CVE-ID

CVE-2003-0147

• Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings
Description
OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Date Entry Created
20030314 Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (20071129)
Votes (Legacy)
ACCEPT(4) Baker, Cole, Green, Wall
MODIFY(1) Cox
NOOP(1) Christey
Comments (Legacy)
 Christey> ENGARDE:ESA-20030320-010
   BUGTRAQ:20030320 [OpenPKG-SA-2003.026] OpenPKG Security Advisory (openssl)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104819602408063&w=2
 Christey> FREEBSD:FreeBSD-SA-03:06.openssl
 Cox> Addref:http://www.openssl.org/news/secadv_20030317.txt
 Christey> MANDRAKE:MDKSA-2003:035
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:035
 Christey> BUGTRAQ:20030325 GLSA:  stunnel (200303-24)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104861762028637&w=2
   
   Need to change desc to include stunnel
 Cox> REDHAT:RHSA-2003:102
   URL:http://www.redhat.com/support/errata/RHSA-2003-102.html
 Cox> REDHAT:RHSA-2003:101
   URL:http://www.redhat.com/support/errata/RHSA-2003-101.html
 Christey> CONECTIVA:CLA-2003:625
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000625
 Christey> DEBIAN:DSA-288
   URL:http://www.debian.org/security/2003/dsa-288
 Christey> MANDRAKE:MDKSA-2003:035
   (as suggested by Vincent Danen of Mandrake)
 Christey> SGI:20030501-01-I
   URL:ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I
 Christey> REDHAT:RHSA-2003:205
 Christey> CERT-VN:VU#997481
   URL:http://www.kb.cert.org/vuls/id/997481

Proposed (Legacy)
20030317
This is an entry on the CVE list, which standardizes names for security problems.