K79215841 : OpenSSL vulnerability CVE-2016-0702

Security Advisory Description

The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a “CacheBleed” attack. (CVE-2016-0702)
Impact
An authenticated local user with administrator or root level access to the Advanced Shell (bash) may be able to exploit this vulnerability to discover RSA keys.
This attack is only possible on platforms that support Intel Hyper-Threading Technology (HT Technology) and have HT enabled. F5 does not believe cryptographic operations that are processed with a Secure Sockets Layer (SSL) hardware acceleration card are an exploitable vector on BIG-IP systems. Additionally, adjacent Virtual Clustered Multiprocessing (vCMP) systems or BIG-IP Virtual Edition (VE) virtual machines are not exploitable vectors on BIG-IP systems.
For a list of BIG-IP hardware that includes HT Technology, refer to the following articles:

• K14358: Overview of Clustered Multiprocessing (11.3.0 and later)
• K14248: Overview of Clustered Multiprocessing (11.0.0 - 11.2.x)
• K7751: Overview of Clustered Multiprocessing (9.x - 10.x)