A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OEAP and RSASVE.
The details of the vulnerability are on the https://people.redhat.com/~hkario/marvin/ page.
Script to reproduce it: https://github.com/tlsfuzzer/tlsfuzzer/blob/master/scripts/test-bleichenbacher-timing-pregenerate.py
Instructions to the reproducer: https://tlsfuzzer.readthedocs.io/en/latest/timing-analysis.html
Credit is acknowledged on the security advisory page: https://www.openssl.org/news/secadv/20230207.txt
Decryption of captured RSA ciphertexts and signature forgery for endpoints allowing timing of RSA decryption operation (local or remote).