Wind River Support Network

HomeDefectsLIN8-2890
Fixed

LIN8-2890 : Security Advisory - OpenSSL - CVE-2016-0702

Created: Feb 26, 2016    Updated: Dec 3, 2018
Resolved Date: Mar 3, 2016
Found In Version: 8.0
Fix Version: 8.0.0.3
Severity: Standard
Applicable for: Wind River Linux 8
Component/s: Userspace

Description

This issue is specific to the Intel Sandy-Bridge microarchitecture.

Side channel attack on modular exponentiation (CVE-2016-0702)
=============================================================

Severity: Low

A side-channel attack was found which makes use of cache-bank conflicts on the
Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
keys.  The ability to exploit this issue is limited as it relies on an attacker
who has control of code in a thread running on the same hyper-threaded core as
the victim thread which is performing decryptions.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on Jan 8th 2016 by Yuval Yarom, The
University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv
University, and Nadia Heninger, University of Pennsylvania with more
information at http://cachebleed.info.  The fix was developed by Andy Polyakov
of OpenSSL.

Security Notices


Other Downloads


CVEs


Live chat
Online