CVE-2015-8804

x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-384 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 93%
Affected Products (NVD)
VendorProductVersion
nettle_projectnettle
𝑥
≤ 3.1.1
canonicalubuntu_linux
14.04
canonicalubuntu_linux
15.10
opensuseleap
42.1
opensuseopensuse
13.1
opensuseopensuse
13.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nettle
bookworm
3.8.1-2
fixed
bullseye
3.7.3-1
fixed
sid
3.10-1
fixed
squeeze
not-affected
trixie
3.10-1
fixed
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nettle
precise
not-affected
trusty
Fixed 2.7.1-1ubuntu0.1
released
vivid
ignored
wily
Fixed 3.1.1-4ubuntu0.1
released
xenial
not-affected
yakkety
not-affected
zesty
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libhogweed2
suse enterprise sap 12
2.7.1-9.1
fixed
suse enterprise sap 12 SP1
2.7.1-9.1
fixed
suse enterprise sap 12 SP5
2.7.1-12.1
fixed
suse enterprise server 12
2.7.1-9.1
fixed
suse enterprise server 12 SP1
2.7.1-9.1
fixed
suse enterprise server 12 SP3
2.7.1-12.1
fixed
suse enterprise server 12 SP4
2.7.1-12.1
fixed
suse enterprise server 12 SP5
2.7.1-12.1
fixed
libhogweed2-32bit
suse enterprise sap 12
2.7.1-9.1
fixed
suse enterprise sap 12 SP1
2.7.1-9.1
fixed
suse enterprise sap 12 SP5
2.7.1-12.1
fixed
suse enterprise server 12
2.7.1-9.1
fixed
suse enterprise server 12 SP1
2.7.1-9.1
fixed
suse enterprise server 12 SP3
2.7.1-12.1
fixed
suse enterprise server 12 SP4
2.7.1-12.1
fixed
suse enterprise server 12 SP5
2.7.1-12.1
fixed
libhogweed4
suse enterprise desktop 15
3.4-2.12
fixed
suse enterprise desktop 15 SP1
3.4.1-4.9.1
fixed
suse enterprise desktop 15 SP2
3.4.1-4.12.1
fixed
suse enterprise desktop 15 SP3
3.4.1-4.15.1
fixed
suse enterprise sap 15
3.4-2.12
fixed
suse enterprise sap 15 SP1
3.4.1-4.9.1
fixed
suse enterprise sap 15 SP2
3.4.1-4.12.1
fixed
suse enterprise sap 15 SP3
3.4.1-4.15.1
fixed
suse enterprise server 15
3.4-2.12
fixed
suse enterprise server 15 SP1
3.4.1-4.9.1
fixed
suse enterprise server 15 SP2
3.4.1-4.12.1
fixed
suse enterprise server 15 SP3
3.4.1-4.15.1
fixed
libhogweed4-32bit
suse enterprise desktop 15
3.4-2.12
fixed
suse enterprise desktop 15 SP1
3.4.1-4.9.1
fixed
suse enterprise desktop 15 SP2
3.4.1-4.12.1
fixed
suse enterprise desktop 15 SP3
3.4.1-4.15.1
fixed
suse enterprise sap 15
3.4-2.12
fixed
suse enterprise sap 15 SP1
3.4.1-4.9.1
fixed
suse enterprise sap 15 SP2
3.4.1-4.12.1
fixed
suse enterprise sap 15 SP3
3.4.1-4.15.1
fixed
suse enterprise server 15
3.4-2.12
fixed
suse enterprise server 15 SP1
3.4.1-4.9.1
fixed
suse enterprise server 15 SP2
3.4.1-4.12.1
fixed
suse enterprise server 15 SP3
3.4.1-4.15.1
fixed
libhogweed6
suse enterprise desktop 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise desktop 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise desktop 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise desktop 15 SP7
3.10.1-150700.2.16
fixed
suse enterprise sap 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise sap 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise sap 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise sap 15 SP7
3.10.1-150700.2.16
fixed
suse enterprise server 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise server 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise server 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise server 15 SP7
3.10.1-150700.2.16
fixed
libhogweed6-32bit
suse enterprise desktop 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise desktop 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise desktop 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise desktop 15 SP7
3.10.1-150700.2.16
fixed
suse enterprise sap 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise sap 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise sap 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise sap 15 SP7
3.10.1-150700.2.16
fixed
suse enterprise server 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise server 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise server 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise server 15 SP7
3.10.1-150700.2.16
fixed
libnettle-devel
suse enterprise desktop 15
3.4-2.12
fixed
suse enterprise desktop 15 SP1
3.4.1-4.9.1
fixed
suse enterprise desktop 15 SP2
3.4.1-4.12.1
fixed
suse enterprise desktop 15 SP3
3.4.1-4.15.1
fixed
suse enterprise desktop 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise desktop 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise desktop 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise desktop 15 SP7
3.10.1-150700.2.16
fixed
suse enterprise sap 15
3.4-2.12
fixed
suse enterprise sap 15 SP1
3.4.1-4.9.1
fixed
suse enterprise sap 15 SP2
3.4.1-4.12.1
fixed
suse enterprise sap 15 SP3
3.4.1-4.15.1
fixed
suse enterprise sap 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise sap 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise sap 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise sap 15 SP7
3.10.1-150700.2.16
fixed
suse enterprise server 15
3.4-2.12
fixed
suse enterprise server 15 SP1
3.4.1-4.9.1
fixed
