Description
A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.
Reserved 2023-11-07 | Published 2023-11-28 | Updated 2024-11-23 | Assigner
redhatMEDIUM: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Problem types
Observable Discrepancy
Product status
Default status
affected
0:3.6.16-8.el8_9 before *
unaffected
Default status
affected
0:3.6.16-8.el8_9 before *
unaffected
Default status
affected
0:3.6.16-5.el8_6.2 before *
unaffected
Default status
affected
0:3.6.16-7.el8_8.1 before *
unaffected
Default status
affected
0:3.7.6-23.el9_3.3 before *
unaffected
Default status
affected
0:3.7.6-23.el9_3.3 before *
unaffected
Default status
affected
0:3.7.6-21.el9_2.1 before *
unaffected
Default status
affected
v4.15.0-37 before *
unaffected
Default status
affected
v4.15.0-68 before *
unaffected
Default status
affected
v4.15.0-158 before *
unaffected
Default status
affected
v4.15.0-39 before *
unaffected
Default status
affected
v4.15.0-58 before *
unaffected
Default status
affected
v4.15.0-158 before *
unaffected
Default status
affected
v4.15.0-13 before *
unaffected
Default status
affected
v4.15.0-81 before *
unaffected
Default status
affected
v4.15.0-158 before *
unaffected
Default status
affected
v4.15.0-79 before *
unaffected
Default status
affected
v4.15.0-22 before *
unaffected
Default status
affected
v4.15.0-57 before *
unaffected
Default status
affected
v4.15.0-6 before *
unaffected
Default status
affected
v4.15.0-158 before *
unaffected
Default status
affected
v4.15.0-15 before *
unaffected
Default status
affected
v4.15.0-15 before *
unaffected
Default status
affected
v4.15.0-54 before *
unaffected
Default status
affected
v4.15.0-158 before *
unaffected
Default status
affected
v4.15.0-10 before *
unaffected
Default status
affected
v4.15.0-26 before *
unaffected
Default status
affected
v4.15.0-158 before *
unaffected
Default status
affected
v4.15.0-19 before *
unaffected
Default status
affected
v4.15.0-158 before *
unaffected
Default status
affected
v4.15.0-158 before *
unaffected
Default status
affected
v4.15.0-21 before *
unaffected
Default status
affected
v4.15.0-103 before *
unaffected
Default status
affected
v5.8.6-22 before *
unaffected
Default status
affected
v5.8.6-11 before *
unaffected
Default status
affected
v6.8.1-407 before *
unaffected
Default status
affected
v5.8.6-19 before *
unaffected
Default status
affected
v1.0.0-479 before *
unaffected
Default status
affected
v5.8.6-7 before *
unaffected
Default status
affected
v0.4.0-247 before *
unaffected
Default status
affected
v5.8.6-5 before *
unaffected
Default status
affected
v1.1.0-227 before *
unaffected
Default status
affected
v5.8.1-470 before *
unaffected
Default status
affected
v2.9.6-14 before *
unaffected
Default status
affected
v5.8.6-2 before *
unaffected
Default status
affected
v5.8.6-24 before *
unaffected
Default status
affected
v5.8.6-10 before *
unaffected
Default status
affected
v0.1.0-525 before *
unaffected
Default status
affected
v0.1.0-224 before *
unaffected
Default status
affected
v0.28.1-56 before *
unaffected
Default status
unknown
Default status
unknown
Timeline
| 2023-11-07: | Reported to Red Hat. |
| 2023-11-15: | Made public. |
Credits
This issue was discovered by Daiki Ueno (Red Hat).
References
access.redhat.com/errata/RHSA-2024:0155 (RHSA-2024:0155) vendor-advisory
access.redhat.com/errata/RHSA-2024:0319 (RHSA-2024:0319) vendor-advisory
access.redhat.com/errata/RHSA-2024:0399 (RHSA-2024:0399) vendor-advisory
access.redhat.com/errata/RHSA-2024:0451 (RHSA-2024:0451) vendor-advisory
access.redhat.com/errata/RHSA-2024:0533 (RHSA-2024:0533) vendor-advisory
access.redhat.com/errata/RHSA-2024:1383 (RHSA-2024:1383) vendor-advisory
access.redhat.com/errata/RHSA-2024:2094 (RHSA-2024:2094) vendor-advisory
access.redhat.com/security/cve/CVE-2023-5981 vdb-entry
bugzilla.redhat.com/show_bug.cgi?id=2248445 (RHBZ#2248445) issue-tracking
gnutls.org/security-new.html
cve.org (CVE-2023-5981)
nvd.nist.gov (CVE-2023-5981)
Download JSON
