{
  "threat_severity" : "Moderate",
  "public_date" : "2017-01-10T00:00:00Z",
  "bugzilla" : {
    "description" : "openssl: ECDSA P-256 timing attack key recovery",
    "id" : "1412120",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1412120"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-385",
  "details" : [ "A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.", "A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys." ],
  "statement" : "In order to exploit this flaw, the attacker needs to have local (shell) access to the machine where the message is being signed using the ECDSA algorithm with a P-256 elliptic curve key. Then, using cache timing attacks (which need precise timing) on multiple signature runs, the private key could be obtained. Because exploitation is difficult, Red Hat Product Security Team has rated this flaw as having Moderate impact. A further security release may address this flaw.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1414",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-httpd-0:2.4.23-120.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1414",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_security-0:2.9.1-19.GA.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1414",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-openssl-1:1.0.2h-13.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1413",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.23-120.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1413",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_security-0:2.9.1-19.GA.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1413",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-openssl-1:1.0.2h-13.jbcs.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-08-01T00:00:00Z",
    "advisory" : "RHBA-2017:1929",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "openssl-1:1.0.2k-8.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3.1",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1802",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat7-0:7.0.70-22.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat8-0:8.0.36-24.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat-native-0:1.2.8-10.redhat_10.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat7-0:7.0.70-22.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat8-0:8.0.36-24.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat-native-0:1.2.8-10.redhat_10.ep7.el7"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1415",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "openssl097a",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "openssl098e",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "openssl098e",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Virtualization 3",
    "fix_state" : "Will not fix",
    "package_name" : "mingw-virt-viewer",
    "cpe" : "cpe:/a:redhat:enterprise_linux:7::hypervisor"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1",
    "fix_state" : "Will not fix",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Not affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Fix deferred",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-7056\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-7056" ],
  "name" : "CVE-2016-7056",
  "csaw" : false
}