Bug 1310599 (CVE-2016-0702)
| Summary: | CVE-2016-0702 OpenSSL: Side channel attack on modular exponentiation | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dosoudil, fdeutsch, gzaronik, hkario, jawilson, jgreguske, lgao, myarboro, pgier, psakar, pslavice, rnetuka, rsvoboda, sardella, security-response-team, slawomir, tmraz, twalsh, vtunka, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openssl 1.0.1s, openssl 1.0.2g | Doc Type: | Bug Fix |
| Doc Text: |
A side-channel attack was found that makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture. An attacker who has the ability to control code in a thread running on the same hyper-threaded core as the victim's thread that is performing decryption, could use this flaw to recover RSA private keys.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:48:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1301849, 1301850, 1301851, 1301852, 1313535, 1313595, 1313598, 1331752 | ||
| Bug Blocks: | 1301847, 1395463 | ||
|
Description
Huzaifa S. Sidhpurwala
2016-02-22 10:34:34 UTC
Acknowledgments: Name: the OpenSSL project Upstream: Yuval Yarom (University of Adelaide and NICTA), Daniel Genkin (Technion and Tel Aviv University), Nadia Heninger (University of Pennsylvania) External References: http://cachebleed.info/ https://www.openssl.org/news/secadv/20160301.txt Related upstream commits: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=d6482a82bc2228327aa4ba98aeeecd9979542a31 https://git.openssl.org/?p=openssl.git;a=commitdiff;h=5ea08bd2fe6538cbccd89f07e6f1cdd5d3e75e3f https://git.openssl.org/?p=openssl.git;a=commitdiff;h=d6d422e1ec48fac1c6194ab672e320281a214a32 https://git.openssl.org/?p=openssl.git;a=commitdiff;h=8fc8f486f7fa098c9fbb6a6ae399e3c6856e0d87 https://git.openssl.org/?p=openssl.git;a=commitdiff;h=317be63875e59efa34be0075eaff3c033ef6969f This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0301 https://rhn.redhat.com/errata/RHSA-2016-0301.html openssl-1.0.2g-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 RHEV-H and Agents for RHEL-7 Via RHSA-2016:0379 https://rhn.redhat.com/errata/RHSA-2016-0379.html openssl-1.0.1k-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. openssl101e-1.0.1e-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html |