REDHAT-BUG-2254426
First published: Wed Dec 13 2023(Updated: )
Description: The fix for <a href="https://access.redhat.com/security/cve/CVE-2020-25657">CVE-2020-25657</a> is not addressing the leakage in the RSA decryption. Because of the API design, the fix is generally not believed to be possible to be fully addressed. The issue can be mitigated by using a cryptographic backend that implements implicit rejection (Marvin workaround). Only applications that use RSA decryption with PKCS#1 v1.5 padding are affected. References: <a href="https://gitlab.com/m2crypto/m2crypto/-/issues/342">https://gitlab.com/m2crypto/m2crypto/-/issues/342</a> <a href="https://people.redhat.com/~hkario/marvin/">https://people.redhat.com/~hkario/marvin/</a> <a href="https://github.com/openssl/openssl/pull/13817">https://github.com/openssl/openssl/pull/13817</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenSSL | ||
| M2Crypto |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2020-25657
- https://gitlab.com/m2crypto/m2crypto/-/issues/342
- https://people.redhat.com/~hkario/marvin/
- https://github.com/openssl/openssl/pull/13817
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2254436
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2254734
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2254735
- https://bugzilla.redhat.com/show_bug.cgi?id=2254426
- agent/references
- agent/severity
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-50781
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/openssl
- canonical/openssl
- vendor/m2crypto
- canonical/m2crypto