Security Work Items
These work items related to security vulnerabilities in the spec.
Section 7: Says: "We note that none of the attacks just described can compromise keys marked “sensitive,” since a key that is sensitive will always remain sensitive. Similarly, a key that is unextractable cannot be modified to be extractable."
There are a number of vulnerabilities in the spec with regards to extracting keys that should not be extractable. These can be theoretically fixed by tightening up the spec (although in practice a test suite would be needed).
Other vulns have been known for many years, e.g. extracting a key by using a derive on it one bit at a time. Many of these are mitigated by the fact that no known implementation actually implements them.
If we feel a need to address a padded oracle attack, the following recommendation can be used: "To protect against chosen ciphertext attacks, like the Bleichenbacher attack, use PKCS #1 Version 2, with OAEP, and disable support for PKCS #1, Version 1.5"