suse enterprise server 15 SP2
3.4.1-4.12.1
fixed
suse enterprise server 15 SP3
3.4.1-4.15.1
fixed
suse enterprise server 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise server 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise server 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise server 15 SP7
3.10.1-150700.2.16
fixed
libnettle4
suse enterprise sap 12
2.7.1-9.1
fixed
suse enterprise sap 12 SP1
2.7.1-9.1
fixed
suse enterprise sap 12 SP5
2.7.1-12.1
fixed
suse enterprise server 12
2.7.1-9.1
fixed
suse enterprise server 12 SP1
2.7.1-9.1
fixed
suse enterprise server 12 SP3
2.7.1-12.1
fixed
suse enterprise server 12 SP4
2.7.1-12.1
fixed
suse enterprise server 12 SP5
2.7.1-12.1
fixed
libnettle4-32bit
suse enterprise sap 12
2.7.1-9.1
fixed
suse enterprise sap 12 SP1
2.7.1-9.1
fixed
suse enterprise sap 12 SP5
2.7.1-12.1
fixed
suse enterprise server 12
2.7.1-9.1
fixed
suse enterprise server 12 SP1
2.7.1-9.1
fixed
suse enterprise server 12 SP3
2.7.1-12.1
fixed
suse enterprise server 12 SP4
2.7.1-12.1
fixed
suse enterprise server 12 SP5
2.7.1-12.1
fixed
libnettle6
suse enterprise desktop 15
3.4-2.12
fixed
suse enterprise desktop 15 SP1
3.4.1-4.9.1
fixed
suse enterprise desktop 15 SP2
3.4.1-4.12.1
fixed
suse enterprise desktop 15 SP3
3.4.1-4.15.1
fixed
suse enterprise sap 15
3.4-2.12
fixed
suse enterprise sap 15 SP1
3.4.1-4.9.1
fixed
suse enterprise sap 15 SP2
3.4.1-4.12.1
fixed
suse enterprise sap 15 SP3
3.4.1-4.15.1
fixed
suse enterprise server 15
3.4-2.12
fixed
suse enterprise server 15 SP1
3.4.1-4.9.1
fixed
suse enterprise server 15 SP2
3.4.1-4.12.1
fixed
suse enterprise server 15 SP3
3.4.1-4.15.1
fixed
libnettle6-32bit
suse enterprise desktop 15
3.4-2.12
fixed
suse enterprise desktop 15 SP1
3.4.1-4.9.1
fixed
suse enterprise desktop 15 SP2
3.4.1-4.12.1
fixed
suse enterprise desktop 15 SP3
3.4.1-4.15.1
fixed
suse enterprise sap 15
3.4-2.12
fixed
suse enterprise sap 15 SP1
3.4.1-4.9.1
fixed
suse enterprise sap 15 SP2
3.4.1-4.12.1
fixed
suse enterprise sap 15 SP3
3.4.1-4.15.1
fixed
suse enterprise server 15
3.4-2.12
fixed
suse enterprise server 15 SP1
3.4.1-4.9.1
fixed
suse enterprise server 15 SP2
3.4.1-4.12.1
fixed
suse enterprise server 15 SP3
3.4.1-4.15.1
fixed
libnettle8
suse enterprise desktop 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise desktop 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise desktop 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise desktop 15 SP7
3.10.1-150700.2.16
fixed
suse enterprise sap 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise sap 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise sap 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise sap 15 SP7
3.10.1-150700.2.16
fixed
suse enterprise server 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise server 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise server 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise server 15 SP7
3.10.1-150700.2.16
fixed
libnettle8-32bit
suse enterprise desktop 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise desktop 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise desktop 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise desktop 15 SP7
3.10.1-150700.2.16
fixed
suse enterprise sap 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise sap 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise sap 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise sap 15 SP7
3.10.1-150700.2.16
fixed
suse enterprise server 15 SP4
3.7.3-150400.2.21
fixed
suse enterprise server 15 SP5
3.8.1-150500.2.25
fixed
suse enterprise server 15 SP6
3.9.1-150600.1.46
fixed
suse enterprise server 15 SP7
3.10.1-150700.2.16
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
nettle
RHEL 7
0:2.7.1-8.el7
fixed
nettle-devel
RHEL 7
0:2.7.1-8.el7
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-updates/2016-02/msg00091.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00093.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00100.html
http://rhn.redhat.com/errata/RHSA-2016-2582.html
http://www.openwall.com/lists/oss-security/2016/02/02/2
http://www.openwall.com/lists/oss-security/2016/02/03/1
http://www.ubuntu.com/usn/USN-2897-1
https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html
https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7
https://lists.gnu.org/archive/html/info-gnu/2016-01/msg00006.html
https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003024.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00091.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00093.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00100.html
http://rhn.redhat.com/errata/RHSA-2016-2582.html
http://www.openwall.com/lists/oss-security/2016/02/02/2
http://www.openwall.com/lists/oss-security/2016/02/03/1
http://www.ubuntu.com/usn/USN-2897-1
https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html
https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7
https://lists.gnu.org/archive/html/info-gnu/2016-01/msg00006.html
https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003024.html