{ "threat_severity" : "Low", "public_date" : "2015-01-08T00:00:00Z", "bugzilla" : { "description" : "openssl: Bignum squaring may produce incorrect results", "id" : "1180240", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1180240" }, "cvss" : { "cvss_base_score" : "2.6", "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:N/A:N", "status" : "verified" }, "cvss3" : { "cvss3_base_score" : "3.7", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status" : "verified" }, "details" : [ "The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.", "It was found that OpenSSL's BigNumber Squaring implementation could produce incorrect results under certain special conditions. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. Note that this issue occurred rarely and with a low probability, and there is currently no known way of exploiting it." ], "statement" : "This issue affects the version of openssl098e as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Low security impact and does not plan to address this flaw for the above components in any future security updates.\nThis issue affects the version of openssl and openssl097a as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2015-01-21T00:00:00Z", "advisory" : "RHSA-2015:0066", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "openssl-0:1.0.1e-30.el6_6.5" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2015-01-21T00:00:00Z", "advisory" : "RHSA-2015:0066", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "openssl-1:1.0.1e-34.el7_0.7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4", "release_date" : "2015-04-16T00:00:00Z", "advisory" : "RHSA-2015:0849", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6.4" }, { "product_name" : "Red Hat JBoss Web Server 2.1", "release_date" : "2016-08-22T00:00:00Z", "advisory" : "RHSA-2016:1650", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2.1", "package" : "openssl" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Affected", "package_name" : "openssl", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Will not fix", "package_name" : "openssl097a", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Will not fix", "package_name" : "openssl098e", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Will not fix", "package_name" : "openssl098e", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Affected", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1", "fix_state" : "Will not fix", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1" }, { "product_name" : "Red Hat Storage 2.1", "fix_state" : "Affected", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:storage:2.1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-3570\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3570\nhttps://www.openssl.org/news/secadv_20150108.txt" ], "name" : "CVE-2014-3570", "csaw" : false }