Findings for Container Security, Medium, [TheRedHatter/javagoof:Dockerfile]:Use of a Broken or Risky Cryptographic Algorithm
Created by: armorcodegithubpreprod[bot]
Findings for Container Security, Medium, [TheRedHatter/javagoof:Dockerfile]:Use of a Broken or Risky Cryptographic Algorithm
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.7.6-2+deb9u4
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libgcrypt20
package.
See How to fix?
for Debian:9
relevant versions.
The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><3.5.8-5+deb9u4
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream gnutls28
package.
See How to fix?
for Debian:9
relevant versions.
A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.
References
- CONFIRM
- Debian Security Announcement
- Debian Security Tracker
- FEDORA
- FEDORA
- MISC
- RedHat Bugzilla Bug
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.1.0j-1~deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream openssl
package.
See How to fix?
for Debian:9
relevant versions.
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
References
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Fedora Security Update
- Fedora Security Update
- Fedora Security Update
- Gentoo Security Advisory
- N/A
- Netapp Security Advisory
- OpenSSL Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- REDHAT
- REDHAT
- REDHAT
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.1.0j-1~deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream openssl
package.
See How to fix?
for Debian:9
relevant versions.
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
References
- CONFIRM
- CONFIRM
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- MISC
- Netapp Security Advisory
- OpenSSL Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- REDHAT
- Security Focus
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2:3.26.2-1.1+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream nss
package.
See How to fix?
for Debian:9
relevant versions.
During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><3.5.8-5+deb9u4
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream gnutls28
package.
See How to fix?
for Debian:9
relevant versions.
It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.
References
- CONFIRM
- Debian Security Announcement
- Debian Security Tracker
- FEDORA
- FEDORA
- MISC
- RedHat Bugzilla Bug
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.1.0j-1~deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream openssl
package.
See How to fix?
for Debian:9
relevant versions.
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
References
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Advisory
- Debian Security Tracker
- FEDORA
- FEDORA
- FEDORA
- MISC
- MISC
- N/A
- Netapp Security Advisory
- Netapp Security Advisory
- Netapp Security Advisory
- OpenSSL Security Advisory
- OpenSuse Security Announcement
- Oracle Security Advisory
- Oracle Security Advisory
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- Security Focus
- SUSE
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2:3.26.2-1.1+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream nss
package.
See How to fix?
for Debian:9
relevant versions.
During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. Note: An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><3.5.8-5+deb9u4
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream gnutls28
package.
See How to fix?
for Debian:9
relevant versions.
It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.
References
- CONFIRM
- Debian Security Announcement
- Debian Security Tracker
- FEDORA
- FEDORA
- MISC
- RedHat Bugzilla Bug
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.0.2q-1~deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream openssl1.0
package.
See How to fix?
for Debian:9
relevant versions.
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
References
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Fedora Security Update
- Fedora Security Update
- Fedora Security Update
- Gentoo Security Advisory
- N/A
- Netapp Security Advisory
- OpenSSL Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- REDHAT
- REDHAT
- REDHAT
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.0.2q-1~deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream openssl1.0
package.
See How to fix?
for Debian:9
relevant versions.
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
References
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Advisory
- Debian Security Tracker
- FEDORA
- FEDORA
- FEDORA
- MISC
- MISC
- N/A
- Netapp Security Advisory
- Netapp Security Advisory
- Netapp Security Advisory
- OpenSSL Security Advisory
- OpenSuse Security Announcement
- Oracle Security Advisory
- Oracle Security Advisory
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- Security Focus
- SUSE
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active