Re: [openssl-users] The 9 Lives of Bleichenbacher's CAT - Is there a CVE for OpenSSL?

[Dr. Matthias St. Pierre]

> The paper does not list the CVE for the openssl vulnerability.
> 
> Is there a CVE for this?  What are the affected versions and in which
> version they were fixed?

A similar question has been asked at the end of the GitHub issue
https://github.com/openssl/openssl/issues/7739. As far as I know,
the question is still unanswered...

HTH
Matthias



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] The 9 Lives of Bleichenbacher's CAT - Is there a CVE for OpenSSL?

[M K Saravanan]

Hi,

I read the recent research paper:

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
by
Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong, and
Yuval Yarom
Nov 30, 2018

Research Paper: https://eprint.iacr.org/2018/1173.pdf

As per this paper, OpenSSL was also vulnerable but OpenSSL fixed them
independently of the authors' disclosure.

=
APPENDIX A

VULNERABILITIES DESCRIPTION

A. OpenSSL TLS Implementation

[...]
However, OpenSSL’s code does contain two side channel vulnerabilities.
One vulnerability has been described in Section IV-A and the other is
presented here. We note that OpenSSL replaced the vulnerable code in
both locations with constant-time implementations independently of our
disclosure.
=

The paper does not list the CVE for the openssl vulnerability.

Is there a CVE for this?  What are the affected versions and in which
version they were fixed?

with regards,
Saravanan
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users