Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 1.1.0

Description A timing-based side channel issue exists in the OpenSSL RSA decryption implementation, potentially allowing the recovery of plaintext from across the network. This issue affects all RSA padding modes. A server agent compiled with OpenSSL could be made to give up plaintext payloads over the network, but this would require a large amount of malicious payloads from a third-party actor as trial messages.

Recommendations For versions prior to 1.1.0, consider updating to a version that uses Rust-based TLS, such as the one implemented in bottlerocket version 1.1.0, which removed OpenSSL in favor of rustls.