OpenSSL Timing Attack RSA Private Key Information Disclosure Vulnerability

Solution:
It is reported that certain versions of Computer Associates eTrust Security Command Center are prone to this vulnerability. Customers are advised to contact the vendor for further information pertaining to obtaining and applying appropriate updates.

Hewlett-Packard has released revision 1 of this advisory (HPSBUX0309-280), which contains fix information to address this issue in J2SE and JSSE, as well as new information on how to patch affected Servicecontrol Manager software. Users wishing to obtain an updated version of Servicecontrol Manager are advised to search for "SCM" at the following webpage:

http://software.hp.com

Hewlett-Packard customers are advised to upgrade as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory.

SGI have released an advisory (20030501-01-I) which contains a fix to address this issue.

Hewlett-Packard have released an advisory (HPSBUX0304-0255 rev. 2) which contains fix information to address this issue. Customers are advised to upgrade to hp-ux apache-based web server v.1.0.03.01 or later, which includes OpenSSL 0.9.6i with patches.

OpenPKG have released an advisory (OpenPKG-SA-2003.019), which contains fix details that address this issue. Additionally, OpenPKG has released advisory OpenPKG-SA-2003.020 to address the default configuration of mod_ssl in Apache.

Trustix have released an advisory (TSLSA-2003-0010: openssl), which contains fix details that address this issue.

Patches have been released for OpenBSD 3.1 and 3.2 which address this issue.

Gentoo Linux has released an advisory. Users who have installed dev-libs/openssl are advised to upgrade to openssl-0.9.6i-r1 by issuing the following commands:

emerge sync
emerge openssl
emerge clean

Gentoo Linux users who have installed net-www/mod_ssl are advised to upgrade to mod_ssl-2.8.14 by issuing the following commands:

emerge sync
emerge mod_ssl
emerge clean

Sorcerer Linux has released an advisory. Users are advised to issue the following commands to update affected systems:

augur synch && augur update

Stunnel has released patches which address this issue. When released, Stunnel 4.05 and 3.23 are also expected to address this vulnerability.

SCO has released a security advisory containing fixes which address this issue in OpenLinux.

Apple has released a security advisory (APPLE-SA-2003-03-24) which contains an update. Information on how to obtain the fix can be found in the attached advisory.

NetBSD has made a source tree fix available, and has addressed this issue in NetBSD advisory 2003-005. See referenced advisory for additional details.

Red Hat has released an advisory (RHSA-2003:101-01). Information about obtaining and applying fixes is available in the referenced advisory.

Debian has released a security advisory (DSA 288-1) containing fixes which address this and other issues. Further information regarding how to obtain and apply fixes can be found in the attached advisory.

Covalent have released patches which address this issue. Further information can be found in the attached update reference.

An updated version of Crypto++ has been released which addresses this issue. Users are advised to upgrade as soon as possible.

F5 has released a patch which addresses this issue in their vulnerable products. The patch and further information can be obtained from the following location:

http://tech.f5.com/home/bigip/solutions/security/sol2379.html

Foundry Networks has reported that Ironview is affected by this issue. A patch is currently being developed which will address this issue.

FreeBSD has released a security advisory containing patches which address this issue. Users are advised to upgrade as soon as possible.

A patch has been released for Intoto iGateway 3.2 and can be obtained by contacting the vendor at: support@intotoinc.com

VanDyke has announced that SecureCRT is affected by this issue when using the SSH1 protocol. A fix is currently being developed to address this issue in version 4.0.4 and earlier. SecureCRT 4.0.5 is not affected by this issue.

Immunix has released updated OpenSSL packages which address this issue. Users are advised to upgrade as soon as possible.

SSH has released a patch for IPSEC Express Toolkit. Users are advised to contact the vendor for further information.

HP has released SSL updates for OpenVMS systems. Please see the attached HP OpenVMS advisory (SSRT3499, SSRT3518) for details on obtaining and applying fixes. HP has also released an advisory for Tru64 UNIX systems that contains details about obtaining and applying patches. Please see advisory SSRT3499, SSRT3518 (Tru64) for further information.

Oracle has released an advisory and patches to address this issue. Users are advised to obtain patches from the Oracle Metalink site listed in the references.

Fixes available:

Sun Cobalt RaQ XTR
OpenPKG OpenPKG Current
Stunnel Stunnel 3.20
Sun Cobalt RaQ 4
OpenSSL Project OpenSSL 0.9.6d
OpenSSL Project OpenSSL 0.9.6a
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.6i
OpenSSL Project OpenSSL 0.9.6c
OpenSSL Project OpenSSL 0.9.6e
OpenSSL Project OpenSSL 0.9.7a
Covalent Enterprise Ready Server 2.1
Redhat mgetty-sendfax-1.1.14-8.i386.rpm 2.2
Covalent Enterprise Ready Server 2.3
mod_ssl mod_ssl 2.8.14
Stunnel Stunnel 3.12
Stunnel Stunnel 3.14
Stunnel Stunnel 3.15
Stunnel Stunnel 3.16
Stunnel Stunnel 3.19
Stunnel Stunnel 3.8
Stunnel Stunnel 4.04
Stunnel Stunnel 4.02
Stunnel Stunnel 4.01
VanDyke SecureCRT 4.0.2
VanDyke SecureCRT 4.0.3
VanDyke SecureCRT 4.0.4
SGI IRIX 6.5.19

Copyright 2010, SecurityFocus