SUSE update for openCryptoki
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Observable discrepancy
EUVDB-ID: #VU87279
Risk: Medium
CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0914
CWE-ID:
CWE-203 - Observable discrepancy
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a timing side-channel attack.
The vulnerability exists due to observable discrepancy when processing RSA PKCS#1 v1.5 padded ciphertexts. A remote attacker can perform unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.
MitigationUpdate the affected package openCryptoki to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Micro: 5.5
Server Applications Module: 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP5
SUSE Linux Enterprise Server 15: SP5
SUSE Linux Enterprise Real Time 15: SP5
SUSE Linux Enterprise High Performance Computing 15: SP5
openSUSE Leap: 15.5
openCryptoki-32bit: before 3.23.0-150500.3.3.13
openCryptoki-32bit-debuginfo: before 3.23.0-150500.3.3.13
openCryptoki-devel-debuginfo: before 3.23.0-150500.3.3.13
openCryptoki-devel: before 3.23.0-150500.3.3.13
openCryptoki-64bit: before 3.23.0-150500.3.3.13
openCryptoki-64bit-debuginfo: before 3.23.0-150500.3.3.13
openCryptoki: before 3.23.0-150500.3.3.13
openCryptoki-debugsource: before 3.23.0-150500.3.3.13
openCryptoki-debuginfo: before 3.23.0-150500.3.3.13
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241447-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
