IBM Information for VU#997481
Cryptographic libraries and applications do not adequately defend against timing attacks
- Date Notified: 11 Mar 2003
- Statement Date:
- Date Updated: 21 Mar 2003
The AIX operating system is not vulnerable to the issues discussed in Vulnerability Note VU#997481.
However, OpenSSL and mod_ssl for Apache are available for installation on AIX via the AIX Toolbox for Linux. These items are shipped "as is" and are unwarranted.
OpenSSL 9.6g-2 and mod_ssl 2.8.11-2 are vulnerable to the issues discussed in Vulnerability Note VU#997481.
The AIX Toolbox team is aware of these issues and will provide patched versions of this software in the near future.
AIX Toolbox for Linux applications can be downloaded from:
Please note that the patched version of OpenSSL will be 0.9.6g-3 and the patched mod_ssl will be 2.8.14-1.
IBM's vendor statement will be updated when these patches are available.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.