Red Hat Bugzilla – Bug 757909
CVE-2011-4354 openssl: ECC private leak (disclosure of TLS server's private key)
Last modified: 2011-11-29 16:21:11 EST
It was reported that OpenSSL 0.9.8g (only in the 32-bit build) was vulnerable to a bug where, in extremely rare instances, the bug would cause incorrect computation of finite field operations when using NIST elliptic curves P-256 or P-384. This flaw could allow for the retrieval of a TLS server's private key. A paper was published describing the attack.
There are some very specific prerequisites for a successful attack:
- OpenSSL 0.9.8g (32-bit build)
- use of NIST elliptic curve P-256 and/or P-384
- the use of ECDH family ciphers and/or the use of ECDHE family ciphers *and* the lack of SSL_OP_SINGLE_ECDH_USE context option
This bug is corrected in OpenSSL >= 0.9.8h and does not affect earlier versions of OpenSSL than 0.9.8g. A series of patches fix this upstream (starting with r.1.15).
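A triage helper for the prerequisites listed above, added here as an example (not code from the bug report or from OpenSSL): it parses a constructed `openssl version -a` banner for the version and the bn() word size, then applies the curve and ECDH/ECDHE conditions; the cipher list, curve name and SSL_OP_SINGLE_ECDH_USE flag are supplied as inputs.

```python
import re

# Constructed `openssl version -a` output (sample data for this example, not from the bug).
SAMPLE_32BIT_098G = (
    "OpenSSL 0.9.8g 19 Oct 2007\n"
    "platform: linux-elf\n"
    "options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)\n"
)
SAMPLE_64BIT_098H = (
    "OpenSSL 0.9.8h 28 May 2008\n"
    "platform: linux-x86_64\n"
    "options:  bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int)\n"
)
AFFECTED_CURVES = {"prime256v1", "secp256r1", "P-256", "secp384r1", "P-384"}


def parse_version(text):
    """(major, minor, patch, letter) from an `openssl version` banner."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("no OpenSSL version banner found")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_32bit_build(text):
    """`options: bn(64,32)` means 32-bit BN words; bn(64,64) is a 64-bit build."""
    m = re.search(r"bn\(\d+,(\d+)\)", text)
    return bool(m) and m.group(1) == "32"


def ecdh_exposed(cipher_list, single_ecdh_use):
    """Cipher prerequisite from the bug: static ECDH reuses the certificate key, so
    SSL_OP_SINGLE_ECDH_USE does not help it; ECDHE is exposed only without the option."""
    names = [c.strip().upper() for c in cipher_list.split(":")]
    static = any(n.startswith("ECDH-") for n in names)
    ephemeral = any(n.startswith("ECDHE-") for n in names)
    return static or (ephemeral and not single_ecdh_use)


def assess(version_output, cipher_list, curve, single_ecdh_use=False):
    """Apply the bug's prerequisites in order; returns (affected, reason)."""
    if parse_version(version_output) != (0, 9, 8, "g"):
        return False, "only 0.9.8g is affected (fixed in 0.9.8h)"
    if not is_32bit_build(version_output):
        return False, "only the 32-bit build is affected"
    if curve not in AFFECTED_CURVES:
        return False, "curve is not P-256 or P-384"
    if not ecdh_exposed(cipher_list, single_ecdh_use):
        return False, "no ECDH cipher, or ECDHE with SSL_OP_SINGLE_ECDH_USE set"
    return True, "all prerequisites met: upgrade to 0.9.8h or later"
```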
(In reply to comment #0)
> A series of patches fix this upstream (starting with r.1.15).
> http://cvs.openssl.org/rlog?f=openssl%2Fcrypto%2Fbn%2Fbn_nist.c
Related upstream bug report:
which indicated the last related revision is 1.20 / 1.21, i.e. the mentioned series of patches should include the following commits:
Cumulative bn_nist.c patch:
This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6 as they did not include support for the ECDH or ECDHE ciphers.