CVE-2024-0914
Public on 2024-01-26
Modified on 2024-02-13
Description
A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.
This issue requires a significant effort to exploit, requiring special conditions allowing an attacker to send a large number of crafted packets to a vulnerable service. The resolution for this issue (adding support for implicit rejection for RSA PKCS#1) introduces a functional change in the library that may break existing applications. Considering the tradeoff between the stability of Amazon Linux and the impact of CVE-2024-0914 a fix will not be provided for opencryptoki in Amazon Linux 2 at this time.
This issue requires a significant effort to exploit, requiring special conditions allowing an attacker to send a large number of crafted packets to a vulnerable service. The resolution for this issue (adding support for implicit rejection for RSA PKCS#1) introduces a functional change in the library that may break existing applications. Considering the tradeoff between the stability of Amazon Linux and the impact of CVE-2024-0914 a fix will not be provided for opencryptoki in Amazon Linux 2 at this time.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | opencryptoki | No Fix Planned |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | CVSSv3 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |