Bug 2164487 (CVE-2022-4304)
| Summary: | CVE-2022-4304 openssl: timing attack in RSA Decryption implementation | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acrosby, adudiak, bdettelb, berrange, bootloader-eng-team, caswilli, christopher.voltz, cllang, csutherl, dbelyavs, ddepaula, dffrench, dfreiber, dhalasz, dkuc, drieden, fjansen, gzaronik, hbraun, hkataria, ikanias, jary, jburrell, jclere, jferlan, jkoehler, jmitchel, jtanner, jwon, kaycoth, kraxel, kshier, kyoshida, micjohns, mmadzin, mturk, ngough, nweather, pbonzini, peholase, pjindal, plodge, rgodfrey, rh-spice-bugs, rogbas, rravi, security-response-team, stcannon, sthirugn, szappis, tfister, tohughes, virt-maint, vkrizan, vkumar, vmugicag, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages for decryption. This issue affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP, and RSASVE.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-03-22 14:03:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2164541, 2164542, 2164543, 2164545, 2164546, 2164547, 2164548, 2164549, 2164550, 2164552, 2164553, 2164554, 2164555, 2166345, 2167914, 2167915, 2167917, 2167918, 2167919, 2167920, 2167921, 2167922, 2167923, 2167924, 2167925, 2167926, 2167927, 2167928, 2167929, 2167930, 2191726, 2191727, 2191728, 2208594, 2208595 | ||
| Bug Blocks: | 2164384 | ||
|
Description
Marian Rehak
2023-01-25 15:18:27 UTC
Created edk2 tracking bugs for this issue: Affects: fedora-36 [bug 2167917] Affects: fedora-37 [bug 2167925] Created mingw-openssl tracking bugs for this issue: Affects: fedora-36 [bug 2167918] Affects: fedora-37 [bug 2167924] Created openssl tracking bugs for this issue: Affects: fedora-36 [bug 2167919] Affects: fedora-37 [bug 2167926] Created openssl1.1 tracking bugs for this issue: Affects: fedora-36 [bug 2167920] Affects: fedora-37 [bug 2167927] Created openssl11 tracking bugs for this issue: Affects: epel-7 [bug 2167915] Created openssl3 tracking bugs for this issue: Affects: epel-8 [bug 2167914] Created shim tracking bugs for this issue: Affects: fedora-36 [bug 2167921] Affects: fedora-37 [bug 2167928] Created shim-unsigned-aarch64 tracking bugs for this issue: Affects: fedora-36 [bug 2167922] Affects: fedora-37 [bug 2167929] Created shim-unsigned-x64 tracking bugs for this issue: Affects: fedora-36 [bug 2167923] Affects: fedora-37 [bug 2167930] This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0946 https://access.redhat.com/errata/RHSA-2023:0946 Do we have a schedule for when a RHEL 8 fix will be available? This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1199 https://access.redhat.com/errata/RHSA-2023:1199 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1405 https://access.redhat.com/errata/RHSA-2023:1405 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-4304 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2165 https://access.redhat.com/errata/RHSA-2023:2165 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2932 https://access.redhat.com/errata/RHSA-2023:2932 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:3408 https://access.redhat.com/errata/RHSA-2023:3408 This issue has been addressed in the following products: JBCS httpd 2.4.51.sp2 Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355 This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354 This issue has been addressed in the following products: Red Hat JBoss Web Server 5.7 on RHEL 7 Red Hat JBoss Web Server 5.7 on RHEL 8 Red Hat JBoss Web Server 5.7 on RHEL 9 Via RHSA-2023:3420 https://access.redhat.com/errata/RHSA-2023:3420 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2023:3421 https://access.redhat.com/errata/RHSA-2023:3421 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:4128 https://access.redhat.com/errata/RHSA-2023:4128 |