Amazon Linux 2 Security Advisory: ALAS-2021-1687
Advisory Release Date: 2021-07-14 20:39 Pacific
Advisory Updated Date: 2021-07-15 21:41 Pacific
An integer overflow was found in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. As per upstream:
* No EC algorithms are affected.
* Attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely.
* Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway.
* Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME (CVE-2019-1551)
Affected Packages:
openssl
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update openssl to update your system.
aarch64:
openssl-1.0.2k-19.amzn2.0.7.aarch64
openssl-libs-1.0.2k-19.amzn2.0.7.aarch64
openssl-devel-1.0.2k-19.amzn2.0.7.aarch64
openssl-static-1.0.2k-19.amzn2.0.7.aarch64
openssl-perl-1.0.2k-19.amzn2.0.7.aarch64
openssl-debuginfo-1.0.2k-19.amzn2.0.7.aarch64
i686:
openssl-1.0.2k-19.amzn2.0.7.i686
openssl-libs-1.0.2k-19.amzn2.0.7.i686
openssl-devel-1.0.2k-19.amzn2.0.7.i686
openssl-static-1.0.2k-19.amzn2.0.7.i686
openssl-perl-1.0.2k-19.amzn2.0.7.i686
openssl-debuginfo-1.0.2k-19.amzn2.0.7.i686
src:
openssl-1.0.2k-19.amzn2.0.7.src
x86_64:
openssl-1.0.2k-19.amzn2.0.7.x86_64
openssl-libs-1.0.2k-19.amzn2.0.7.x86_64
openssl-devel-1.0.2k-19.amzn2.0.7.x86_64
openssl-static-1.0.2k-19.amzn2.0.7.x86_64
openssl-perl-1.0.2k-19.amzn2.0.7.x86_64
openssl-debuginfo-1.0.2k-19.amzn2.0.7.x86_64