CVE-2024-0914: Opencryptoki: timing side-channel in handling of rsa pkcs#1 v1.5 padded ciphertexts (marvin)
First published: Thu Jan 25 2024(Updated: )
A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <3.23.0 | ||
| =8.0 | ||
| =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:1239
- https://access.redhat.com/errata/RHSA-2024:1411
- https://access.redhat.com/errata/RHSA-2024:1608
- https://access.redhat.com/errata/RHSA-2024:1856
- https://access.redhat.com/security/cve/CVE-2024-0914
- https://bugzilla.redhat.com/show_bug.cgi?id=2260407
- https://people.redhat.com/~hkario/marvin/
- https://github.com/opencryptoki/opencryptoki/issues/731
- https://github.com/opencryptoki/opencryptoki/pull/737
- https://github.com/opencryptoki/opencryptoki/commit/2ea019ee2b09f15724d808382d53baca03403288
- https://github.com/opencryptoki/opencryptoki/commit/7ffc0e135b4d923d686be536aa7bf69405a360a1
- https://github.com/opencryptoki/opencryptoki/commit/c26e049bf40d656bc51429bad190b82fbf63f0c7
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2260408
- https://access.redhat.com/errata/RHSA-2024:1992
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- agent/severity
- agent/author
- agent/remedy
- agent/softwarecombine
- agent/event
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-0914
- vendor/opencryptoki project
- canonical/opencryptoki project opencryptoki
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0