CVE-2018-12438

Publication date 15 June 2018

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

The Elliptic Curve Cryptography library (aka sunec or libsunec) allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openjdk-7	22.04 LTS jammy	Not in release
	21.10 impish	Not in release
	21.04 hirsute	Not in release
	20.10 groovy	Not in release
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
openjdk-8	22.04 LTS jammy	Not affected
	21.10 impish	Not affected
	21.04 hirsute	Not affected
	20.10 groovy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not in release
openjdk-lts	22.04 LTS jammy	Not affected
	21.10 impish	Not affected
	21.04 hirsute	Not affected
	20.10 groovy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release

Notes

mdeslaur

Ubuntu packages don't contain the SunEC Security Provider

Severity score breakdown

CVSS version: CVSS v3.0

Base score 4.9 · Medium

Base metrics

Parameter	Value
Attack vector	Physical
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Changed
Confidentiality impact	High
Integrity impact	None
Availability impact	None

Scores

Parameter	Value
Base score	4.9 · Medium
Exploitability score	-
Impact score	-

Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

Other references

https://www.cve.org/CVERecord?id=CVE-2018-12438