CVE-2024-13176: 
MySQL vulnerability analysis and mitigation

A timing side-channel vulnerability (CVE-2024-13176) was discovered in OpenSSL's ECDSA signature computation. The vulnerability affects OpenSSL versions 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1, and 1.0.2. The issue was reported on September 4, 2024, by George Pantelakis and Alicja Kario from Red Hat, and the fix was developed by Tomas Mraz (OpenSSL Advisory).

The vulnerability manifests as a timing signal of approximately 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This timing leak occurs with significant probability only for certain supported elliptic curves, particularly affecting the NIST P-521 curve. The vulnerability has been assigned a Low severity rating, with a CVSS score of 5.9 (Medium) using the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NetApp Advisory).

If successfully exploited, this vulnerability could allow an attacker to recover the private key through timing analysis. However, the practical impact is limited by the requirement that the attacker must either have local access to the signing application or maintain a very fast network connection with low latency to measure the timing differences effectively (OpenSSL Advisory).

OpenSSL has released fixes for all affected versions. Users are advised to upgrade to the following versions once released: OpenSSL 3.4.1, 3.3.3, 3.2.4, 3.1.8, and 3.0.16. Premium support customers should upgrade to OpenSSL 1.1.1zb and 1.0.2zl respectively. The fixes are available in specific commits for each version: 77c608f4 (3.4), 392dcb33 (3.3), 4b1cb94 (3.2), 2af62e74 (3.1), and 07272b05 (3.0) (OpenSSL Advisory).