The 9 Lives of Bleichenbacher's CAT - Is there a CVE for OpenSSL?

The 9 Lives of Bleichenbacher's CAT - Is there a CVE for OpenSSL?

M K Saravanan
Hi,

I read the recent research paper:

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
by
Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong, and
Yuval Yarom
Nov 30, 2018

Research Paper: https://eprint.iacr.org/2018/1173.pdf

As per this paper, OpenSSL was also vulnerable but OpenSSL fixed them
independently of the authors' disclosure.

=============
APPENDIX A

VULNERABILITIES DESCRIPTION

A. OpenSSL TLS Implementation

[...]
However, OpenSSL’s code does contain two side channel vulnerabilities.
One vulnerability has been described in Section IV-A and the other is
presented here. We note that OpenSSL replaced the vulnerable code in
both locations with constant-time implementations independently of our
disclosure.
=============

The paper does not list the CVE for the openssl vulnerability.

Is there a CVE for this? What are the affected versions and in which
version were they fixed?

with regards,
Saravanan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: The 9 Lives of Bleichenbacher's CAT - Is there a CVE for OpenSSL?

Dr. Matthias St. Pierre
> The paper does not list the CVE for the openssl vulnerability.
>
> Is there a CVE for this? What are the affected versions and in which
> version were they fixed?

A similar question has been asked at the end of the GitHub issue
https://github.com/openssl/openssl/issues/7739. As far as I know,
the question is still unanswered...

HTH
Matthias