Vulnerability Name: CVE-2003-0147 (CCN-11547)
Assigned: 2003-03-13
Published: 2003-03-13
Updated: 2018-10-19
Summary: OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).

CVSS v3 Severity: 4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Local; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None

CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None

2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None
Vulnerability Type: CWE-Other
Vulnerability Consequences: Obtain Information

References:
Source: CALDERA | Type: UNKNOWN | CSSA-2003-014.0
Source: CCN | Type: SGI Security Advisory 20030501-01-I | Multiple Security Vulnerabilities in OpenSSL
Source: SGI | Type: UNKNOWN | 20030501-01-I
Source: CCN | Type: BugTraq Mailing List, Fri Mar 21 2003 - 13:29:28 CST | Stunnel: RSA timing attacks / key discovery
Source: CCN | Type: VulnWatch Mailing List, Thu Mar 13 2003 - 23:05:37 CST | OpenSSL Private Key Disclosure
Source: VULNWATCH | Type: Vendor Advisory | 20030313 OpenSSL Private Key Disclosure
Source: MISC | Type: UNKNOWN | http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
Source: MITRE | Type: CNA | CVE-2003-0147
Source: MITRE | Type: CNA | CVE-2004-2682
Source: CONECTIVA | Type: UNKNOWN | CLA-2003:625
Source: CCN | Type: Conectiva Linux Security Announcement CLSA-2003:625 | openssl
Source: CCN | Type: AppleCare Knowledge Base Document 120199 | Security Update 2003-03-24 for Mac OS X: Information and Download
Source: CCN | Type: Apple Computer, Inc. Security Updates | Security Update 2003-03-24
Source: BUGTRAQ | Type: UNKNOWN | 20030313 Vulnerability in OpenSSL
Source: BUGTRAQ | Type: UNKNOWN | 20030317 [ADVISORY] Timing Attack on OpenSSL
Source: BUGTRAQ | Type: UNKNOWN | 20030320 [OpenPKG-SA-2003.026] OpenPKG Security Advisory (openssl)
Source: GENTOO | Type: UNKNOWN | GLSA-200303-15
Source: GENTOO | Type: UNKNOWN | GLSA-200303-24
Source: CCN | Type: OpenSSL Web site | RSA_blinding_on(3)
Source: CCN | Type: Oracle Security Alert #62 | SSL Update for CERT CA200326 and older SSL issues
Source: CCN | Type: RHSA-2003-101 | Updated OpenSSL packages fix vulnerabilities
Source: CCN | Type: RHSA-2003-102 | openssl security update
Source: CCN | Type: RHSA-2003-205 | Updated OpenSSL packages fix vulnerabilities
Source: CCN | Type: Sun Alert ID: 56380 | Timing Based Attack Vulnerabilities in the Java Secure Socket Extension
Source: CCN | Type: CIAC Information Bulletin N-061 | OpenSSL Timing-based Attacks on RSA Keys
Source: CCN | Type: CIAC Information Bulletin N-141 | Timing based attack vulnerabilities in the JAVA Secure Socket Extension
Source: DEBIAN | Type: UNKNOWN | DSA-288
Source: DEBIAN | Type: DSA-288 | openssl -- several vulnerabilities
Source: GENTOO | Type: UNKNOWN | GLSA-200303-23
Source: CCN | Type: US-CERT VU#997481 | Cryptographic libraries and applications do not adequately defend against timing attacks
Source: CERT-VN | Type: Third Party Advisory, US Government Resource | VU#997481
Source: CCN | Type: EnGarde Secure Linux Security Advisory ESA-20030320-010 | Several vulnerabilities in the OpenSSL toolkit
Source: CCN | Type: EnGarde Secure Linux Security Advisory ESA-20010426-01 | openssl -- There are four potential vulnerabilities in openssl.
Source: CCN | Type: Gentoo Linux Security Announcement 200303-15 | openssl buffer overflow vulnerability
Source: CCN | Type: Immunix Secured OS Security Advisory IMNX-2003-7+-001-01 | openssl, openssh, mod_ssl
Source: MANDRAKE | Type: UNKNOWN | MDKSA-2003:035
Source: CCN | Type: MatrixSSL Archives | Security Advisories - RSA Blinding
Source: CCN | Type: OpenPKG-SA-2003.019 | OpenSSL
Source: OPENPKG | Type: UNKNOWN | OpenPKG-SA-2003.019
Source: CCN | Type: OpenSSL Security Advisory [17 March 2003] | Timing-based attacks on RSA keys
Source: CONFIRM | Type: UNKNOWN | http://www.openssl.org/news/secadv_20030317.txt
Source: REDHAT | Type: UNKNOWN | RHSA-2003:101
Source: REDHAT | Type: UNKNOWN | RHSA-2003:102
Source: BUGTRAQ | Type: UNKNOWN | 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL
Source: IMMUNIX | Type: UNKNOWN | IMNX-2003-7+-001-01
Source: CCN | Type: BID-7101 | OpenSSL Timing Attack RSA Private Key Information Disclosure Vulnerability
Source: CCN | Type: slackware-security Mailing List, Tue May 20 20:13:09 PDT 2003 | [slackware-security] mod_ssl RSA blinding fixes (SSA:2003-141-05)
Source: CCN | Type: Stunnel Web site | Stunnel.org
Source: CCN | Type: Trustix Secure Linux Security Advisory #2003-0010 | openssl -- Secret key recovery
Source: CCN | Type: TLSA-2003-22 | The RSA key is decoded
Source: XF | Type: UNKNOWN | ssl-rsa-information-leak(11547)
Source: OVAL | Type: UNKNOWN | oval:org.mitre.oval:def:466

