{"containers": {"cna": {"affected": [{"product": "openssl", "vendor": "The OpenSSL Project", "versions": [{"status": "affected", "version": "openssl 1.0.1u"}]}], "datePublic": "2017-01-10T00:00:00", "descriptions": [{"lang": "en", "value": "A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-385", "description": "CWE-385", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-09-11T20:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://eprint.iacr.org/2016/1195"}, {"name": "RHSA-2017:1801", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1801"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=8aed2a7548362e88e84a7feb795a3a97e8395008"}, {"name": "RHSA-2017:1413", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1413"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig"}, {"name": "1037575", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037575"}, {"name": "RHSA-2017:1414", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1414"}, {"name": "[oss-security] 20170110 CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://seclists.org/oss-sec/2017/q1/52"}, {"name": "DSA-3773", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2017/dsa-3773"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7056"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7056.html"}, {"name": "95375", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95375"}, {"name": "RHSA-2017:1415", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-1415.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sig"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security-tracker.debian.org/tracker/CVE-2016-7056"}, {"name": "RHSA-2017:1802", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1802"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:50:46.703Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://eprint.iacr.org/2016/1195"}, {"name": "RHSA-2017:1801", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1801"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=8aed2a7548362e88e84a7feb795a3a97e8395008"}, {"name": "RHSA-2017:1413", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1413"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig"}, {"name": "1037575", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037575"}, {"name": "RHSA-2017:1414", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1414"}, {"name": "[oss-security] 20170110 CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://seclists.org/oss-sec/2017/q1/52"}, {"name": "DSA-3773", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2017/dsa-3773"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7056"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7056.html"}, {"name": "95375", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95375"}, {"name": "RHSA-2017:1415", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-1415.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sig"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security-tracker.debian.org/tracker/CVE-2016-7056"}, {"name": "RHSA-2017:1802", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1802"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-7056", "datePublished": "2018-09-10T16:00:00", "dateReserved": "2016-08-23T00:00:00", "dateUpdated": "2024-08-06T01:50:46.703Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8171E97-CCEE-4CE4-8BEE-472FCE7ABCD8", "versionEndIncluding": "1.0.1u", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys."}, {"lang": "es", "value": "Se ha encontrado un error de ataque de sincronizaci\u00f3n en OpenSSL, en versiones 1.0.1u y anteriores, que podr\u00eda permitir que un usuario malicioso con acceso local recupere claves privadas ECDSA P-256"}], "id": "CVE-2016-7056", "lastModified": "2023-02-12T23:25:16.890", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2018-09-10T16:29:00.543", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-1415.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95375"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1037575"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1413"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1414"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1801"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1802"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7056"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://eprint.iacr.org/2016/1195"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sig"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig"}, {"source": "secalert@redhat.com", "url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=8aed2a7548362e88e84a7feb795a3a97e8395008"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7056.