SUSE update for openCryptoki
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-0914 |
| CWE-ID | CWE-203 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Enterprise Software Development Kit 12 Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 12 Operating systems & Components / Operating system SUSE Linux Enterprise Server 12 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 12 Operating systems & Components / Operating system openCryptoki-32bit Operating systems & Components / Operating system package or component openCryptoki-64bit Operating systems & Components / Operating system package or component openCryptoki Operating systems & Components / Operating system package or component openCryptoki-debuginfo Operating systems & Components / Operating system package or component openCryptoki-devel Operating systems & Components / Operating system package or component openCryptoki-debugsource Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Observable discrepancy
EUVDB-ID: #VU87279
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-0914
CWE-ID:
CWE-203 - Observable discrepancy
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a timing side-channel attack.
The vulnerability exists due to observable discrepancy when processing RSA PKCS#1 v1.5 padded ciphertexts. A remote attacker can perform unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.
MitigationUpdate the affected package openCryptoki to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Software Development Kit 12: SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
openCryptoki-32bit: before 3.17.0-5.9.2
openCryptoki-64bit: before 3.17.0-5.9.2
openCryptoki: before 3.17.0-5.9.2
openCryptoki-debuginfo: before 3.17.0-5.9.2
openCryptoki-devel: before 3.17.0-5.9.2
openCryptoki-debugsource: before 3.17.0-5.9.2
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_software_development_kit_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:a:suse:opencryptoki-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:opencryptoki-64bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:opencryptoki:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:opencryptoki-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:opencryptoki-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:opencryptoki-debugsource:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2024/suse-su-20242298-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