Vulnerable Configuration:
Configuration 1: cpe:/a:openpkg:openpkg:*:*:*:*:*:*:*:* OR cpe:/a:openpkg:openpkg:1.1:*:*:*:*:*:*:* OR cpe:/a:openpkg:openpkg:1.2:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:0.9.6:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:0.9.6a:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:0.9.6b:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:0.9.6c:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:0.9.6d:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:0.9.6e:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:0.9.6g:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:0.9.6h:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:0.9.6i:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:0.9.7:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7a:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.7:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.8:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.9:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.10:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.11:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.12:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.13:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.14:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.15:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.16:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.17:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.18:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.19:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.20:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.21:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:3.22:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:4.0:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:4.01:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:4.02:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:4.03:*:*:*:*:*:*:* OR cpe:/a:stunnel:stunnel:4.04:*:*:*:*:*:*:*

Configuration CCN 1: cpe:/a:openssl:openssl:0.9.7a:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:0.9.6i:*:*:*:*:*:*:* AND cpe:/o:hp:hp-ux:11.00:*:*:*:*:*:*:* OR cpe:/o:redhat:linux:6.2:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:2.2:*:*:*:*:*:*:* OR cpe:/o:trustix:secure_linux:1.1:*:*:*:*:*:*:* OR cpe:/o:redhat:linux:7:*:*:*:*:*:*:* OR cpe:/o:hp:hp-ux:11.11:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:7.2:*:*:*:*:*:*:* OR cpe:/a:oracle:database_server:8.1.7:*:*:*:*:*:*:* OR cpe:/o:conectiva:linux:6.0:*:*:*:*:*:*:* OR cpe:/o:engardelinux:secure_community:1.0.1:*:*:*:*:*:*:* OR cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:* OR cpe:/o:trustix:secure_linux:1.01:*:*:*:*:*:*:* OR cpe:/o:trustix:secure_linux:1.2:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:8.0:*:*:*:*:*:*:* OR cpe:/a:mandrakesoft:mandrake_single_network_firewall:7.2:*:*:*:*:*:*:* OR cpe:/o:conectiva:linux:7.0:*:*:*:*:*:*:* OR cpe:/o:trustix:secure_linux:1.5:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:8.1:*:*:*:*:*:*:* OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:* OR cpe:/o:engardelinux:secure_linux:-:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:8.2:*:*:*:*:*:*:* OR cpe:/o:conectiva:linux:8.0:*:*:*:*:*:*:* OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:* OR cpe:/o:engardelinux:secure_professional:-:*:*:*:*:*:*:* OR cpe:/a:openpkg:openpkg:current:*:*:*:*:*:*:* OR cpe:/a:oracle:application_server:9.0.2:*:*:*:*:*:*:* OR cpe:/o:gentoo:linux:*:*:*:*:*:*:*:* OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:* OR cpe:/a:openpkg:openpkg:1.1:*:*:*:*:*:*:* OR cpe:/o:hp:hp-ux:11.22:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:9.0:*:*:*:*:*:*:* OR cpe:/a:mandrakesoft:mandrake_multi_network_firewall:8.2:*:*:*:*:*:*:* OR cpe:/a:openpkg:openpkg:1.2:*:*:*:*:*:*:* OR cpe:/a:oracle:application_server:9.0.3:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:9.1:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:* OR cpe:/o:redhat:linux:9.0:*:*:*:*:*:*:* OR cpe:/o:slackware:slackware_linux:9.0:*:*:*:*:*:*:* OR cpe:/o:sgi:irix:6.5.19:*:*:*:*:*:*:* OR cpe:/a:oracle:application_server:1.0.2.2:*:*:*:*:*:*:* OR cpe:/a:oracle:application_server:1.0.2.1s:*:*:*:*:*:*:* OR cpe:/a:oracle:http_server:9.2.0:*:*:*:*:*:*:* OR cpe:/a:oracle:http_server:9.0.1:*:*:*:*:*:*:* OR cpe:/a:oracle:http_server:8.1.7:*:*:*:*:*:*:* OR cpe:/a:sun:jsse:1.0.3:*:*:*:*:*:*:* OR cpe:/a:sun:jsse:1.0.3_01:*:*:*:*:*:*:* OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:8.0::ppc:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:8.1::ia64:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:8.2::ppc:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:9.1::ppc:*:*:*:*:*

