|Summary:||CVE-2014-3570 openssl: Bignum squaring may produce incorrect results|
|Product:||[Other] Security Response||Reporter:||Vasyl Kaigorodov <vkaigoro>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||carnil, cdewolf, chazlett, chrisw, dandread, darran.lofthouse, erich, grocha, jason.greene, jawilson, jclere, jdoyle, john.haxby, lgao, myarboro, nlevinki, pgier, pslavice, rfortier, rhs-bugs, rsvoboda, ssaha, tmraz, vbellur, vtunka, weli|
|Fixed In Version:||OpenSSL 1.0.1k, OpenSSL 1.0.0p, OpenSSL 0.9.8zd||Doc Type:||Bug Fix|
It was found that OpenSSL's BigNumber Squaring implementation could produce incorrect results under certain special conditions. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. Note that this issue occurred rarely and with a low probability, and there is currently no known way of exploiting it.
|Last Closed:||2019-06-08 02:37:39 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||1181013, 1181015, 1181016, 1181017, 1181018, 1182870, 1182871, 1182872|
|Bug Blocks:||1180194, 1192260, 1192263, 1212496|
Description Vasyl Kaigorodov 2015-01-08 17:01:01 UTC
OpenSSL released security advisory [1] which fixes the below issue:

Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way, though its exact impact is difficult to determine. The following has been determined:

*) The probability of BN_sqr producing an incorrect result at random is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and 1/2^128 on affected 64-bit platforms.
*) On most platforms, RSA follows a different code path and RSA operations are not affected at all. For the remaining platforms (e.g. OpenSSL built without assembly support), pre-existing countermeasures thwart bug attacks [2].
*) Static ECDH is theoretically affected: it is possible to construct elliptic curve points that would falsely appear to be on the given curve. However, there is no known computationally feasible way to construct such points with low order, and so the security of static ECDH private keys is believed to be unaffected.
*) Other routines known to be theoretically affected are modular exponentiation, primality testing, DSA, RSA blinding, JPAKE and SRP. No exploits are known and straightforward bug attacks fail - either the attacker cannot control when the bug triggers, or no private key material is involved.

[1]: https://www.openssl.org/news/secadv_20150108.txt
[2]: http://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf
Comment 1 Vincent Danen 2015-01-08 18:50:49 UTC
Upstream commit that looks to fix the problem:
https://github.com/openssl/openssl/commit/a7a44ba55cb4f884c6bc9ceac90072dea38e66d0

External References:
https://www.openssl.org/news/secadv_20150108.txt
Comment 2 Huzaifa S. Sidhpurwala 2015-01-12 08:30:07 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1181013]
Comment 4 Fedora Update System 2015-01-13 00:02:38 UTC
openssl-1.0.1k-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-01-20 21:06:12 UTC
openssl-1.0.1e-41.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 errata-xmlrpc 2015-01-21 21:29:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:0066 https://rhn.redhat.com/errata/RHSA-2015-0066.html
Comment 13 errata-xmlrpc 2015-04-16 15:39:22 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.0

Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html
Comment 16 errata-xmlrpc 2016-08-22 18:08:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 2.1.1

Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html
Comment 17 Andrej Nemec 2017-09-08 12:23:16 UTC
Statement:

This issue affects the version of openssl098e as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Low security impact and does not plan to address this flaw for the above components in any future security updates.

This issue affects the version of openssl and openssl097a as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
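
Added example, not part of the bug report or of OpenSSL: a triage helper that compares an upstream OpenSSL version banner against the per-branch fix levels in the "Fixed In Version" field above. The function names, result labels and sample banners are constructed for illustration. Distribution builds backport the fix without changing the upstream letter (the Fedora 20 update above is openssl-1.0.1e-41.fc20), so a "below-upstream-fix" result means "check the package errata", not "vulnerable".

```python
import re

# Fix level per upstream branch, from this page's "Fixed In Version" field.
FIXED = {(1, 0, 1): "k", (1, 0, 0): "p", (0, 9, 8): "zd"}

# Pre-1.1.0 upstream scheme: MAJOR.MINOR.FIX plus an optional letter patch
# level that runs a..z and then za, zb, ... (e.g. "1.0.1k", "0.9.8zd").
_VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?![a-z])")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letters), or None if nothing parses."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)


def _patch_key(letters):
    # "" < "a" < ... < "z" < "za" < "zb": shorter suffixes sort first.
    return (len(letters), letters)


def classify(text):
    """Classify an upstream version banner against the CVE-2014-3570 fixes."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unparsed"
    branch, letters = parsed
    fixed = FIXED.get(branch)
    if fixed is None:
        return "branch-not-listed"   # this page names no fix level for it
    if _patch_key(letters) >= _patch_key(fixed):
        return "fixed-upstream"
    return "below-upstream-fix"      # may still carry a distro backport


# Constructed sample banners (not taken from the bug report).
SAMPLES = ["OpenSSL 1.0.1k 8 Jan 2015", "OpenSSL 1.0.1e-fips 11 Feb 2013",
           "OpenSSL 0.9.8zc", "OpenSSL 0.9.8zd", "OpenSSL 1.0.0o", "1.0.2"]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{banner!r:40} -> {classify(banner)}")
```

On RPM-based systems the package changelog or the errata listed in the comments above is the authoritative check for a backported fix.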