Описание
Security update for openssl-1_1
This update for openssl-1_1 fixes the following issues:
-
CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).
-
Update further expiring certificates that affect tests [bsc#1201627]
- Add openssl-Update-further-expiring-certificates.patch
Список пакетов
Container caasp/v4/cilium-operator:1.6.6
Container caasp/v4/cilium:1.6.6
Container suse/sle15:15.1
Image SLES15-SP1-SAP-Azure-LI-BYOS-Production
Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
SUSE Linux Enterprise Server 15 SP1-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP1
Ссылки
- Link for SUSE-SU-2023:2622-1
- E-Mail link for SUSE-SU-2023:2622-1
- SUSE Security Ratings
- SUSE Bug 1201627
- SUSE Bug 1207534
- SUSE CVE CVE-2022-4304 page
Описание
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
Затронутые продукты
Ссылки
- CVE-2022-4304
- SUSE Bug 1207534
- SUSE Bug 1210067
- SUSE Bug 1213146
- SUSE Bug 1213289
- SUSE Bug 1215014