Vulnerability Name:

CVE-2018-9234 (CCN-141380)

Assigned:2018-03-29
Published:2018-03-29
Updated:2019-02-27
Summary:GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availibility (A): None
Vulnerability Type:CWE-320
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2018-9234

Source: CCN
Type: GnuPG Web site
Able to certify public keys without a certify key present when using smartcard

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://dev.gnupg.org/T3844

Source: XF
Type: UNKNOWN
gnupg-cve20189234-sec-bypass(141380)

Source: UBUNTU
Type: Third Party Advisory
USN-3675-1

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Vulnerable Configuration:Configuration 1:
  • cpe:/a:gnupg:gnupg:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:gnupg:gnupg:2.2.5:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

    • Configuration CCN 1:
  • cpe:/a:gnupg:gnupg:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:gnupg:gnupg:2.2.5:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20189234
    V
    		CVE-2018-9234
    2023-06-22
    oval:org.opensuse.security:def:7482
    P
    		dirmngr-2.2.27-150300.3.5.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:667
    P
    		Security update for postgresql-jdbc (Moderate)
    2022-08-03
    oval:org.opensuse.security:def:2908
    P
    		dirmngr-2.2.27-1.2 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94538
    P
    		dirmngr-2.2.27-1.2 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:85
    P
    		iscsiuio-0.7.8.6-30.1 on GA media (Moderate)
    2022-06-13
    oval:org.opensuse.security:def:44
    P
    		dirmngr-2.2.27-1.2 on GA media (Moderate)
    2022-06-13
    oval:org.opensuse.security:def:367
    P
    		tar-1.34-150000.3.12.1 on GA media (Moderate)
    2022-06-10
    oval:org.opensuse.security:def:100436
    P
    		 (Important)
    2022-03-15
    oval:org.opensuse.security:def:973
    P
    		Security update for chrony (Moderate)
    2022-03-15
    oval:org.opensuse.security:def:112155
    P
    		dirmngr-2.2.27-2.4 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:70854
    P
    		Security update for busybox (Important) (in QA)
    2022-01-14
    oval:org.opensuse.security:def:69759
    P
    		Security update for python-Pygments (Important)
    2021-12-01
    oval:org.opensuse.security:def:105691
    P
    		dirmngr-2.2.27-2.4 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:96576
    P
    		gpg2-2.2.5-4.6.2 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:103266
    P
    		gpg2-2.2.5-4.6.2 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:89611
    P
    		gpg2-2.2.5-4.6.2 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:71197
    P
    		gpg2-2.2.5-4.6.2 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:61456
    P
    		gpg2-2.2.5-4.6.2 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:47159
    P
    		sudo-1.8.10p3-6.16 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:46903
    P
    		bzip2-1.0.6-29.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48014
    P
    		gdk-pixbuf-lang-2.34.0-19.17.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47521
    P
    		update-alternatives-1.18.4-14.216 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47217
    P
    		busybox-1.21.1-3.3 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48116
    P
    		libgme0-0.6.0-5.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47667
    P
    		libQt5Concurrent5-5.6.2-6.12.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47441
    P
    		logwatch-7.4.3-15.65 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47763
    P
    		libplist3-1.12-20.3.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47803
    P
    		libvirglrenderer0-0.5.0-11.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47067
    P
    		libpulse-mainloop-glib0-32bit-5.0-2.7 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:46889
    P
    		apache-commons-httpclient-3.1-4.364 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47949
    P
    		apache2-2.4.23-29.43.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47307
    P
    		libMagickCore-6_Q16-1-6.8.8.1-70.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47024
    P
    		libgraphite2-3-1.3.1-6.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48045
    P
    		ibus-chewing-1.4.14-4.11 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47605
    P
    		evince-3.20.2-6.22.9 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47349
    P
    		libgoa-1_0-0-3.20.5-9.6 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47732
    P
    		libksba8-1.3.0-23.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47589
    P
    		cyrus-sasl-2.1.26-8.7.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:46935
    P
    		eog-3.20.4-7.7 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:46888
    P
    		apache-commons-daemon-1.0.15-4.181 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47834
    P
    		openslp-2.0.0-18.17.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47887
    P
    		shim-0.9-23.14 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:71803
    P
    		dirmngr-2.2.27-1.2 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62062
    P
    		dirmngr-2.2.27-1.2 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:100820
    P
    		dirmngr-2.2.27-1.2 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:48808
    P
    		libwebkit2gtk-3_0-25-2.4.8-16.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46607
    P
    		aaa_base-13.2+git20140911.61c1681-9.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:70915
    P
    		gpg2-2.2.5-2.9 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46742
    P
    		liblcms1-1.19-17.31 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:70967
    P
    		libcroco-0.6.12-2.38 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48472
    P
    		libXrender1-0.9.8-3.55 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:61174
    P
    		gpg2-2.2.5-2.9 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46606
    P
    		MozillaFirefox-38.4.0esr-51.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48754
    P
    		pulseaudio-module-bluetooth-5.0-2.7 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46621
    P
    		avahi-0.6.31-20.59 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48526
    P
    		libmysqlclient18-10.0.27-12.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:69654
    P
    		Security update for nginx (Important)
    2021-06-02
    oval:org.opensuse.security:def:107102
    P
    		gpg2-2.2.5-4.14.4 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:116660
    P
    		gpg2-2.2.5-4.14.4 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:93723
    P
    		gpg2-2.2.5-4.14.4 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:71497
    P
    		gpg2-2.2.5-4.14.4 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:49054
    P
    		rhythmbox-3.4-6.14 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:61756
    P
    		gpg2-2.2.5-4.14.4 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:66403
    P
    		gpg2 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64180
    P
    		Security update for krb5 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:67614
    P
    		gpg2 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49108
    P
    		gpg2 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:66311
    P
    		Security update for MozillaThunderbird (Important)
    2020-12-01
    oval:org.opensuse.security:def:73094
    P
    		gpg2 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64267
    P
    		gpg2 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:67514
    P
    		Security update for libraw (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:72976
    P
    		Security update for ffmpeg (Important)
    2020-12-01
    oval:com.ubuntu.bionic:def:201892340000000
    V
    		CVE-2018-9234 on Ubuntu 18.04 LTS (bionic) - low.
    2018-04-04
    oval:com.ubuntu.xenial:def:201892340000000
    V
    		CVE-2018-9234 on Ubuntu 16.04 LTS (xenial) - low.
    2018-04-04
    oval:com.ubuntu.artful:def:20189234000
    V
    		CVE-2018-9234 on Ubuntu 17.10 (artful) - low.
    2018-04-03
    oval:com.ubuntu.bionic:def:20189234000
    V
    		CVE-2018-9234 on Ubuntu 18.04 LTS (bionic) - low.
    2018-04-03
    oval:com.ubuntu.trusty:def:20189234000
    V
    		CVE-2018-9234 on Ubuntu 14.04 LTS (trusty) - low.
    2018-04-03
    oval:com.ubuntu.xenial:def:20189234000
    V
    		CVE-2018-9234 on Ubuntu 16.04 LTS (xenial) - low.
    2018-04-03
    BACK
    gnupg gnupg 2.2.4
    gnupg gnupg 2.2.5
    canonical ubuntu linux 14.04
    canonical ubuntu linux 16.04
    canonical ubuntu linux 17.10
    canonical ubuntu linux 18.04
    gnupg gnupg 2.2.4
    gnupg gnupg 2.2.5
    ibm cloud pak for security 1.7.2.0