CVE-2018-5407 - 漏洞详情

CVE-2018-5407 (CNNVD-201811-279)

MEDIUM 有利用代码

中文标题:

OpenSSL 信息泄露漏洞

英文标题:

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerab...

CVSS分数: 4.7

发布时间: 2018-11-15 21:00:00

漏洞类型: 信息泄露

状态: PUBLISHED

数据质量分数: 0.30

数据版本: v4

漏洞描述

中文描述:

OpenSSL是OpenSSL团队的一个开源的能够实现安全套接层（SSLv2/v3）和安全传输层（TLSv1）协议的通用加密库。该产品支持多种加密算法，包括对称密码、哈希算法、安全散列算法等。 OpenSSL中存在信息泄露漏洞。该漏洞源于网络系统或产品在运行过程中存在配置等错误。未授权的攻击者可利用漏洞获取受影响组件敏感信息。

英文描述:

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.

CWE类型:

CWE-203 CWE-200

受影响产品

厂商	产品	版本	版本范围	平台	CPE
N/A	Processors supporting Simultaneous Multi-Threading	N/A	-	-	`cpe:2.3:a:n_a:processors_supporting_simultaneous_multi-threading:n_a:::::::*`
canonical	ubuntu_linux	14.04	-	-	`cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::`
canonical	ubuntu_linux	16.04	-	-	`cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::`
canonical	ubuntu_linux	18.04	-	-	`cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::`
canonical	ubuntu_linux	18.10	-	-	`cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*`
debian	debian_linux	8.0	-	-	`cpe:2.3:o:debian:debian_linux:8.0:::::::*`
debian	debian_linux	9.0	-	-	`cpe:2.3:o:debian:debian_linux:9.0:::::::*`
nodejs	node.js	*	-	-	`cpe:2.3:a:nodejs:node.js::::::::`
openssl	openssl	*	-	-	`cpe:2.3:a:openssl:openssl::::::::`
tenable	nessus	*	-	-	`cpe:2.3:a:tenable:nessus::::::::`
oracle	api_gateway	11.1.2.4.0	-	-	`cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:::::::*`
oracle	application_server	0.9.8	-	-	`cpe:2.3:a:oracle:application_server:0.9.8:::::::*`
oracle	application_server	1.0.0	-	-	`cpe:2.3:a:oracle:application_server:1.0.0:::::::*`
oracle	application_server	1.0.1	-	-	`cpe:2.3:a:oracle:application_server:1.0.1:::::::*`
oracle	enterprise_manager_base_platform	12.1.0.5.0	-	-	`cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:::::::*`
oracle	enterprise_manager_base_platform	13.2.0.0.0	-	-	`cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:::::::*`
oracle	enterprise_manager_base_platform	13.3.0.0.0	-	-	`cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:::::::*`
oracle	enterprise_manager_ops_center	12.3.3	-	-	`cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:::::::*`
oracle	mysql_enterprise_backup	*	-	-	`cpe:2.3:a:oracle:mysql_enterprise_backup::::::::`
oracle	peoplesoft_enterprise_peopletools	8.55	-	-	`cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:::::::*`
oracle	peoplesoft_enterprise_peopletools	8.56	-	-	`cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:::::::*`
oracle	peoplesoft_enterprise_peopletools	8.57	-	-	`cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:::::::*`
oracle	primavera_p6_enterprise_project_portfolio_management	*	-	-	`cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::`
oracle	primavera_p6_enterprise_project_portfolio_management	8.4	-	-	`cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4:::::::*`
oracle	primavera_p6_enterprise_project_portfolio_management	15.1	-	-	`cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:::::::*`
oracle	primavera_p6_enterprise_project_portfolio_management	15.2	-	-	`cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:::::::*`
oracle	primavera_p6_enterprise_project_portfolio_management	16.1	-	-	`cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:::::::*`
oracle	primavera_p6_enterprise_project_portfolio_management	16.2	-	-	`cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:::::::*`
oracle	primavera_p6_enterprise_project_portfolio_management	18.8	-	-	`cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:::::::*`
oracle	tuxedo	12.1.1.0.0	-	-	`cpe:2.3:a:oracle:tuxedo:12.1.1.0.0:::::::*`
oracle	vm_virtualbox	*	-	-	`cpe:2.3:a:oracle:vm_virtualbox::::::::`
redhat	enterprise_linux_desktop	7.0	-	-	`cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*`
redhat	enterprise_linux_server	7.0	-	-	`cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*`
redhat	enterprise_linux_server	7.6	-	-	`cpe:2.3:o:redhat:enterprise_linux_server:7.6:::::::*`
redhat	enterprise_linux_server_aus	7.6	-	-	`cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*`
redhat	enterprise_linux_server_eus	7.6	-	-	`cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:::::::*`
redhat	enterprise_linux_server_tus	7.6	-	-	`cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*`
redhat	enterprise_linux_workstation	7.0	-	-	`cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*`

