[openssl-users] The 9 Lives of Bleichenbacher's CAT - Is there a CVE for OpenSSL?
M K Saravanan
mksarav at gmail.com
Mon Dec 10 10:41:20 UTC 2018
Hi,
I read the recent research paper:
The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
by
Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong, and
Yuval Yarom
Nov 30, 2018
Research Paper: https://eprint.iacr.org/2018/1173.pdf
As per this paper, OpenSSL was also vulnerable but OpenSSL fixed them
independently of the authors' disclosure.
=============
APPENDIX A
VULNERABILITIES DESCRIPTION
A. OpenSSL TLS Implementation
[...]
However, OpenSSL’s code does contain two side channel vulnerabilities.
One vulnerability has been described in Section IV-A and the other is
presented here. We note that OpenSSL replaced the vulnerable code in
both locations with constant-time implementations independently of our
disclosure.
=============
The paper does not list the CVE for the OpenSSL vulnerability.
Is there a CVE for this? What are the affected versions, and in which
version were they fixed?
with regards,
Saravanan