Description of problem:
Timing attack on RSA decryption because RSA blinding isn't used in all applications (mod_ssl etc.)

Version-Release number of selected component (if applicable):
This affects most applications that link to OpenSSL

How reproducible:
In order to exploit this issue you need to be local to the machine or be on a network that enables you to reliably observe sub-1ms timing differences.

Additional info:
http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

Note that enabling RSA blinding is not trivial.

(Also note that this issue was entered for OpenSSL under Red Hat Linux 8.0 but applies to all applications linked to OpenSSL under Red Hat Linux 6.2, 7, 7.1, 7.2, 8.0 and the Enterprise Linux family.)
This is CAN-2003-0147. The OpenSSL team are currently working on a patch that enables RSA blinding by default, therefore only OpenSSL will need to be updated and applications linked to it will not.
Was fixed by http://rhn.redhat.com/errata/RHSA-2003-101.html
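
The blinding this report refers to, shown as an added Python sketch (not code from OpenSSL or from this bug report): before the private-key exponentiation the ciphertext is multiplied by r^e for a fresh random r, so the value being exponentiated is unrelated to the ciphertext a remote party chose, and the factor r is divided out afterwards. The key is a constructed toy key, all function names are hypothetical, and Python's `pow` is not constant-time, so this illustrates the algebra only.

```python
import secrets
from math import gcd

# Constructed toy RSA key built from two Mersenne primes (not a real-world key size).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

# Constructed sample plaintext and its ciphertext.
M = int.from_bytes(b"premaster", "big")
C = pow(M, E, N)


def decrypt_unblinded(c):
    """Private-key operation applied directly to the supplied ciphertext.

    The running time of the exponentiation depends on c and on the key,
    which is the dependency the timing attack measures.
    """
    return pow(c, D, N)


def blind(c):
    """Return (c * r^e mod N, r) for a fresh random r coprime to N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (c * pow(r, E, N)) % N, r


def decrypt_blinded(c):
    """Private-key operation on a randomised value, then unblinding.

    (c * r^e)^d = c^d * r (mod N), so multiplying by r^-1 recovers c^d.
    The exponentiation input changes on every call, even for the same c.
    """
    blinded, r = blind(c)
    m_times_r = pow(blinded, D, N)
    return (m_times_r * pow(r, -1, N)) % N


if __name__ == "__main__":
    print("unblinded ok:", decrypt_unblinded(C) == M)
    print("blinded ok:  ", decrypt_blinded(C) == M)
    print("same c, different exponentiation inputs:", blind(C)[0] != blind(C)[0])
```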