I think it's probably worth getting this on the record. OpenSSL put this out today: a timing attack is possible on their RSA key generation. It's not critical enough to push out a new release and it'll be picked up in the next 1.0.2 and 1.1.0. But if we wanted to patch now we could grab the commits from their repo and float them.
As far as I know we don't expose APIs that touch RSA key generation so I don't believe we're exposed to this at all. @nodejs/crypto will clarify here if I'm not correct on that, however.

OpenSSL Security Advisory [16 Apr 2018]

Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)

Severity: Low

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a
cache timing side channel attack. An attacker with sufficient access to mount
cache timing attacks during the RSA key generation process could recover the
private key.

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i
and OpenSSL 1.0.2p when they become available. The fix is also available in
commit 6939eab03 (for 1.1.0) and commit 349a41da1 (for 1.0.2) in the OpenSSL git
repository.

This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
The fix was developed by Billy Brumley.
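
An added example, not part of the original issue and not Node.js or OpenSSL project code: a check of the OpenSSL version a Node.js binary reports against the fixed releases named in the advisory (1.1.0i and 1.0.2p). The function names are hypothetical, and branches other than 1.1.0 and 1.0.2 are reported as `unknown` because the advisory text above does not cover them.

```javascript
// Fixed releases per branch, taken from the advisory text above.
const FIXED_IN = { '1.1.0': 'i', '1.0.2': 'p' };

// Split "1.0.2o" or "1.1.0h-fips" into { branch: "1.0.2", patch: "o" }.
function parseOpenSSLVersion(version) {
  const m = /^(\d+\.\d+\.\d+)([a-z]*)/.exec(String(version).trim());
  return m ? { branch: m[1], patch: m[2] } : null;
}

// OpenSSL letter suffixes order as "" < "a" < ... < "z" < "za" < "zb" ...,
// so compare by length first and alphabetically second.
function comparePatch(a, b) {
  if (a.length !== b.length) return a.length < b.length ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns "fixed", "not-fixed-by-version" or "unknown".
// A build that floats the fix commits keeps its old version string, so
// "not-fixed-by-version" means "check the build's patch list", not "vulnerable".
function hasKeygenFix(version) {
  const parsed = parseOpenSSLVersion(version);
  if (!parsed) return 'unknown';
  const fixedPatch = FIXED_IN[parsed.branch];
  if (fixedPatch === undefined) return 'unknown';
  return comparePatch(parsed.patch, fixedPatch) >= 0
    ? 'fixed'
    : 'not-fixed-by-version';
}

// Report on the runtime executing this script.
console.log(process.versions.openssl, hasKeygenFix(process.versions.openssl));
```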