Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

Upstream fix:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=d168705e11526a4b487640c7cac5b53ee3646cbc
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=3681a4558c13198944e6f7f149c4be188e076e14
Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1343403]
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1343401]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1343402]
Lowering the initial impact because of the nature of the time-channel attack.
References (thread contains a discussion about severity of this issue): http://seclists.org/oss-sec/2016/q2/493
Details of the issue and the attack taking advantage of it: http://eprint.iacr.org/2016/594 http://eprint.iacr.org/2016/594.pdf
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.

Constant time flag not preserved in DSA signing (CVE-2016-2178)
===============================================================

Severity: Low

Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 23rd May 2016 by César Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA). The fix was developed by César Pereida.

External References:
https://www.openssl.org/news/secadv/20160922.txt
http://eprint.iacr.org/2016/594
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html
This issue has been addressed in the following products: Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 Via RHSA-2017:0194 https://access.redhat.com/errata/RHSA-2017:0194
This issue has been addressed in the following products: JBoss Core Services on RHEL 6 Via RHSA-2017:0193 https://access.redhat.com/errata/RHSA-2017:0193
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658