OpenVPN · OpenVPN · CVE-2013-2061
**Name of the Vulnerable Software and Affected Versions**
OpenVPN versions prior to 2.3.1
**Description**
The issue allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher. Multiple vulnerabilities in the OpenVPN package can compromise the integrity and availability of protected information, and they can be exploited remotely.
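The non-constant-time HMAC comparison described above, shown beside a constant-time replacement, as an added example (not OpenVPN's own code). The function names, the 20-byte tag length and the sample tag bytes are constructed for illustration, and the step counter stands in for the timing signal an observer would measure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TAG_LEN 20 /* constructed: HMAC-SHA1-sized tag */

/* Early-exit compare (memcmp-style). *steps = bytes examined, which
 * depends on where the first mismatch sits: that is the timing leak. */
int tag_cmp_early_exit(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        *steps = i + 1;
        if (a[i] != b[i])
            return 1;
    }
    return 0;
}

/* Constant-time compare: no data-dependent branch, every byte is read
 * and differences are OR-ed together. Returns 0 only on a full match. */
int tag_cmp_constant_time(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *steps = n;
    return diff;
}

/* Bytes examined when the received tag first differs at pos (< TAG_LEN). */
size_t examined_bytes(size_t pos, int constant_time)
{
    uint8_t expected[TAG_LEN], received[TAG_LEN];
    size_t steps;
    memset(expected, 0xA5, sizeof expected);   /* constructed sample tag */
    memcpy(received, expected, sizeof received);
    received[pos] ^= 0xFF;                     /* flip one byte */
    (constant_time ? tag_cmp_constant_time : tag_cmp_early_exit)
        (expected, received, TAG_LEN, &steps);
    return steps;
}

int main(void)
{
    for (size_t pos = 0; pos < TAG_LEN; pos += 5)
        printf("mismatch@%2zu early-exit=%2zu constant-time=%2zu\n", pos, examined_bytes(pos, 0), examined_bytes(pos, 1));
    return 0;
}
```

With the early-exit version the work grows with the length of the matching prefix; with the constant-time version it is the same for every input of a given length.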
**Recommendations**
For OpenVPN versions prior to 2.3.1, update to version 2.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `openvpn_decrypt` function in `crypto.c` until a patch is available. Avoid using the CBC mode cipher in UDP mode until the issue is resolved.