Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2023:2634-1

Опубликовано: 26 июн. 2023
Источник: suse-cvrf

Описание

Security update for openssl

This update for openssl fixes the following issues:

  • CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).

Список пакетов

SUSE Linux Enterprise Server 12 SP2-BCL
libopenssl-devel-1.0.2j-60.98.1
libopenssl1_0_0-1.0.2j-60.98.1
libopenssl1_0_0-32bit-1.0.2j-60.98.1
libopenssl1_0_0-hmac-1.0.2j-60.98.1
libopenssl1_0_0-hmac-32bit-1.0.2j-60.98.1
openssl-1.0.2j-60.98.1
openssl-doc-1.0.2j-60.98.1

Ссылки

Описание

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl-devel-1.0.2j-60.98.1
SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl1_0_0-1.0.2j-60.98.1
SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl1_0_0-32bit-1.0.2j-60.98.1
SUSE Linux Enterprise Server 12 SP2-BCL:libopenssl1_0_0-hmac-1.0.2j-60.98.1
Ссылки