Denotes that component is vulnerable
openpkg openpkg *
openpkg openpkg 1.1
openpkg openpkg 1.2
openssl openssl 0.9.6
openssl openssl 0.9.6a
openssl openssl 0.9.6b
openssl openssl 0.9.6c
openssl openssl 0.9.6d
openssl openssl 0.9.6e
openssl openssl 0.9.6g
openssl openssl 0.9.6h
openssl openssl 0.9.6i
openssl openssl 0.9.7
openssl openssl 0.9.7a
stunnel stunnel 3.7
stunnel stunnel 3.8
stunnel stunnel 3.9
stunnel stunnel 3.10
stunnel stunnel 3.11
stunnel stunnel 3.12
stunnel stunnel 3.13
stunnel stunnel 3.14
stunnel stunnel 3.15
stunnel stunnel 3.16
stunnel stunnel 3.17
stunnel stunnel 3.18
stunnel stunnel 3.19
stunnel stunnel 3.20
stunnel stunnel 3.21
stunnel stunnel 3.22
stunnel stunnel 4.0
stunnel stunnel 4.01
stunnel stunnel 4.02
stunnel stunnel 4.03
stunnel stunnel 4.04
openssl openssl 0.9.7a
openssl openssl 0.9.6i
hp hp-ux 11.00
redhat linux 6.2
debian debian linux 2.2
trustix secure linux 1.1
redhat linux 7
hp hp-ux 11.11
mandrakesoft mandrake linux 7.2
oracle database server 8.1.7
conectiva linux 6.0
engardelinux secure community 1.0.1
redhat linux 7.1
trustix secure linux 1.01
trustix secure linux 1.2
mandrakesoft mandrake linux 8.0
mandrakesoft mandrake single network firewall 7.2
conectiva linux 7.0
trustix secure linux 1.5
mandrakesoft mandrake linux 8.1
redhat linux 7.2
engardelinux secure linux -
mandrakesoft mandrake linux 8.2
conectiva linux 8.0
redhat linux 7.3
debian debian linux 3.0
engardelinux secure professional -
openpkg openpkg current
oracle application server 9.0.2
gentoo linux *
redhat linux 8.0
openpkg openpkg 1.1
hp hp-ux 11.22
mandrakesoft mandrake linux 9.0
mandrakesoft mandrake multi network firewall 8.2
openpkg openpkg 1.2
oracle application server 9.0.3
mandrakesoft mandrake linux corporate server 2.1
mandrakesoft mandrake linux 9.1
redhat enterprise linux 2.1
redhat enterprise linux 2.1
redhat enterprise linux 2.1
redhat linux 9.0
slackware slackware linux 9.0
sgi irix 6.5.19
oracle application server 1.0.2.2
oracle application server 1.0.2.1s
oracle http server 9.2.0
oracle http server 9.0.1
oracle http server 8.1.7
sun jsse 1.0.3
sun jsse 1.0.3_01
redhat linux advanced workstation 2.1
mandrakesoft mandrake linux 8.0
mandrakesoft mandrake linux 8.1
mandrakesoft mandrake linux 8.2
mandrakesoft mandrake linux 9.1