CVE-2018-5407 - OpenCVE

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Physical

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Nodejs	Node.js
Openssl	Openssl
Oracle	Api Gateway Application Server Enterprise Manager Base Platform Enterprise Manager Ops Center Mysql Enterprise Backup Peoplesoft Enterprise Peopletools Primavera P6 Enterprise Project Portfolio Management Tuxedo Vm Virtualbox
Redhat	Enterprise Linux Enterprise Linux Desktop Enterprise Linux Server Enterprise Linux Server Aus Enterprise Linux Server Eus Enterprise Linux Server Tus Enterprise Linux Workstation Jboss Core Services Jboss Enterprise Web Server
Tenable	Nessus

Configuration 1 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:nodejs:node.js::::::::
	cpe:2.3:a:nodejs:node.js::::::::
	cpe:2.3:a:nodejs:node.js::::::::

Configuration 4 [-]

OR	cpe:2.3:a:openssl:openssl::::::::
	cpe:2.3:a:openssl:openssl::::::::

Configuration 5 [-]

cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*

Configuration 6 [-]

OR	cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:::::::*
	cpe:2.3:a:oracle:application_server:0.9.8:::::::*
	cpe:2.3:a:oracle:application_server:1.0.0:::::::*
	cpe:2.3:a:oracle:application_server:1.0.1:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:::::::*
	cpe:2.3:a:oracle:mysql_enterprise_backup::::::::
	cpe:2.3:a:oracle:mysql_enterprise_backup::::::::
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:::::::*
	cpe:2.3:a:oracle:tuxedo:12.1.1.0.0:::::::*
	cpe:2.3:a:oracle:vm_virtualbox::::::::

Configuration 7 [-]

OR	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Package	CPE	Advisory	Released Date
JBoss Core Services on RHEL 6
jbcs-httpd24-apr-0:1.6.3-63.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2019:3932	2019-11-20T00:00:00Z
jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2019:3932	2019-11-20T00:00:00Z
jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2019:3932	2019-11-20T00:00:00Z
jbcs-httpd24-curl-0:7.64.1-14.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2019:3932	2019-11-20T00:00:00Z
jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2019:3932	2019-11-20T00:00:00Z
jbcs-httpd24-jansson-0:2.11-20.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2019:3932	2019-11-20T00:00:00Z
jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2019:3932	2019-11-20T00:00:00Z
jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2019:3932	2019-11-20T00:00:00Z
jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2019:3932	2019-11-20T00:00:00Z
jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2019:3932	2019-11-20T00:00:00Z
jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2019:3932	2019-11-20T00:00:00Z
JBoss Core Services on RHEL 7
jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2019:3933	2019-11-20T00:00:00Z
jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2019:3933	2019-11-20T00:00:00Z
jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2019:3933	2019-11-20T00:00:00Z
jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2019:3933	2019-11-20T00:00:00Z
jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2019:3933	2019-11-20T00:00:00Z
jbcs-httpd24-jansson-0:2.11-20.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2019:3933	2019-11-20T00:00:00Z
jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2019:3933	2019-11-20T00:00:00Z
jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2019:3933	2019-11-20T00:00:00Z
jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2019:3933	2019-11-20T00:00:00Z
jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2019:3933	2019-11-20T00:00:00Z
jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2019:3933	2019-11-20T00:00:00Z
Red Hat Enterprise Linux 7
openssl-1:1.0.2k-16.el7_6.1	cpe:/o:redhat:enterprise_linux:7	RHSA-2019:0483	2019-03-13T00:00:00Z
ovmf-0:20180508-6.gitee3198e672e2.el7	cpe:/o:redhat:enterprise_linux:7	RHSA-2019:2125	2019-08-06T00:00:00Z
Red Hat JBoss Core Services 1
openssl	cpe:/a:redhat:jboss_core_services:1	RHSA-2019:3935	2019-11-20T00:00:00Z
Red Hat JBoss Web Server 5
openssl	cpe:/a:redhat:jboss_enterprise_web_server:5.2	RHSA-2019:3931	2019-11-20T00:00:00Z
Red Hat JBoss Web Server 5.2 on RHEL 6
jws5-ecj-0:4.12.0-1.redhat_1.1.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-javapackages-tools-0:3.4.1-5.15.11.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-0:9.0.21-10.redhat_4.1.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-native-0:1.2.21-34.redhat_34.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
Red Hat JBoss Web Server 5.2 on RHEL 7
jws5-ecj-0:4.12.0-1.redhat_1.1.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-javapackages-tools-0:3.4.1-5.15.11.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-0:9.0.21-10.redhat_4.1.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-native-0:1.2.21-34.redhat_34.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
Red Hat JBoss Web Server 5.2 on RHEL 8
jws5-ecj-0:4.12.0-1.redhat_1.1.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-javapackages-tools-0:3.4.1-5.15.11.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-0:9.0.21-10.redhat_4.1.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-native-0:1.2.21-34.redhat_34.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
imgbased-0:1.1.7-0.1.el7ev	cpe:/o:redhat:enterprise_linux:7::hypervisor	RHBA-2019:1053	2019-05-08T00:00:00Z
ovirt-node-ng-0:4.3.0-0.20181213.0.el7ev	cpe:/o:redhat:enterprise_linux:7::hypervisor	RHBA-2019:1053	2019-05-08T00:00:00Z
redhat-release-virtualization-host-0:4.3-0.5.el7	cpe:/o:redhat:enterprise_linux:7::hypervisor	RHBA-2019:1053	2019-05-08T00:00:00Z
redhat-virtualization-host-0:4.3-20190409.0.el7_6	cpe:/o:redhat:enterprise_linux:7::hypervisor	RHBA-2019:1053	2019-05-08T00:00:00Z
rhvm-appliance-0:4.3-20190409.0.el7	cpe:/o:redhat:enterprise_linux:7::hypervisor	RHBA-2019:1088	2019-05-08T00:00:00Z

References

Link	Providers
http://www.securityfocus.com/bid/105897
https://access.redhat.com/errata/RHSA-2019:0483
https://access.redhat.com/errata/RHSA-2019:0651
https://access.redhat.com/errata/RHSA-2019:0652
https://access.redhat.com/errata/RHSA-2019:2125
https://access.redhat.com/errata/RHSA-2019:3929
https://access.redhat.com/errata/RHSA-2019:3931
https://access.redhat.com/errata/RHSA-2019:3932
https://access.redhat.com/errata/RHSA-2019:3933
https://access.redhat.com/errata/RHSA-2019:3935
https://eprint.iacr.org/2018/1060.pdf
https://github.com/bbbrumley/portsmash
https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2018-5407
https://security.gentoo.org/glsa/201903-10
https://security.netapp.com/advisory/ntap-20181126-0001/
https://support.f5.com/csp/article/K49711130?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/3840-1/
https://www.cve.org/CVERecord?id=CVE-2018-5407
https://www.debian.org/security/2018/dsa-4348
https://www.debian.org/security/2018/dsa-4355
https://www.exploit-db.com/exploits/45785/
https://www.openssl.org/news/secadv/20181112.txt
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.tenable.com/security/tns-2018-16
https://www.tenable.com/security/tns-2018-17

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2018-11-15T21:00:00

Updated: 2024-08-05T05:33:44.232Z

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5407

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-11-15T21:29:00.233

Modified: 2023-11-07T02:58:42.920

Link: CVE-2018-5407

Redhat

Severity : Moderate

Publid Date: 2018-10-30T00:00:00Z

Links: CVE-2018-5407 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Physical

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Physical

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object