Vulnerability in The Openssl Project
CVE-2016-7056
A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.
EPSS: 0.002 (38.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.5 (Medium). Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.
Affected products
- The Openssl Project — versions openssl 1.0.1u
Weakness classification (CWE)
Public proof-of-concept exploits
References
- eprint.iacr.org/2016/1195 (x_refsource_MISC)
- RHSA-2017:1801 (x_refsource_REDHAT, vendor-advisory)
- git.openssl.org/ (x_refsource_CONFIRM)
- RHSA-2017:1413 (x_refsource_REDHAT, vendor-advisory)
- ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig (x_refsource_CONFIRM)
- 1037575 (vdb-entry, x_refsource_SECTRACK)
- RHSA-2017:1414 (x_refsource_REDHAT, vendor-advisory)
- [oss-security] 20170110 CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) (mailing-list, x_refsource_MLIST)
- DSA-3773 (vendor-advisory, x_refsource_DEBIAN)
- bugzilla.redhat.com/show_bug.cgi (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2016-7056?
- CVE-2016-7056 is a medium-severity vulnerability in The Openssl Project, classified under CWE-385. CVSS score: 5.5/10. Published 2018-09-10.
- How severe is CVE-2016-7056?
- Medium severity. CVSS v3 base score is 5.5 out of 10.
- Is CVE-2016-7056 known to be exploited?
- 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.