com/advisories/27870
http://secunia.com/advisories/28368
http://secunia.com/advisories/30161
http://secunia.com/advisories/30220
http://secunia.com/advisories/31467
http://secunia.com/advisories/31489
http://secunia.com/advisories/31531
http://security.gentoo.org/glsa/glsa-200710-06.xml
http://support.attachmate.com/techdocs/2374.html
http://support.avaya.com/elmodocs2/security/ASA-2007-485.htm
http://www.bluecoat.com/support/securityadvisories/advisory_openssl_rsa_key_reconstruction_vulnerability
http://www.debian.org/security/2008/dsa-1571
http://www.gentoo.org/security/en/glsa/glsa-200805-07.xml
http://www.kb.cert.org/vuls/id/724968
http://www.kb.cert.org/vuls/id/RGII-74KLP3
http://www.mandriva.com/security/advisories?name=MDKSA-2007:193
http://www.redhat.com/support/errata/RHSA-2007-0813.html
http://www.redhat.com/support/errata/RHSA-2007-0964.html
http://www.redhat.com/support/errata/RHSA-2007-1003.html
http://www.securityfocus.com/archive/1/476341/100/0/threaded
http://www.securityfocus.com/archive/1/485936/100/0/threaded
http://www.securityfocus.com/archive/1/486859/100/0/threaded
http://www.securityfocus.com/bid/25163
http://www.vmware.com/security/advisories/VMSA-2008-0001.html
http://www.vmware.com/security/advisories/VMSA-2008-0013.html
http://www.vupen.com/english/advisories/2007/2759
http://www.vupen.com/english/advisories/2007/4010
http://www.vupen.com/english/advisories/2008/0064
http://www.vupen.com/english/advisories/2008/2361
http://www.vupen.com/english/advisories/2008/2362
http://www.vupen.com/english/advisories/2008/2396
https://issues.rpath.com/browse/RPL-1613
https://issues.rpath.com/browse/RPL-1633
https://nvd.nist.gov/vuln/detail/CVE-2007-3108
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9984
https://usn.ubuntu.com/522-1/
https://www.cve.org/CVERecord?id=CVE-2007-3108

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2007-08-08T01:11:00

Updated: 2024-08-07T14:05:28.268Z

Reserved: 2007-06-07T00:00:00

Link: CVE-2007-3108

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2007-08-08T01:17:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-3108

