Vulnerability Name:

CVE-2016-2849 (CCN-113800)

Assigned:2015-03-23
Published:2015-03-23
Updated:2017-07-01
Summary:Botan before 1.10.13 and 1.11.x before 1.11.29 do not use a constant-time algorithm to perform a modular inverse on the signature nonce k, which might allow remote attackers to obtain ECDSA secret keys via a timing side-channel attack.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
References:Source: CONFIRM
Type: Vendor Advisory
http://botan.randombit.net/security.html

Source: MITRE
Type: CNA
CVE-2016-2849

Source: FEDORA
Type: UNKNOWN
FEDORA-2016-a545f81683

Source: MLIST
Type: Vendor Advisory
[botan-devel] 20160428 Botan 1.10.13 released

Source: DEBIAN
Type: UNKNOWN
DSA-3565

Source: CCN
Type: IBM Security Bulletin 2001108 (PureData System for Analytics)
A vulnerability in Open Source Botan affects IBM Netezza Platform Software clients (CVE-2016-2849).

Source: CCN
Type: Botan Web site
Botan

Source: XF
Type: UNKNOWN
botan-cve20162849-info-disc(113800)

Source: GENTOO
Type: UNKNOWN
GLSA-201701-23

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-2849

Vulnerable Configuration:Configuration 1:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:24:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:botan_project:botan:1.10.12:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.0:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.1:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.2:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.3:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.4:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.5:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.6:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.7:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.8:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.9:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.10:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.11:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.12:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.13:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.14:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.15:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.16:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.17:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.18:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.19:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.20:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.21:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.22:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.23:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.24:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.25:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.26:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.27:*:*:*:*:*:*:*
  • OR cpe:/a:botan_project:botan:1.11.28:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:botan_project:botan:1.11.28:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:puredata_system:1.0.0:*:*:*:analytics:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20162849
    V
    		CVE-2016-2849
    2022-09-02
    oval:org.opensuse.security:def:112602
    P
    		libbotan-1_10-1-1.10.13-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:10440
    P
    		Security update for MozillaFirefox (Important) (in QA)
    2022-01-14
    oval:org.opensuse.security:def:9879
    P
    		Security update for libsndfile (Important)
    2022-01-11
    oval:org.opensuse.security:def:10425
    P
    		Security update for java-1_8_0-ibm (Important) (in QA)
    2022-01-04
    oval:org.opensuse.security:def:10378
    P
    		Security update for MozillaFirefox (Important)
    2021-12-10
    oval:org.opensuse.security:def:9817
    P
    		Security update for ruby2.5 (Important)
    2021-12-01
    oval:org.opensuse.security:def:10700
    P
    		Security update for ffmpeg (Moderate)
    2021-10-26
    oval:org.opensuse.security:def:10158
    P
    		Security update for grilo (Important)
    2021-10-06
    oval:org.opensuse.security:def:106086
    P
    		libbotan-1_10-1-1.10.13-1.1 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:10332
    P
    		Security update for spectre-meltdown-checker (Moderate)
    2021-08-27
    oval:org.opensuse.security:def:10322
    P
    		Security update for openexr (Important)
    2021-08-20
    oval:org.opensuse.security:def:9771
    P
    		Security update for openexr (Important)
    2021-08-20
    oval:org.opensuse.security:def:10139
    P
    		Security update for djvulibre (Important)
    2021-08-20
    oval:org.opensuse.security:def:10310
    P
    		Security update for qemu (Important)
    2021-08-02
    oval:org.opensuse.security:def:10124
    P
    		Security update for MozillaFirefox (Important)
    2021-07-27
    oval:org.opensuse.security:def:10309
    P
    		Security update for MozillaFirefox (Important)
    2021-07-27
    oval:org.opensuse.security:def:10302
    P
    		Security update for dbus-1 (Important)
    2021-07-12
    oval:org.opensuse.security:def:9741
    P
    		Security update for libgcrypt (Important)
    2021-06-24
    oval:org.opensuse.security:def:17134
    P
    		libssh4-0.6.3-11.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:16495
    P
    		libbotan-1_10-0-1.10.9-4.3.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17228
    P
    		cyrus-sasl-digestmd5-32bit-2.1.26-8.7.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:11283
    P
    		cvs-1.12.12-181.63 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17082
    P
    		libwmf-0_2-7-0.2.8.4-242.3 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17168
    P
    		gnome-online-accounts-3.20.5-9.6 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:16994
    P
    		bash-lang-4.2-75.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17260
    P
    		libjavascriptcoregtk-1_0-0-2.4.11-23.20 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17126
    P
    		libnewt0_52-0.52.16-1.83 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:16235
    P
    		libbotan-1_10-0-1.10.9-3.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17118
    P
    		libfbembed2_5-2.5.2.26539-13.42 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17253
    P
    		libdirectfb-1_7-1-32bit-1.7.1-6.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:124501
    P
    		libbotan-1_10-0-1.10.9-4.3.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:11261
    P
    		MozillaFirefox-31.1.0esr-1.20 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17051
