CVE-2018-10846

Published: 8/22/2018 Last updated: 8/5/2024 Reserved: 5/9/2018

A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.0	5.3	Medium	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Opam packages affected (5)

conf-gnutls conf-mingw-w64-gnutls-i686 conf-mingw-w64-gnutls-x86_64 conf-srt conf-srt-gnutls

Products affected (1)

Product	Vendor	Version
gnutls	[UNKNOWN]	n/a

References (20)

https://eprint.iacr.org/2018/747
https://gitlab.com/gnutls/gnutls/merge_requests/657
https://access.redhat.com/errata/RHSA-2018:3505
http://www.securityfocus.com/bid/105138
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10846
https://access.redhat.com/errata/RHSA-2018:3050
https://lists.debian.org/debian-lts-announce/2018/10/msg00022.html
https://usn.ubuntu.com/3999-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/
https://eprint.iacr.org/2018/747
https://gitlab.com/gnutls/gnutls/merge_requests/657
https://access.redhat.com/errata/RHSA-2018:3505
http://www.securityfocus.com/bid/105138
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10846
https://access.redhat.com/errata/RHSA-2018:3050
https://lists.debian.org/debian-lts-announce/2018/10/msg00022.html
https://usn.ubuntu.com/3999-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/