A timing-based side channel exists in the OpenSSL RSA decryption implementation which could be sufficient to recover a ciphertext across a network in a Bleichenbacher-style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
Created edk2 tracking bugs for this issue:
  Affects: fedora-36 [bug 2167917]
  Affects: fedora-37 [bug 2167925]
Created mingw-openssl tracking bugs for this issue:
  Affects: fedora-36 [bug 2167918]
  Affects: fedora-37 [bug 2167924]
Created openssl tracking bugs for this issue:
  Affects: fedora-36 [bug 2167919]
  Affects: fedora-37 [bug 2167926]
Created openssl1.1 tracking bugs for this issue:
  Affects: fedora-36 [bug 2167920]
  Affects: fedora-37 [bug 2167927]
Created openssl11 tracking bugs for this issue:
  Affects: epel-7 [bug 2167915]
Created openssl3 tracking bugs for this issue:
  Affects: epel-8 [bug 2167914]
Created shim tracking bugs for this issue:
  Affects: fedora-36 [bug 2167921]
  Affects: fedora-37 [bug 2167928]
Created shim-unsigned-aarch64 tracking bugs for this issue:
  Affects: fedora-36 [bug 2167922]
  Affects: fedora-37 [bug 2167929]
Created shim-unsigned-x64 tracking bugs for this issue:
  Affects: fedora-36 [bug 2167923]
  Affects: fedora-37 [bug 2167930]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0946 https://access.redhat.com/errata/RHSA-2023:0946
Do we have a schedule for when a RHEL 8 fix will be available?
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1199 https://access.redhat.com/errata/RHSA-2023:1199
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1405 https://access.redhat.com/errata/RHSA-2023:1405
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-4304
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2165 https://access.redhat.com/errata/RHSA-2023:2165
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2932 https://access.redhat.com/errata/RHSA-2023:2932
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:3408 https://access.redhat.com/errata/RHSA-2023:3408
This issue has been addressed in the following products: JBCS httpd 2.4.51.sp2 Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355
This issue has been addressed in the following products:
  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8
Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354
This issue has been addressed in the following products:
  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9
Via RHSA-2023:3420 https://access.redhat.com/errata/RHSA-2023:3420
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2023:3421 https://access.redhat.com/errata/RHSA-2023:3421
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:4128 https://access.redhat.com/errata/RHSA-2023:4128