    P
    		gcc48-gij-32bit-4.8.5-24.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:10258
    P
    		Security update for the Linux Kernel (Important)
    2021-05-18
    oval:org.opensuse.security:def:10077
    P
    		Security update for the Linux Kernel (Important)
    2021-05-12
    oval:org.opensuse.security:def:10062
    P
    		Security update for xen (Important)
    2021-04-19
    oval:org.opensuse.security:def:10233
    P
    		Security update for tomcat (Important)
    2021-04-01
    oval:org.opensuse.security:def:9864
    P
    		Security update for python (Moderate)
    2021-03-11
    oval:org.opensuse.security:def:10300
    P
    		Security update for nodejs8 (Moderate)
    2021-01-26
    oval:org.opensuse.security:def:9749
    P
    		Security update for nodejs8 (Moderate)
    2021-01-26
    oval:org.opensuse.security:def:10031
    P
    		Security update for openssl-1_0_0 (Important)
    2020-12-11
    oval:org.opensuse.security:def:17377
    P
    		libzzip-0-13-0.13.67-10.14.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:16909
    P
    		libvirt-devel-5.1.0-11.10 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:17310
    P
    		cyrus-sasl-digestmd5-32bit-2.1.26-8.7.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:16797
    P
    		libbotan-1_10-0-1.10.9-4.3.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:16867
    P
    		libplist++-devel-1.12-20.3.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:17329
    P
    		imobiledevice-tools-1.2.0-7.31 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:3961
    P
    		libbotan-1_10-0-1.10.9-4.3.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:17341
    P
    		libgadu3-1.11.4-1.12 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:16875
    P
    		libpulse-devel-5.0-4.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:17351
    P
    		libndp0-1.6-2.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:17317
    P
    		gcc48-gij-32bit-4.8.5-31.20.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:10982
    P
    		libbotan-1_10-0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17610
    P
    		Recommended update for openssl (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10610
    P
    		xfig on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10040
    P
    		bash-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10009
    P
    		vino on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17989
    P
    		Security update for rrdtool (Low)
    2020-12-01
    oval:org.opensuse.security:def:17576
    P
    		Security update for wireshark (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10559
    P
    		libvirt-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:9973
    P
    		python-cupshelpers on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17487
    P
    		Security update for java-1_7_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:10459
    P
    		krb5-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:18248
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:10623
    P
    		alsa-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10049
    P
    		dbus-1-glib-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:18015
    P
    		Security update for Botan (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10960
    P
    		libXfixes-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17588
    P
    		Security update for postgresql93 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10601
    P
    		sudo-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:9998
    P
    		sysconfig on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10001
    P
    		sysvinit-tools on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10722
    P
    		libbotan-1_10-0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17519
    P
    		Security update for python, python-base, python-doc (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10534
    P
    		libpulse-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:18274
    P
    		Security update for Botan (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:9898
    P
    		libopenssl-devel on GA media (Moderate)
    2020-12-01
    oval:org.cisecurity:def:593
    P
    		DSA-3565-2 -- botan1.10 -- security update
    2016-07-01
    oval:org.cisecurity:def:552
    P
    		DSA-3565-1 -- botan1.10 -- security update
    2016-07-01
    oval:com.ubuntu.artful:def:20162849000
    V
    		CVE-2016-2849 on Ubuntu 17.10 (artful) - medium.
    2016-05-13
    oval:com.ubuntu.xenial:def:201628490000000
    V
    		CVE-2016-2849 on Ubuntu 16.04 LTS (xenial) - medium.
    2016-05-13
    oval:com.ubuntu.trusty:def:20162849000
    V
    		CVE-2016-2849 on Ubuntu 14.04 LTS (trusty) - medium.
    2016-05-13
    oval:com.ubuntu.bionic:def:20162849000
    V
    		CVE-2016-2849 on Ubuntu 18.04 LTS (bionic) - medium.
    2016-05-13
    oval:com.ubuntu.xenial:def:20162849000
    V
    		CVE-2016-2849 on Ubuntu 16.04 LTS (xenial) - medium.
    2016-05-13
    oval:com.ubuntu.cosmic:def:201628490000000
    V
    		CVE-2016-2849 on Ubuntu 18.10 (cosmic) - medium.
    2016-05-13
    oval:com.ubuntu.cosmic:def:20162849000
    V
    		CVE-2016-2849 on Ubuntu 18.10 (cosmic) - medium.
    2016-05-13
    oval:com.ubuntu.bionic:def:201628490000000
    V
    		CVE-2016-2849 on Ubuntu 18.04 LTS (bionic) - medium.
    2016-05-13
    oval:com.ubuntu.precise:def:20162849000
    V
    		CVE-2016-2849 on Ubuntu 12.04 LTS (precise) - medium.
    2016-05-13
    BACK
    debian debian linux 8.0
    fedoraproject fedora 24
    botan_project botan 1.10.12
    botan_project botan 1.11.0
    botan_project botan 1.11.1
    botan_project botan 1.11.2
    botan_project botan 1.11.3
    botan_project botan 1.11.4
    botan_project botan 1.11.5
    botan_project botan 1.11.6
    botan_project botan 1.11.7
    botan_project botan 1.11.8
    botan_project botan 1.11.9
    botan_project botan 1.11.10
    botan_project botan 1.11.11
    botan_project botan 1.11.12
    botan_project botan 1.11.13
    botan_project botan 1.11.14
    botan_project botan 1.11.15
    botan_project botan 1.11.16
    botan_project botan 1.11.17
    botan_project botan 1.11.18
    botan_project botan 1.11.19
    botan_project botan 1.11.20
    botan_project botan 1.11.21
    botan_project botan 1.11.22
    botan_project botan 1.11.23
    botan_project botan 1.11.24
    botan_project botan 1.11.25
    botan_project botan 1.11.26
    botan_project botan 1.11.27
    botan_project botan 1.11.28
    botan_project botan 1.11.28
    ibm puredata system 1.0.0