Описание
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | ignored | end of standard support, was needs-triage |
| devel | not-affected | 2023.05-1 |
| esm-apps/bionic | needs-triage | |
| esm-apps/xenial | needs-triage | |
| esm-infra/focal | needs-triage | |
| focal | ignored | end of standard support, was needs-triage |
| jammy | released | 2022.02-3ubuntu0.22.04.4 |
| kinetic | ignored | end of life, was needs-triage |
| lunar | ignored | end of life, was needs-triage |
| mantic | not-affected | 2023.05-1 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | not-affected | uses system openssl1.0 |
| devel | not-affected | uses system openssl |
| esm-apps/bionic | not-affected | uses system openssl1.0 |
| esm-apps/focal | not-affected | uses system openssl |
| esm-apps/jammy | released | 12.22.9~dfsg-1ubuntu3.3 |
| esm-apps/noble | not-affected | uses system openssl |
| esm-apps/xenial | not-affected | code not present |
| esm-infra-legacy/trusty | not-affected | uses system openssl |
| focal | not-affected | uses system openssl |
| jammy | released | 12.22.9~dfsg-1ubuntu3.3 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | released | 1.1.1-1ubuntu2.1~18.04.21 |
| devel | released | 3.0.8-1ubuntu1 |
| esm-infra-legacy/trusty | ignored | |
| esm-infra/bionic | released | 1.1.1-1ubuntu2.1~18.04.21 |
| esm-infra/focal | released | 1.1.1f-1ubuntu2.17 |
| esm-infra/xenial | ignored | |
| fips-preview/jammy | released | 3.0.2-0ubuntu1.8+fips.1 |
| fips-updates/bionic | released | 1.1.1-1ubuntu2.fips.2.1~18.04.21 |
| fips-updates/focal | released | 1.1.1f-1ubuntu2.fips.17 |
| fips-updates/jammy | released | 3.0.2-0ubuntu1.8+fips.1 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | ignored | |
| esm-infra/bionic | ignored | |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | DNE | |
| kinetic | DNE | |
| trusty | DNE | |
| upstream | needs-triage | |
| xenial | DNE |
Показывать по
EPSS
5.9 Medium
CVSS3
Связанные уязвимости
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
A timing based side channel exists in the OpenSSL RSA Decryption imple ...
EPSS
5.9 Medium
CVSS3