CVE-2023-0361
First published: Fri Jan 20 2023(Updated: )
GnuTLS could allow a remote attacker to obtain sensitive information, caused by a timing side-channel flaw in the handling of RSA ClientKeyExchange messages. By recovering the secret from the ClientKeyExchange message, an attacker could exploit this vulnerability to decrypt the application data exchanged over that connection, and use this information to launch further attacks against the affected system.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/gnutls | <0:3.6.16-6.el8_7 | 0:3.6.16-6.el8_7 |
| redhat/gnutls | <0:3.6.16-5.el8_6.1 | 0:3.6.16-5.el8_6.1 |
| redhat/gnutls | <0:3.7.6-18.el9_1 | 0:3.7.6-18.el9_1 |
| redhat/gnutls | <0:3.7.6-18.el9_0 | 0:3.7.6-18.el9_0 |
| IBM Cloud Pak for Business Automation | <=V22.0.2 - V22.0.2-IF004 | |
| IBM Cloud Pak for Business Automation | <=V21.0.3 - V21.0.3-IF020 | |
| IBM Cloud Pak for Business Automation | <=V22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes | |
| Gnu Gnutls | =3.6.8-11.el8_2 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Converged Systems Advisor Agent | ||
| NetApp ONTAP Select Deploy administration utility |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247680
- https://www.ibm.com/support/pages/node/6998727 (Advisory)
- https://access.redhat.com/security/cve/CVE-2023-0361
- https://github.com/tlsfuzzer/tlsfuzzer/pull/679
- https://gitlab.com/gnutls/gnutls/-/issues/1050
- https://lists.debian.org/debian-lts-announce/2023/02/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFIA3X4IZ3CW7SRQ2UHNHNPMRIAWF2FI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WS4KVDOG6QTALWHC2QE4Y7VPDRMLTRWQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z634YBXAJ5VLDI62IOPBVP5K6YFHAWCY/
- https://security.netapp.com/advisory/ntap-20230324-0005/
- https://security.netapp.com/advisory/ntap-20230725-0005/
- https://github.com/tomato42/tlsfuzzer/pull/679
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2169608
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2169609
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2169607
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2169610
- https://access.redhat.com/errata/RHSA-2023:1141
- https://access.redhat.com/errata/RHSA-2023:1200
- https://access.redhat.com/errata/RHSA-2023:1569
- https://access.redhat.com/security/cve/cve-2023-0361
- https://access.redhat.com/errata/RHSA-2023:3361
- https://bugzilla.redhat.com/show_bug.cgi?id=2162596
- https://www.cve.org/CVERecord?id=CVE-2023-0361 https://nvd.nist.gov/vuln/detail/CVE-2023-0361
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2023-0361?
CVE-2023-0361 is a timing side-channel vulnerability found in RSA ClientKeyExchange messages in GnuTLS.
What is the severity level of CVE-2023-0361?
CVE-2023-0361 has a high severity level with a value of 7.
Who discovered the CVE-2023-0361 vulnerability?
The CVE-2023-0361 vulnerability was discovered by the GnuTLS security team.
Which software versions are affected by CVE-2023-0361?
Versions 0:3.6.16-6.el8_7, 0:3.6.16-5.el8_6.1, 0:3.7.6-18.el9_1, and 0:3.7.6-18.el9_0 of GnuTLS are affected by CVE-2023-0361.
How can I fix the CVE-2023-0361 vulnerability?
To fix the CVE-2023-0361 vulnerability, update GnuTLS to version 3.7.7 or higher.
- collector/redhat-cve
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-0361
- agent/weakness
- agent/remedy
- agent/severity
- agent/references
- agent/description
- agent/event
- collector/ibm-support
- agent/software-canonical-lookup-request
- agent/tags
- collector/nvd-api
- collector/nvd-index
- package-manager/redhat
- vendor/ibm
- canonical/ibm cloud pak for business automation
- version/ibm cloud pak for business automation/v22.0.2 - v22.0.2-if004
- version/ibm cloud pak for business automation/v21.0.3 - v21.0.3-if020
- version/ibm cloud pak for business automation/v22.0.1 - v22.0.1-if006 and later fixesv21.0.2 - v21.0.2-if012 and later fixesv21.0.1 - v21.0.1-if007 and later fixesv20.0.1 - v20.0.3 and later fixesv19.0.1 - v19.0.3 and later fixesv18.0.0 - v18.0.2 and later fixes
- vendor/gnu
- canonical/gnu gnutls
- version/gnu gnutls/3.6.8-11.el8_2
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- vendor/netapp
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp converged systems advisor agent
- canonical/netapp ontap select deploy administration utility