Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5.5
CVSSv3

CVE-2016-7056

Published: 10/09/2018 Updated: 12/02/2023
CVSS v2 Base Score: 2.1 | Impact Score: 2.9 | Exploitability Score: 3.9
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 187
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
Subscribe to Openssl

Vulnerability Summary

A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

openssl openssl

debian debian linux 8.0

debian debian linux 9.0

redhat enterprise linux 7.0

redhat enterprise linux 6.0

canonical ubuntu linux 14.04

canonical ubuntu linux 12.04

Vendor Advisories

Ubuntu Security Notice: openssl vulnerabilities
Several security issues were fixed in OpenSSL ...
Debian Security Advisories: DSA-3773-1 openssl -- security update
Several vulnerabilities were discovered in OpenSSL: CVE-2016-7056 A local timing attack was discovered against ECDSA P-256 CVE-2016-8610 It was discovered that no limit was imposed on alert packets during an SSL handshake CVE-2017-3731 Robert Swiecki discovered that the RC4-MD5 cipher when running on 32 bit systems could be f ...
Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 7
Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2423 Service Pack 1 for RHEL 7 Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Core Services on RHEL 7Red Hat Product Security has rated this update as having a security impact of Important A ...
Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 6
Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2423 Service Pack 1 for RHEL 6 Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Core Services on RHEL 6Red Hat Product Security has rated this update as having a security impact of Important A ...
Red Hat: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update
Synopsis Important: Red Hat JBoss Web Server 310 Service Pack 1 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31 for RHEL 6 and Red Hat JBoss Web Server 31 for RHEL 7Red Hat Product Security has rated this update as having a sec ...
Red Hat: Important: Red Hat JBoss Web Server Service Pack 1 security update
Synopsis Important: Red Hat JBoss Web Server Service Pack 1 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring Sys ...
Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1
Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2423 Service Pack 1 Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Core ServicesRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability ...
Red Hat: CVE-2016-7056
A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys ...
Arch Linux Issues:
The signing function in crypto/ecdsa/ecdsa_osslc in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code pa ...

References

CWE-385https://seclists.org/oss-sec/2017/q1/52https://eprint.iacr.org/2016/1195https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7056https://www.debian.org/security/2017/dsa-3773https://access.redhat.com/errata/RHSA-2017:1802https://access.redhat.com/errata/RHSA-2017:1801https://access.redhat.com/errata/RHSA-2017:1414https://access.redhat.com/errata/RHSA-2017:1413http://www.securitytracker.com/id/1037575http://www.securityfocus.com/bid/95375http://rhn.redhat.com/errata/RHSA-2017-1415.htmlhttps://security-tracker.debian.org/tracker/CVE-2016-7056https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7056.htmlhttps://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sighttps://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sighttps://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=8aed2a7548362e88e84a7feb795a3a97e8395008https://nvd.nist.govhttps://usn.ubuntu.com/3181-1/
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-38298CVE-2024-20356CVE-2023-21987CVE-2024-33217bypassCVE-2024-31804CVE-2024-32660unauthorizedSSRF
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook