DEBIAN-CVE-2022-4304
- Source
- https://security-tracker.debian.org/tracker/DEBIAN-CVE-2022-4304
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2022-4304.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2022-4304
- Upstream
- Published
- 2023-02-08T20:15:23Z
- Modified
- 2025-09-19T07:32:28.989313Z
- Summary
- [none]
- Details
-
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
- References
Affected packages
Debian:11 / openssl
Package
- Name
- openssl
- Purl
- pkg:deb/debian/openssl?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.1.1n-0+deb11u4
Debian:12 / openssl
Package
- Name
- openssl
- Purl
- pkg:deb/debian/openssl?arch=source
Debian:13 / openssl
Package
- Name
- openssl
- Purl
- pkg:deb/debian/openssl?arch=source
Debian:14 / openssl
Package
- Name
- openssl
- Purl
- pkg:deb/debian/openssl?arch=source