Описание
Security update for compat-openssl098
This update for compat-openssl098 fixes the following issues:
- CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).
Список пакетов
Image SLES12-SP5-Azure-SAP-BYOS
Image SLES12-SP5-Azure-SAP-On-Demand
Image SLES12-SP5-EC2-SAP-BYOS
Image SLES12-SP5-EC2-SAP-On-Demand
Image SLES12-SP5-GCE-SAP-BYOS
Image SLES12-SP5-GCE-SAP-On-Demand
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production
SUSE Linux Enterprise Module for Legacy 12
SUSE Linux Enterprise Server for SAP Applications 12 SP4
SUSE Linux Enterprise Server for SAP Applications 12 SP5
Ссылки
- Link for SUSE-SU-2023:0581-1
- E-Mail link for SUSE-SU-2023:0581-1
- SUSE Security Ratings
- SUSE Bug 1207534
- SUSE CVE CVE-2022-4304 page
Описание
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
Затронутые продукты
Ссылки
- CVE-2022-4304
- SUSE Bug 1207534
- SUSE Bug 1210067
- SUSE Bug 1213146
- SUSE Bug 1213289
- SUSE Bug 1215014