
22.0.0.SPC5

This section describes the issues that are resolved by the patch for Kunpeng BoostKit 22.0.0.SPC5 Confidential Computing TrustZone Kit.

Trouble Ticket No.

DTS: DTS2023020815039

Vulnerability ID: HWPSIRT-2023-25691

Description

Condition: RSA asymmetric encryption/decryption and signature verification are used in the TEE.

Symptom: An attacker can recover plaintext data over the network.

Impact: Applications in the TEE are not affected.

The product is affected by a security vulnerability in OpenSSL 1.1.1n. The CVE number is CVE-2022-4304.

Severity

Major

Cause Analysis

A timing side-channel vulnerability exists in OpenSSL RSA decryption. As a result, attackers may recover plaintext over the network.

Solution

Incorporate the patch that fixes the vulnerability into the open source component to update the TEE OS firmware.

Impact

The defect is rectified, and no other impact is imposed.

Test Case

  1. After the open source patch for this OpenSSL vulnerability is installed, use the test suite provided by OpenSSL to check whether the vulnerability is fixed.
  2. It is confirmed that the patch for this vulnerability has been incorporated into the open source component introduced into this product.