Wind River® is aware of and has analyzed the SSLv2 protocol vulnerabilities reported as CVE-2016-0702 (Side channel attack on modular exponentiation).

A side-channel attack was found that uses cache-bank conflicts on the Intel Sandy Bridge microarchitecture and could lead to the recovery of RSA keys. The ability to exploit this issue is limited because it relies on an attacker who controls code in a thread running on the same hyper-threaded core as the victim thread that is performing decryptions.
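The two preconditions named above (Sandy Bridge microarchitecture, threads sharing a hyper-threaded core) can be checked per host from /proc/cpuinfo. The script below is an added example, not Wind River or OpenSSL code; the function name and output labels are illustrative, and the Sandy Bridge identifiers (CPU family 6, models 42 and 45) are supplied here rather than taken from the advisory.

```shell
#!/bin/sh
# Added example: report whether a host meets the preconditions the advisory
# names for CVE-2016-0702. Function name and labels are illustrative.

# cve_2016_0702_preconditions [cpuinfo-file]
# Prints exactly one of:
#   not-sandy-bridge    CPU is not Intel family 6, model 42 or 45
#   sandy-bridge-no-ht  Sandy Bridge, but one hardware thread per core
#   sandy-bridge-ht     Sandy Bridge with sibling threads sharing a core
cve_2016_0702_preconditions() {
    awk -F': *' '
        {
            # Keys are padded with tabs in /proc/cpuinfo; trim key and value.
            key = $1; sub(/[ \t]+$/, "", key)
            val = $2; sub(/[ \t]+$/, "", val)
        }
        key == "vendor_id"  { vendor = val }
        key == "cpu family" { family = val + 0 }
        key == "model"      { model = val + 0 }
        key == "siblings"   { if (val + 0 > siblings) siblings = val + 0 }
        key == "cpu cores"  { if (val + 0 > cores) cores = val + 0 }
        END {
            # Assumption: family 6, model 42 (client) or 45 (server) = Sandy Bridge.
            sandy = (vendor == "GenuineIntel" && family == 6 &&
                     (model == 42 || model == 45))
            if (!sandy)
                print "not-sandy-bridge"
            else if (siblings > cores)   # more threads than cores: HT is active
                print "sandy-bridge-ht"
            else
                print "sandy-bridge-no-ht"
        }
    ' "${1:-/proc/cpuinfo}"
}

# Constructed sample (not from a real host): Sandy Bridge, 4 cores, 8 threads.
sample=$(mktemp)
printf 'vendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 42\n' > "$sample"
printf 'model name\t: Constructed CPU\nsiblings\t: 8\ncpu cores\t: 4\n' >> "$sample"
cve_2016_0702_preconditions "$sample"
rm -f "$sample"
```

A `sandy-bridge-ht` result only shows that the hardware preconditions exist; whether the installed OpenSSL carries the fix has to be confirmed separately. Inside a virtual machine, /proc/cpuinfo may not reflect the host's real core topology.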

 

Additional information: This issue has been rated as Low**

Further information can be found on the OpenSSL project site here: https://www.openssl.org/news/secadv/20160301.txt

** https://knowledge.windriver.com/en-us/020_Product_Support_Policies/010/000_Security_Vulnerability_Response_Policy

Remediation

Wind River has released hot patches for all affected Wind River Linux versions.