OpenSSL CVE-2022-4304 Timing Oracle in RSA Decryption

[iyyapa]

Hi Team,

The CVE-2022-4304 is vulnerable to our product and it support openSSL 1.0.2h. We have accommodated other CVE's into the same openSSL version.
We tried to accommodate the CVE-2022-4304 changes into openSSL1.0.2h release. But we are seeing many build issue and looks like it's not direct porting.
PS: We took the below changes from below link and the changes are done for openSSL3.0.8.

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43d8f88511991533f53680a751e9326999a6a31f

The CVE also fixed in OpenSSL1.0.2zg, but I don't see any code diffs in forums. Kindly share the link for 1.0.2zg changes for mentioned CVE.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers
only).

[tom-cosgrove-arm]

OpenSSL 1.0.2 went out of support in 2019, as far as I can tell.

OpenSSL 1.0.2zg is available for premium support customers, so if you are a premium support customer please reach out to your support contact.

Looking at the OpenSSL vulnerability list, rather than the Rust version, since 1.1.1 is also end-of-life now, if you're not a premium support customer, you should upgrade to 3.0.8

[iyyapa]

Thanks for your response.
There was no plan is OpenSSL upgradation. As our product is also going EOL soon, hence we are not going to upgrade any openSSL version.

[rsbeckerca]

I hate to be blunt here, and I say this with respect, it is a choice being made by your product managers. If you do not want to upgrade to a supported OpenSSL product, any vulnerabilities to CVEs that have fixes are your responsibility, not that of the OpenSSL team, who are doing their due diligence on supported versions. That is a key reason my team keeps up to date with OpenSSL as urgently as possible (often in the middle of the night). The fundamental choice here is how best to service and protect your customers. If staying on 1.0.2h is the decision, then it is your decision.

[iyyapa]

Thanks for your inputs/suggestion. I will talk to my PLM about upgrade the OpenSSL version and see how it works.
Thanks Again for your value inputs.

[t8m]

Please also note that as the premium support contracts are the source of funding for any further development of the project we will not be able to provide you backported patches for the vulnerabilities for these extended support releases and we will not allow them here in the openssl organization on github.

Of course we cannot prevent anyone to backport the fixes to older versions and publish them on their own repositories but these patches will never be official OpenSSL fixes.

[iyyapa]

Okay. Thank you for your support.