Vulnerability CVE-2015-8618

Vulnerability Name:

CVE-2015-8618 (CCN-110311)

Assigned:

2015-12-22

Published:

2016-01-13

Updated:

2018-10-30

Summary:

The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
3.2 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-200

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2015-8618

Source: FEDORA
Type: UNKNOWN
FEDORA-2016-5a073cbd93

Source: FEDORA
Type: UNKNOWN
FEDORA-2016-2dcc094217

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2016:1331

Source: MLIST
Type: UNKNOWN
[oss-security] 20151221 CVE request for math/big.Exp

Source: MLIST
Type: UNKNOWN
[oss-security] 20151222 Re: CVE request for math/big.Exp

Source: CCN
Type: oss-sec Mailing List, Wed, 13 Jan 2016 21:06:57 +0000
Go security release v1.5.3

Source: MLIST
Type: UNKNOWN
[oss-security] 20160113 [security] Go security release v1.5.3

Source: XF
Type: UNKNOWN
go-cve20158618-info-disc(110311)

Source: CCN
Type: Go Language - GitHub Web site
math/big: incorrect result from Exp on 386 architecture

Source: CONFIRM
Type: Patch
https://github.com/golang/go/issues/13515

Source: CONFIRM
Type: UNKNOWN
https://go-review.googlesource.com/#/c/17672/

Source: MLIST
Type: UNKNOWN
[golang-announce] 20160113 [security] Go 1.5.3 is released

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-8618

Vulnerable Configuration:

Configuration 1:

cpe:/o:opensuse:leap:42.1:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:golang:go:1.5:*:*:*:*:*:*:*

OR cpe:/a:golang:go:1.5.1:*:*:*:*:*:*:*

OR cpe:/a:golang:go:1.5.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20158618	V	CVE-2015-8618	2023-06-22
oval:org.opensuse.security:def:8012	P	go-1.19-150000.3.26.1 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:112331	P	go1.12-1.12.17-4.8 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:112328	P	go-1.7.0-2.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:112344	P	go1.9-1.9.7-11.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:112329	P	go1.10-1.10.8-8.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:112330	P	go1.11-1.11.13-10.5 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:11160	P	Security update for nextcloud (Important)	2021-12-20
oval:org.opensuse.security:def:105859	P	Security update for java-11-openjdk (Important)	2021-11-16
oval:org.opensuse.security:def:105850	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:105851	P	Security update for libvirt (Important)	2021-10-27
oval:org.opensuse.security:def:105849	P	Security update for dnsmasq (Moderate)	2021-10-27
oval:org.opensuse.security:def:105852	P	go1.12-1.12.17-4.8 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:11236	P	Security update for roundcubemail (Important)	2021-07-06
oval:org.opensuse.security:def:11887	P	libgif6-32bit-5.0.5-12.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11909	P	libmms0-0.6.2-15.8 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11227	P	Security update for inn (Moderate)	2021-06-07
oval:org.opensuse.security:def:11185	P	Security update for chromium (Important)	2021-03-19
oval:org.opensuse.security:def:11249	P	lhasa-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:11051	P	libproxy-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:10936	P	gstreamer-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:11066	P	libsoup-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:10958	P	libXdmcp-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:11085	P	libvorbis-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:11004	P	libguestfs-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:10928	P	glib2-devel on GA media (Moderate)	2020-12-01
oval:com.ubuntu.precise:def:20158618000	V	CVE-2015-8618 on Ubuntu 12.04 LTS (precise) - medium.	2016-01-27
oval:com.ubuntu.trusty:def:20158618000	V	CVE-2015-8618 on Ubuntu 14.04 LTS (trusty) - medium.	2016-01-27

BACK