Information Exposure

The advisory has been revoked - it doesn't affect any version of package openjdk-11


    Threat Intelligence

    EPSS 0.07% (30th percentile)
    NVD 4.9 medium

  • Snyk ID SNYK-DEBIAN10-OPENJDK11-263258
  • published 15 Jun 2018
  • disclosed 15 Jun 2018

Amendment

The Debian security team deemed this advisory irrelevant for Debian:10.

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk-11 package and not the openjdk-11 package as distributed by Debian.

The Elliptic Curve Cryptography library (aka sunec or libsunec) allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.