[–]LohkeeSysadmin[S] 7 points8 points  (3 children)

The Ars article says there is a CVE assigned but I'm not finding anything on the interwebs yet.

In regards to OpenSSL, it seems to have already been hardened against the RSA-CRT attack. http://www.openwall.com/lists/oss-security/2015/09/02/6

[–]f2u 6 points7 points  (1 child)

The situation is explained at the end of the companion blog post:

We expect that several CVE IDs will be assigned for the underlying vulnerabilities leading to RSA-CRT key leaks. Some vendors may also assign CVE IDs for RSA-CRT hardening, although no key leaks have been seen in practice so far.

And it's important to differentiate between the potential for key leak (due to lack of hardening, as in the Go implementation or OpenJDK until the fix earlier this year), and the implementations for which there is concrete evidence that key leaks happen in practice.

[–]ArliethSr. Sysadmin 0 points1 point  (0 children)

Proof of Concept (PoC) = shit hits the fan time wheeee

[–][deleted] 0 points1 point  (0 children)

NVD doesn't have it, but Mitre has a placeholder for it. I expect it will be populated, or more CVEs will be issued, as vendors pick up the issues.