===================================================================== CERT-Renater Note d'Information No. 2012/VULN115 ____________________________________________________________________ DATE : 12/03/2012 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S) : Systems running OpenSSL versions prior to 1.0.0h, 0.9.8u. ====================================================================== http://www.openssl.org/news/secadv_20120312.txt _______________________________________________________________________ OpenSSL Security Advisory [12 Mar 2012] ======================================= CMS and S/MIME Bleichenbacher attack (CVE-2012-0884) ==================================================== A weakness in the OpenSSL CMS and PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA). Only users of CMS, PKCS #7, or S/MIME decryption operations are affected. A successful attack needs on average 2^20 messages. In practice only automated systems will be affected as humans will not be willing to process this many messages. SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS#7 or CMS decryption code. Thanks to Ivan Nestlerode for discovering this weakness. The fix was developed by Stephen Henson of the OpenSSL core team. Affected users should upgrade to OpenSSL 1.0.0h or 0.9.8u. References ========== RFC3218 URL for this Security Advisory: http://www.openssl.org/news/secadv_20120312.txt ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================