You are here

OpenSSL: ECDSA P-256 timing attack key recovery

IDs: 
CVE-2016-7056
Keywords: 
OpenSSL, ECDSA, P-256
Description: 

OpenSSL 1.0.1u and previous versions are affected by a timing attack vulnerability [1]. A local user may be able to extract the private key.

Airlock WAF is not affected.

Details:

Airlock WAF 6.0 and 6.1 are using OpenSSL version 1.0.2 which is not affected.

Airlock WAF 5.3.1 is using the affected OpenSSL version 1.0.1. Exploiting the vulnerability required local access to the system. There are no interactive local users in Airlock WAF besides root which is trusted and has access to the private key anyway.

Resolution: 

No action required.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required