Bug 1060433 (CVE-2017-14737) - VUL-0: CVE-2017-14737: Botan: A cryptographic cache-based side channel in the RSA implementation allows local attacker to recover information about RSA secret keys.
Summary: VUL-0: CVE-2017-14737: Botan: A cryptographic cache-based side channel in the...
Status: RESOLVED FIXED
Alias: CVE-2017-14737
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/192499/
Whiteboard: CVSSv2:SUSE:CVE-2017-14737:1.0:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-26 11:55 UTC by Victor Pereira
Modified: 2024-05-22 14:23 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Victor Pereira 2017-09-26 11:55:30 UTC
CVE-2017-14737

A cryptographic cache-based side channel in the RSA implementation in Botan
before 1.10.17, and 1.11.x and 2.x before 2.3.0, allows a local attacker to
recover information about RSA secret keys, as demonstrated by CacheD. This
occurs because an array is indexed with bits derived from a secret key.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14737
https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-shuai
https://github.com/randombit/botan/issues/1222
Comment 5 Swamp Workflow Management 2017-10-26 13:09:13 UTC
SUSE-SU-2017:2855-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1060433
CVE References: CVE-2017-14737
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    Botan-1.10.9-4.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    Botan-1.10.9-4.3.1
Comment 11 Jason Sikes 2022-08-26 04:46:55 UTC
SLE 11 is EOL. Assigning to Security Team.
Comment 12 Jason Sikes 2022-09-07 20:36:46 UTC
My mistake. SLE11 is *not* EOL. Reassigning to me.

(In reply to Jason Sikes from comment #11)
> SLE 11 is EOL. Assigning to Security Team.
Comment 13 Jason Sikes 2022-09-08 21:45:23 UTC
My mistake again. We don't maintain Botan in SLE-11. Reassigning back to security-team.

(In reply to Jason Sikes from comment #12)
> My mistake. SLE11 is *not* EOL. Reassigning to me.
> 
> (In reply to Jason Sikes from comment #11)
> > SLE 11 is EOL. Assigning to Security Team.
Comment 14 Andrea Mattiazzo 2024-05-22 14:23:35 UTC
All done, closing.