CVE-2016-0702 - Medium Severity Vulnerability
Vulnerable Library - openssl OpenSSL_1_0_1i
TLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: archived-io.js-v0.10
Vulnerable Source Files (1)
node/deps/openssl/openssl/crypto/bn/bn_exp.c
Vulnerability Details
The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.
Publish Date: 2016-03-03
URL: CVE-2016-0702
CVSS 3 Score Details (5.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0702
Release Date: 2016-03-03
Fix Resolution: 1.0.1s,1.0.2g