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/oss-sec/2017/q1/52"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory", "VDB Entry"], "url": "https://security-tracker.debian.org/tracker/CVE-2016-7056"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-3773"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-385"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-320"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2017:1414", "cpe": "cpe:/a:redhat:jboss_core_services:1::el6", "package": "jbcs-httpd24-httpd-0:2.4.23-120.jbcs.el6", "product_name": "JBoss Core Services on RHEL 6", "release_date": "2017-06-07T00:00:00Z"}, {"advisory": "RHSA-2017:1414", "cpe": "cpe:/a:redhat:jboss_core_services:1::el6", "package": "jbcs-httpd24-mod_security-0:2.9.1-19.GA.jbcs.el6", "product_name": "JBoss Core Services on RHEL 6", "release_date": "2017-06-07T00:00:00Z"}, {"advisory": "RHSA-2017:1414", "cpe": "cpe:/a:redhat:jboss_core_services:1::el6", "package": "jbcs-httpd24-openssl-1:1.0.2h-13.jbcs.el6", "product_name": "JBoss Core Services on RHEL 6", "release_date": "2017-06-07T00:00:00Z"}, {"advisory": "RHSA-2017:1413", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.23-120.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2017-06-07T00:00:00Z"}, {"advisory": "RHSA-2017:1413", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_security-0:2.9.1-19.GA.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2017-06-07T00:00:00Z"}, {"advisory": "RHSA-2017:1413", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-1:1.0.2h-13.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2017-06-07T00:00:00Z"}, {"advisory": "RHBA-2017:1929", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "openssl-1:1.0.2k-8.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-08-01T00:00:00Z"}, {"advisory": "RHSA-2017:1415", "cpe": "cpe:/a:redhat:jboss_core_services:1", "product_name": "Red Hat JBoss Core Services 1", "release_date": "2017-06-07T00:00:00Z"}, {"advisory": "RHSA-2017:1802", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1", "product_name": "Red Hat JBoss Web Server 3.1", "release_date": "2017-07-25T00:00:00Z"}, {"advisory": "RHSA-2017:1801", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package": "log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el6", "product_name": "Red Hat JBoss Web Server 3 for RHEL 6", "release_date": "2017-07-25T00:00:00Z"}, {"advisory": "RHSA-2017:1801", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package": "tomcat7-0:7.0.70-22.ep7.el6", "product_name": "Red Hat JBoss Web Server 3 for RHEL 6", "release_date": "2017-07-25T00:00:00Z"}, {"advisory": "RHSA-2017:1801", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package": "tomcat8-0:8.0.36-24.ep7.el6", "product_name": "Red Hat JBoss Web Server 3 for RHEL 6", "release_date": "2017-07-25T00:00:00Z"}, {"advisory": "RHSA-2017:1801", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package": "tomcat-native-0:1.2.8-10.redhat_10.ep7.el6", "product_name": "Red Hat JBoss Web Server 3 for RHEL 6", "release_date": "2017-07-25T00:00:00Z"}, {"advisory": "RHSA-2017:1801", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package": "log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el7", "product_name": "Red Hat JBoss Web Server 3 for RHEL 7", "release_date": "2017-07-25T00:00:00Z"}, {"advisory": "RHSA-2017:1801", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package": "tomcat7-0:7.0.70-22.ep7.el7", "product_name": "Red Hat JBoss Web Server 3 for RHEL 7", "release_date": "2017-07-25T00:00:00Z"}, {"advisory": "RHSA-2017:1801", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package": "tomcat8-0:8.0.36-24.ep7.el7", "product_name": "Red Hat JBoss Web Server 3 for RHEL 7", "release_date": "2017-07-25T00:00:00Z"}, {"advisory": "RHSA-2017:1801", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package": "tomcat-native-0:1.2.8-10.redhat_10.ep7.el7", "product_name": "Red Hat JBoss Web Server 3 for RHEL 7", "release_date": "2017-07-25T00:00:00Z"}], "bugzilla": {"description": "openssl: ECDSA P-256 timing attack key recovery", "id": "1412120", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412120"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-385", "details": ["A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.", "A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys."], "name": "CVE-2016-7056", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "openssl097a", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "openssl098e", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "openssl098e", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:enterprise_linux:7::hypervisor", "fix_state": "Will not fix", "package_name": "mingw-virt-viewer", "product_name": "Red Hat Enterprise Virtualization 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:2", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Web Server 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Fix deferred", "package_name": "openssl", "product_name": "Red Hat JBoss Web Server 3"}], "public_date": "2017-01-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-7056\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-7056"], "statement": "In order to exploit this flaw, the attacker needs to be have local (shell) access to the machine where the message is being signed using the ECDSA algorithm with a P-256 elliptic curve key. Then using cache timing attacks (which needs precise timing), on multiple signature runs, the private key could be obtained. Based on the factor that exploitation is difficult, Red Hat Product Security Team has rated this flaw as having Moderate impact. A further security release may address this flaw.", "threat_severity": "Moderate"}