Redhat

Severity : Moderate

Publid Date: 2007-08-01T00:00:00Z

Links: CVE-2007-3108 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-08-01T00:00:00", "descriptions": [{"lang": "en", "value": "The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-16T14:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://support.attachmate.com/techdocs/2374.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.kb.cert.org/vuls/id/RGII-74KLP3"}, {"name": "VU#724968", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/724968"}, {"name": "26893", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26893"}, {"name": "DSA-1571", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2008/dsa-1571"}, {"name": "27205", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27205"}, {"name": "20070813 FLEA-2007-0043-1 openssl", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/476341/100/0/threaded"}, {"name": "27097", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27097"}, {"name": "ADV-2008-2362", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2362"}, {"name": "ADV-2007-2759", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/2759"}, {"name": "oval:org.mitre.oval:def:9984", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9984"}, {"name": "31489", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31489"}, {"name": "RHSA-2007:1003", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2007-1003.html"}, {"name": "31531", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31531"}, {"name": "MDKSA-2007:193", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:193"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.bluecoat.com/support/securityadvisories/advisory_openssl_rsa_key_reconstruction_vulnerability"}, {"name": "30220", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30220"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.rpath.com/browse/RPL-1633"}, {"name": "ADV-2007-4010", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/4010"}, {"name": "20080108 VMSA-2008-0001 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/485936/100/0/threaded"}, {"name": "27770", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27770"}, {"name": "[Security-announce] 20080107 VMSA-2008-0001 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.vmware.com/pipermail/security-announce/2008/000002.html"}, {"name": "26411", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26411"}, {"name": "USN-522-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/522-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://openssl.org/news/patch-CVE-2007-3108.txt"}, {"name": "ADV-2008-2361", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2361"}, {"name": "31467", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31467"}, {"name": "RHSA-2007:0964", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2007-0964.html"}, {"name": "27870", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27870"}, {"name": "ADV-2008-2396", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2396"}, {"name": "27330", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27330"}, {"name": "30161", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30161"}, {"name": "GLSA-200805-07", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://www.gentoo.org/security/en/glsa/glsa-200805-07.xml"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.vmware.com/security/advisories/VMSA-2008-0013.html"}, {"name": "28368", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/28368"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.avaya.com/elmodocs2/security/ASA-2007-485.htm"}, {"name": "27078", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27078"}, {"name": "GLSA-200710-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200710-06.xml"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://cvs.openssl.org/chngview?cn=16275"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.rpath.com/browse/RPL-1613"}, {"name": "RHSA-2007:0813", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2007-0813.html"}, {"name": "25163", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/25163"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.vmware.com/security/advisories/VMSA-2008-0001.html"}, {"name": "ADV-2008-0064", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/0064"}, {"name": "27021", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27021"}, {"name": "20080123 UPDATED VMSA-2008-0001.1 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/486859/100/0/threaded"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T14:05:28.268Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://support.attachmate.com/techdocs/2374.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/RGII-74KLP3"}, {"name": "VU#724968", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/724968"}, {"name": "26893", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/26893"}, {"name": "DSA-1571", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2008/dsa-1571"}, {"name": "27205", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/27205"}, {"name": "20070813 FLEA-2007-0043-1 openssl", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/476341/100/0/threaded"}, {"name": "27097", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/27097"}, {"name": "ADV-2008-2362", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/2362"}, {"name": "ADV-2007-2759", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/2759"}, {"name": "oval:org.mitre.oval:def:9984", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9984"}, {"name": "31489", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31489"}, {"name": "RHSA-2007:1003", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://www.redhat.com/support/errata/RHSA-2007-1003.html"}, {"name": "31531", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31531"}, {"name": "MDKSA-2007:193", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:193"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.bluecoat.com/support/securityadvisories/advisory_openssl_rsa_key_reconstruction_vulnerability"}, {"name": "30220", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30220"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.rpath.com/browse/RPL-1633"}, {"name": "ADV-2007-4010", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/4010"}, {"name": "20080108 VMSA-2008-0001 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/485936/100/0/threaded"}, {"name": "27770", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/27770"}, {"name": "[Security-announce] 20080107 VMSA-2008-0001 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.vmware.com/pipermail/security-announce/2008/000002.html"}, {"name": "26411", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/26411"}, {"name": "USN-522-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/522-1/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://openssl.org/news/patch-CVE-2007-3108.txt"}, {"name": "ADV-2008-2361", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/2361"}, {"name": "31467", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31467"}, {"name": "RHSA-2007:0964", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://www.redhat.com/support/errata/RHSA-2007-0964.html"}, {"name": "27870", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/27870"}, {"name": "ADV-2008-2396", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/2396"}, {"name": "27330", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/27330"}, {"name": "30161", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30161"}, {"name": "GLSA-200805-07", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://www.gentoo.org/security/en/glsa/glsa-200805-07.xml"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.vmware.com/security/advisories/VMSA-2008-0013.html"}, {"name": "28368", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/28368"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://support.avaya.com/elmodocs2/security/ASA-2007-485.htm"}, {"name": "27078", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/27078"}, {"name": "GLSA-200710-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-200710-06.xml"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://cvs.openssl.org/chngview?cn=16275"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.rpath.com/browse/RPL-1613"}, {"name": "RHSA-2007:0813", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://www.redhat.com/support/errata/RHSA-2007-0813.html"}, {"name": "25163", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/25163"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.vmware.com/security/advisories/VMSA-2008-0001.html"}, {"name": "ADV-2008-0064", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/0064"}, {"name": "27021", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/27021"}, {"name": "20080123 UPDATED VMSA-2008-0001.1 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/486859/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2007-3108", "datePublished": "2007-08-08T01:11:00", "dateReserved": "2007-06-07T00:00:00", "dateUpdated": "2024-08-07T14:05:28.268Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "636B0CAF-5A47-4CC7-9DAF-52090894B647", "versionEndIncluding": "0.9.8e", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys."}, {"lang": "es", "value": "La funci\u00f3n BN_from_montgomery en el crypto/bn/bn_mont.c del OpenSSL 0.9.8e y anteriores, no interpreta adecuadamente la multiplicaci\u00f3n Montgomery, lo que permite a usuarios locales llevar a cabo ataques por canal colateral (side-channel) y recuperar claves privadas RSA."