CVE-2018-0737

Description

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).

How to fix CVE-2018-0737

To remediate CVE-2018-0737, upgrade the affected package to a fixed version below.

—upgrade to 1.0.2o-r1 or later
—upgrade to 1.1.0h-3 or later

Is CVE-2018-0737 being exploited?

Moderate — EPSS is 38.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 1.0.2o-r1
from 0, < 1.1.0h-3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2018-0737
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-0737