Wind River® is aware of and has analyzed the SSLv2 protocol vulnerabilities reported as CVE-2016-0702 (Side channel attack on modular exponentiation).

A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy Bridge microarchitecture that could lead to the recovery of RSA keys. The ability to exploit this issue is limited as it relies on an attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions.


Additional information: This issue has been rated as Low**


Further information can be found on the OpenSSL project site here: https://www.openssl.org/news/secadv/20160301.txt


** https://knowledge.windriver.com/en-us/020_Product_Support_Policies/010/000_Security_Vulnerability_Response_Policy

Remediation

Wind River has released hot patches for all affected Wind River Linux versions.