redhatcve | Redhat.com | RH:CVE-2022-24436
History: Jun 15, 2022 - 5:34 a.m.

CVE-2022-24436

2022-06-15 05:34:19
redhat.com
access.redhat.com
43
intel processor
frequency scaling
timing attack
information disclosure
hertzbleed
mitigation
cryptographic software hardening
amd
security advisories
frequency boost
performance impact.

CVSS2: 4
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 28.4%

A potential vulnerability in some Intel® processors using frequency scaling may allow an authenticated attacker to execute a timing attack to potentially enable information disclosure.

Mitigation

Currently, there is no mitigation for this flaw. Intel has provided some guidance to developers of cryptographic software on hardening their libraries and applications against Hertzbleed. More information is available in the official Intel and AMD security advisories linked at the bottom of this document.

A workload-independent workaround to mitigate Hertzbleed is to disable frequency boost. However, this is not recommended since it will significantly affect performance.

Reference:
<https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/frequency-throttling-side-channel-guidance.html>
