[openssl-users] The 9 Lives of Bleichenbacher's CAT - Is there a CVE for OpenSSL?

M K Saravanan mksarav at gmail.com
Mon Dec 10 10:41:20 UTC 2018


I read the recent research paper:

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong, and
Yuval Yarom
Nov 30, 2018

Research Paper: https://eprint.iacr.org/2018/1173.pdf

As per this paper, OpenSSL was also vulnerable but OpenSSL fixed them
independently of the authors' disclosure.



A. OpenSSL TLS Implementation

However, OpenSSL’s code does contain two side channel vulnerabilities.
One vulnerability has been described in Section IV-A and the other is
presented here. We note that OpenSSL replaced the vulnerable code in
both locations with constant-time implementations independently of our

The paper does not list the CVE for the openssl vulnerability.

Is there a CVE for this? What are the affected versions, and in which
version were they fixed?

with regards,
