RSA pkcs1 decryption and signing is not constant memory access

It was reported by Eyal Ronen, that they can implement an attack against a gnutls RSA-decryption server, variant of the Bleichenbacher attack using cache-based side-channel methods. This attacks apply to gnutls' servers deployed on cloud infrastructure which share CPU with malicious players and which use an RSA key marked for both decryption and signing.

The severity of the issue is expected to be medium or low.

The report is "We have looked at your RSA decryption code. Although you have implemented countermeasures against the Bleichenbacher attack in your code, we think it is still vulnerable to cache attacks. The problems are both at the GnuTLS and the nettle code. In our paper, we are showing how any non-constant time code, including any conditional branch, function call, and memory access might be used to recreate the Bleichenbacher oracle."

Paper describing the attack: http://www.wisdom.weizmann.ac.il/~eyalro/project/cat/cat.pdf