Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2018-3639 |
CWE-ID | CWE-362 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software Subscribe |
openjdk8 (Alpine package) Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU12911
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-3639
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The weakness exists due to race conditions in CPU cache processing. A local attacker can conduct a side-channel attack to exploit a flaw in the speculative execution of Load and Store instructions to read privileged memory.
Note: the vulnerability is referred to as "Spectre variant 4".
Install update from vendor's website.
Vulnerable software versionsopenjdk8 (Alpine package): 8.171.11-r0 - 8.171.11-r2
CPE2.3http://git.alpinelinux.org/aports/commit/?id=ded1603ed10749cd90f410f5eba30e91d1c93c6e
http://git.alpinelinux.org/aports/commit/?id=a062ffc9e8b823fecbae65d23dae5f9c4b72b7f9
http://git.alpinelinux.org/aports/commit/?id=abd4eb399ba5d7a42b64764eded97622c6be29c2
http://git.alpinelinux.org/aports/commit/?id=b40f23f8d0765c072759e2a479ed8d550deab9aa
http://git.alpinelinux.org/aports/commit/?id=0a5db24a9098c540a6a120e62a594f36b5218a26
http://git.alpinelinux.org/aports/commit/?id=74dce6e0451466b8eb5078660886cc226f9704f4
http://git.alpinelinux.org/aports/commit/?id=66ff4f8a6b71dd204bc568c21c45941d612402c2
http://git.alpinelinux.org/aports/commit/?id=bafb572dda2d0814641af68fa0cceff256bc3705
http://git.alpinelinux.org/aports/commit/?id=519be0a2d18ff557306f965c717c58763d8e711a
http://git.alpinelinux.org/aports/commit/?id=afa60b4355e66c59078ac08cf7997c5f9c4d9f48
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.