Vulnerability Name:

CVE-2018-0733 (CCN-140849)

Assigned:2017-11-30
Published:2018-03-27
Updated:2020-08-24
Summary:Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
CVSS v3 Severity:5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2018-0733

Source: CCN
Type: IBM Security Bulletin 0716285 (Cognos TM1)
Multiple Security Vulnerabilities exist in IBM Cognos TM1

Source: CCN
Type: IBM Security Bulletin 0716289 (Cognos Insight)
Multiple Security Vulnerabilities exist in IBM Cognos Insight

Source: CCN
Type: IBM Security Bulletin 716653 (Cloud Private)
Multiple Security Vulnerabilities affect IBM Cloud Private

Source: CCN
Type: IBM Security Bulletin 0716741 (Other xSeries)
OpenSSL vulnerabilties affect IBM NeXtScale Fan Power Controller (FPC)

Source: CCN
Type: IBM Security Bulletin 0717163 (Workload Automation)
Multiple vulnerabilities in OpenSSL affect IBM Workload Scheduler

Source: CCN
Type: IBM Security Bulletin 717405 (Spectrum Protect)
Multiple Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client NetApp Services (CVE-2017-3737, CVE-2017-3738, CVE-2018-0733, CVE-2018-0739)

Source: CCN
Type: IBM Security Bulletin 717409 (Spectrum Protect for Virtual Environments)
Multiple vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware

Source: CCN
Type: IBM Security Bulletin 0732834 (MobileFirst Platform Foundation)
Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation

Source: CCN
Type: IBM Security Bulletin N1022561 (i)
Multiple Vulnerabilities in OpenSSL affect IBM i

Source: CCN
Type: IBM Security Bulletin 2015539 (PredictiveInsight)
Multiple Security Vulnerabilities Impact IBM Predictive Insights

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Source: BID
Type: Third Party Advisory, VDB Entry
103517

Source: CCN
Type: BID-103517
OpenSSL CVE-2018-0733 Security Bypass Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1040576

Source: XF
Type: UNKNOWN
openssl-cve20180733-sec-bypass(140849)

Source: CONFIRM
Type: Patch, Vendor Advisory
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f

Source: GENTOO
Type: UNKNOWN
GLSA-201811-21

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20180330-0002/

Source: CCN
Type: IBM Security Bulletin 887987 (Contact Optimization)
Multiple OpenSSL Vulnerabilities Affect IBM Campaign and IBM Contact Optimization

Source: CCN
Type: IBM Security Bulletin 1143442 (Watson Studio Local)
Mutiple Vulnerabilities in OpenSSL affects IBM Watson Studio Local

Source: CCN
Type: IBM Security Bulletin 2015176 (Security Identity Adapter for Computer Associates ACF2)
BM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2015176 (Security Identity Adapter for Computer Associates TopSecret)
BM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2015176 (Security Identity Adapter for Lotus Notes)
BM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2015176 (Security Identity Adapter for Microsoft SQL Server)
BM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2015176 (Security Identity Adapter for RACF)
BM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2015176 (Security Identity Adapter for Windows Active Directory)
BM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2015176 (Security Identity Adapter for Windows Local Accounts)
BM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities

Source: CCN
Type: OpenSSL Security Advisory [27 Mar 2018]
OpenSSL Security Advisory [27 Mar 2018]

Source: CONFIRM
Type: Vendor Advisory
https://www.openssl.org/news/secadv/20180327.txt

Source: MISC
Type: UNKNOWN
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Source: CONFIRM
Type: UNKNOWN
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Source: MISC
Type: UNKNOWN
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Source: CONFIRM
Type: UNKNOWN
https://www.tenable.com/security/tns-2018-04

Source: CONFIRM
Type: UNKNOWN
https://www.tenable.com/security/tns-2018-06

Source: CONFIRM
Type: UNKNOWN
https://www.tenable.com/security/tns-2018-07

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-0733

Vulnerable Configuration:Configuration 1:
  • cpe:/a:openssl:openssl:*:*:*:*:*:*:*:* (Version >= 1.1.0 and <= 1.1.0g)

