Wind River Support Network

HomeDefectsLIN5-21238
Fixed

LIN5-21238 : Security Advisory - OpenSSL - CVE-2016-0702

Created: Feb 28, 2016    Updated: May 29, 2018
Resolved Date: Mar 6, 2016
Previous ID: LIN6-10959
Found In Version: 5.0.1.34
Fix Version: 5.0.1.36
Severity: Standard
Applicable for: Wind River Linux 5
Component/s: Userspace

Description

Wind River Linux 5 has both a 1.0.0 and 1.0.1 version of OpenSSL.  
The default is 1.0.0.  Only the 1.0.1 version is vulnerable to this issue.

This issue is specific to the Intel Sandy-Bridge microarchitecture.

Side channel attack on modular exponentiation (CVE-2016-0702)
=============================================================

Severity: Low

A side-channel attack was found which makes use of cache-bank conflicts on the
Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
keys.  The ability to exploit this issue is limited as it relies on an attacker
who has control of code in a thread running on the same hyper-threaded core as
the victim thread which is performing decryptions.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on Jan 8th 2016 by Yuval Yarom, The
University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv
University, and Nadia Heninger, University of Pennsylvania with more
information at http://cachebleed.info.  The fix was developed by Andy Polyakov
of OpenSSL.

Security Notices


Other Downloads


Live chat
Online