}], "id": "CVE-2007-3108", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.2, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 1.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-08-08T01:17:00.000", "references": [{"source": "secalert@redhat.com", "url": "http://cvs.openssl.org/chngview?cn=16275"}, {"source": "secalert@redhat.com", "url": "http://lists.vmware.com/pipermail/security-announce/2008/000002.html"}, {"source": "secalert@redhat.com", "url": "http://openssl.org/news/patch-CVE-2007-3108.txt"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/26411"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/26893"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/27021"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/27078"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/27097"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/27205"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/27330"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/27770"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/27870"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/28368"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/30161"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/30220"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/31467"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/31489"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/31531"}, {"source": "secalert@redhat.com", "url": "http://security.gentoo.org/glsa/glsa-200710-06.xml"}, {"source": "secalert@redhat.com", "url": "http://support.attachmate.com/techdocs/2374.html"}, {"source": "secalert@redhat.com", "url": "http://support.avaya.com/elmodocs2/security/ASA-2007-485.htm"}, {"source": "secalert@redhat.com", "url": "http://www.bluecoat.com/support/securityadvisories/advisory_openssl_rsa_key_reconstruction_vulnerability"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2008/dsa-1571"}, {"source": "secalert@redhat.com", "url": "http://www.gentoo.org/security/en/glsa/glsa-200805-07.xml"}, {"source": "secalert@redhat.com", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/724968"}, {"source": "secalert@redhat.com", "url": "http://www.kb.cert.org/vuls/id/RGII-74KLP3"}, {"source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:193"}, {"source": "secalert@redhat.com", "url": "http://www.redhat.com/support/errata/RHSA-2007-0813.html"}, {"source": "secalert@redhat.com", "url": "http://www.redhat.com/support/errata/RHSA-2007-0964.html"}, {"source": "secalert@redhat.com", "url": "http://www.redhat.com/support/errata/RHSA-2007-1003.html"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/476341/100/0/threaded"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/485936/100/0/threaded"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/486859/100/0/threaded"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/25163"}, {"source": "secalert@redhat.com", "url": "http://www.vmware.com/security/advisories/VMSA-2008-0001.html"}, {"source": "secalert@redhat.com", "url": "http://www.vmware.com/security/advisories/VMSA-2008-0013.html"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2007/2759"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2007/4010"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2008/0064"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2008/2361"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2008/2362"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2008/2396"}, {"source": "secalert@redhat.com", "url": "https://issues.rpath.com/browse/RPL-1613"}, {"source": "secalert@redhat.com", "url": "https://issues.rpath.com/browse/RPL-1633"}, {"source": "secalert@redhat.com", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9984"}, {"source": "secalert@redhat.com", "url": "https://usn.ubuntu.com/522-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://cvs.openssl.org/chngview?cn=16275"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.vmware.com/pipermail/security-announce/2008/000002.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openssl.org/news/patch-CVE-2007-3108.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26411"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26893"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/27021"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/27078"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/27097"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/27205"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/27330"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/27770"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/27870"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/28368"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/30161"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/30220"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/31467"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/31489"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/31531"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200710-06.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://support.attachmate.com/techdocs/2374.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://support.avaya.com/elmodocs2/security/ASA-2007-485.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.bluecoat.com/support/securityadvisories/advisory_openssl_rsa_key_reconstruction_vulnerability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1571"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.gentoo.org/security/en/glsa/glsa-200805-07.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/724968"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.kb.cert.org/vuls/id/RGII-74KLP3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:193"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2007-0813.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2007-0964.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2007-1003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/476341/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/485936/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/486859/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/25163"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vmware.com/security/advisories/VMSA-2008-0001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vmware.com/security/advisories/VMSA-2008-0013.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/2759"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/4010"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/0064"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/2361"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/2362"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/2396"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-1613"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-1633"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9984"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/522-1/"}], "sourceIdentifier": "secalert@redhat.com", "vendorComments": [{"comment": "This paper describes a possible side-channel attack that hasn\u2019t been proven outside of a lab environment. In reality many factors would make this harder to exploit. If exploited, a local user could obtain RSA private keys (for example for web sites being run on the server). We have rated this as affecting Red Hat products with moderate security severity. Although the OpenSSL team have produced a patch for this issue, it is non-trivial and will require more testing before we can deploy it in a future update. Our current plan is as follows:\n\n- To include a backported fix in an OpenSSL update as part of Enterprise Linux 4.6. This will get testing via beta and give time for more extensive internal and upstream testing\n- To release an update for OpenSSL for other platforms at the same time as 4.6 is released\n http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3108\n", "lastModified": "2007-08-14T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2007:0813", "cpe": "cpe:/o:redhat:enterprise_linux:2.1", "package": "openssl-0:0.9.6b-48", "product_name": "Red Hat Enterprise Linux 2.1", "release_date": "2007-10-22T00:00:00Z"}, {"advisory": "RHSA-2007:0813", "cpe": "cpe:/o:redhat:enterprise_linux:3", "package": "openssl-0:0.9.7a-33.24", "product_name": "Red Hat Enterprise Linux 3", "release_date": "2007-10-22T00:00:00Z"}, {"advisory": "RHSA-2007:1003", "cpe": "cpe:/o:redhat:enterprise_linux:4", "package": "openssl-0:0.9.7a-43.17.el4_6.1", "product_name": "Red Hat Enterprise Linux 4", "release_date": "2007-11-15T00:00:00Z"}, {"advisory": "RHSA-2007:0964", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "openssl-0:0.9.8b-8.3.el5_0.2", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2007-10-12T00:00:00Z"}], "bugzilla": {"description": "openssl: RSA side-channel attack", "id": "245732", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=245732"}, "csaw": false, "details": ["The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys."], "name": "CVE-2007-3108", "public_date": "2007-08-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2007-3108\nhttps://nvd.nist.gov/vuln/detail/CVE-2007-3108"], "threat_severity": "Moderate"}

Metrics

Access Vector Local

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Access Vector Local

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object