ALAS-2019-1188 --- opensslID: oval:org.secpod.oval:def:1600996 | Date: (C)2019-06-19 (M)2024-01-29 |
Class: PATCH | Family: unix |
A microprocessor side-channel vulnerability was found on SMT architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information. If an application encounters a fatal protocol error and then calls SSL_shutdown twice then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown twice even if a protocol error has occurred
Platform: |
Amazon Linux AMI |