IBM Information for VU#997481

Cryptographic libraries and applications do not adequately defend against timing attacks

Status

Affected

Vendor Statement

The AIX operating system in not vulnerable to the issues discussed in Vulnerability Note VU#997481.

However, OpenSSL and mod_ssl for Apache are available for installation on AIX via the AIX Toolbox for Linux. These items are shipped "as is" and are unwarranted.

OpenSSL 9.6g-2 and mod_ssl 2.8.11-2 are vulnerable to the issues discussed in Vulnerability Note VU#997481.

The AIX Toolbox team is aware of these issues and will provide patched versions of this software in the near future.

AIX Toolbox for Linux applications can be downloaded from:


Please note that the patched version of OpenSSL will be 0.9.6g-3 and the patched mod_ssl will be 2.8.14-1.

IBM's vendor statement will be updated when these patches are available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.