Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2016-2178 |
CWE-ID | CWE-203 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | openssl (Alpine package), Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU1589
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-2178
CWE-ID: CWE-203 - Observable discrepancy
Exploit availability: No
Description
The vulnerability allows a local user to perform a timing attack.
The vulnerability exists due to an error within the dsa_sign_setup() function in crypto/dsa/dsa_ossl.c. A local user can obtain a DSA private key via a timing side-channel attack.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
openssl (Alpine package): 1.0.1t-r0
External links
https://git.alpinelinux.org/aports/commit/?id=be71850614d4346dc7cd2243591ca908f4475a1d
https://git.alpinelinux.org/aports/commit/?id=38c6e1fd86f4d9cba4c146b8bdcd71f84e1a4ee7
https://git.alpinelinux.org/aports/commit/?id=510da6cf43e86bf53a64a018de95bd1e1621aee1
https://git.alpinelinux.org/aports/commit/?id=7d2ebac3c49c357dc1b35746dbd9c1bcbbcee2e0
https://git.alpinelinux.org/aports/commit/?id=d8e0efebf3c84cd361bc21b86aa763b373e87620
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.