    • Configuration CCN 1:
  • cpe:/a:openssl:openssl:1.1.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:cognos_tm1:10.2.2:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_insight:10.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_insight:10.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_tm1:10.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:6.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_for_virtual_environments:7.1:*:*:*:*:hyper-v:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:6.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect:8.1:*:*:*:virtual_environments:*:*:*
  • OR cpe:/a:ibm:contact_optimization:9.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:workload_automation:9.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:workload_automation:9.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:workload_automation:9.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:workload_automation:9.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:contact_optimization:9.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:6.0.14:*:*:*:lotus_notes:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:7.1.14:*:*:*:lotus_notes:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:6.0.15:*:*:*:microsoft_sql_server:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:7.1.16:*:*:*:microsoft_sql_server:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:6.1.31:*:*:*:windows_active_directory:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:7.1.31:*:*:*:windows_active_directory:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:6.0.18:*:*:*:windows_local_accounts:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:7.1.18:*:*:*:windows_local_accounts:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:6.0.36:*:*:*:racf:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:7.1.36:*:*:*:racf:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:6.0.17:*:*:*:computer_associates_topsecret:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:7.1.17:*:*:*:computer_associates_topsecret:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:6.0.28:*:*:*:computer_associates_acf2:*:*:*
  • OR cpe:/a:ibm:security_identity_adapter:7.1.28:*:*:*:computer_associates_acf2:*:*:*
  • OR cpe:/a:ibm:watson_studio_local:1.2.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.ubuntu.artful:def:20180733000
    V
    		CVE-2018-0733 on Ubuntu 17.10 (artful) - medium.
    2018-03-27
    oval:com.ubuntu.trusty:def:20180733000
    V
    		CVE-2018-0733 on Ubuntu 14.04 LTS (trusty) - medium.
    2018-03-27
    oval:com.ubuntu.xenial:def:20180733000
    V
    		CVE-2018-0733 on Ubuntu 16.04 LTS (xenial) - medium.
    2018-03-27
    oval:com.ubuntu.xenial:def:201807330000000
    V
    		CVE-2018-0733 on Ubuntu 16.04 LTS (xenial) - medium.
    2018-03-27
    BACK
    openssl openssl *
    openssl openssl 1.1.0
    ibm cognos tm1 10.2.2
    ibm i 7.1
    ibm i 7.2
    ibm cognos insight 10.2.1
    ibm cognos insight 10.2.2
    ibm cognos tm1 10.2
    ibm predictiveinsight 8.0
    ibm predictiveinsight 8.1
    ibm predictiveinsight 8.2
    ibm predictiveinsight 8.3
    ibm predictiveinsight 8.5
    ibm predictiveinsight 8.6
    ibm predictiveinsight 9.0
    ibm mobilefirst platform foundation 6.3
    ibm spectrum protect for virtual environments 7.1
    ibm mobilefirst platform foundation 7.1
    ibm spectrum protect 7.1
    ibm i 7.3
    ibm mobilefirst platform foundation 6.1
    ibm mobilefirst platform foundation 6.2
    ibm mobilefirst platform foundation 8.0
    ibm spectrum protect 8.1
    ibm spectrum protect 8.1
    ibm contact optimization 9.1.2
    ibm workload automation 9.1.0
    ibm workload automation 9.2.0
    ibm workload automation 9.3.0
    ibm workload automation 9.4.0
    ibm cloud private 2.1.0
    ibm contact optimization 9.1.0
    ibm security identity adapter 6.0.14
    ibm security identity adapter 7.1.14
    ibm security identity adapter 6.0.15
    ibm security identity adapter 7.1.16
    ibm security identity adapter 6.1.31
    ibm security identity adapter 7.1.31
    ibm security identity adapter 6.0.18
    ibm security identity adapter 7.1.18
    ibm security identity adapter 6.0.36
    ibm security identity adapter 7.1.36
    ibm security identity adapter 6.0.17
    ibm security identity adapter 7.1.17
    ibm security identity adapter 6.0.28
    ibm security identity adapter 7.1.28
    ibm watson studio local 1.2.3