解决方案

中文解决方案:

（暂无数据）

英文解决方案:

（暂无数据）

临时解决方案:

（暂无数据）

参考链接

RHSA-2019:0483 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

USN-3840-1 vendor-advisory
cve.org

访问

DSA-4355 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

GLSA-201903-10 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

45785 exploit
cve.org

访问

[debian-lts-announce] 20181121 [SECURITY] [DLA 1586-1] openssl security update mailing-list
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

DSA-4348 vendor-advisory
cve.org

访问

105897 vdb-entry
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

RHSA-2019:0651 vendor-advisory
cve.org

访问

RHSA-2019:0652 vendor-advisory
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

RHSA-2019:2125 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

RHSA-2019:3929 vendor-advisory
cve.org

访问

RHSA-2019:3933 vendor-advisory
cve.org

访问

RHSA-2019:3931 vendor-advisory
cve.org

访问

RHSA-2019:3935 vendor-advisory
cve.org

访问

RHSA-2019:3932 vendor-advisory
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

ExploitDB EDB-45785 EXPLOIT
exploitdb

访问

Download Exploit EDB-45785 EXPLOIT
exploitdb

访问

CVE Reference: CVE-2018-5407 ADVISORY
cve.org

访问

CVSS评分详情

4.7

MEDIUM

CVSS向量: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS版本: 3.1

机密性

HIGH

完整性

NONE

可用性

NONE

时间信息

发布时间:

2018-11-15 21:00:00

修改时间:

2024-08-05 05:33:44

创建时间:

2025-11-11 15:35:19

更新时间:

2025-11-11 16:49:16

利用信息

此漏洞有可利用代码！

利用代码数量: 1

利用来源:

未知

数据源详情

数据源	记录ID	版本	提取时间
CVE	`cve_CVE-2018-5407`	2025-11-11 15:19:52	2025-11-11 07:35:19
NVD	`nvd_CVE-2018-5407`	2025-11-11 14:56:00	2025-11-11 07:43:53
CNNVD	`cnnvd_CNNVD-201811-279`	2025-11-11 15:10:07	2025-11-11 07:54:07
EXPLOITDB	`exploitdb_EDB-45785`	2025-11-11 15:05:22	2025-11-11 08:49:16

版本与语言

当前版本: v4

主要语言: EN

支持语言:

EN ZH

其他标识符:

安全公告

暂无安全公告信息

变更历史

v4 EXPLOITDB

2025-11-11 16:49:16

references_count: 28 → 31; tags_count: 0 → 3; data_sources: ['cnnvd', 'cve', 'nvd'] → ['cnnvd', 'cve', 'exploitdb', 'nvd']

查看详细变更

references_count: 28 -> 31
tags_count: 0 -> 3
data_sources: ['cnnvd', 'cve', 'nvd'] -> ['cnnvd', 'cve', 'exploitdb', 'nvd']

v3 CNNVD

2025-11-11 15:54:07

vulnerability_type: 未提取 → 信息泄露; cnnvd_id: 未提取 → CNNVD-201811-279; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']

查看详细变更

vulnerability_type: 未提取 -> 信息泄露
cnnvd_id: 未提取 -> CNNVD-201811-279
data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']

v2 NVD

2025-11-11 15:43:53

cvss_score: 未提取 → 4.7; cvss_vector: NOT_EXTRACTED → CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N; cvss_version: NOT_EXTRACTED → 3.1; affected_products_count: 1 → 38; data_sources: ['cve'] → ['cve', 'nvd']

查看详细变更

cvss_score: 未提取 -> 4.7
cvss_vector: NOT_EXTRACTED -> CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss_version: NOT_EXTRACTED -> 3.1
affected_products_count: 1 -> 38
data_sources: ['cve'] -> ['cve', 'nvd']

CVE-2018-5407 (CNNVD-201811-279)

中文标题:

OpenSSL 信息泄露漏洞

英文标题:

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerab...

漏洞描述

中文描述:

英文描述:

CWE类型:

标签:

受影响产品

解决方案

中文解决方案:

英文解决方案:

临时解决方案:

参考链接

CVSS评分详情

时间信息

利用信息

数据源详情

版本与语言

安全公告

变更历史