Bug 2254432 (CVE-2023-50782)

Summary: CVE-2023-50782 python-cryptography: Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: adudiak, bbuckingham, bcourt, cheimes, davidn, ehelms, epacific, gtanzill, hkario, jcammara, jhardy, jneedle, jobarker, jsherril, kshier, lzap, mabashia, mhulan, mminar, nmoumoul, orabin, pcreech, rbiba, rchan, simaishi, smcdonal, sskracic, stcannon, teagle, tfister, yguenane, zsadeh
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: cryptography-42.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Bug Depends On: 2254438, 2254439, 2254465, 2254466
Bug Blocks: 2254430

Description Robb Gatica 2023-12-13 21:45:44 UTC
Description:
The fix for CVE-2020-25659 is not addressing the leakage in the RSA
decryption. Because of the API design, a complete fix is generally not
believed to be possible. The issue can be
mitigated by using a cryptographic backend that implements implicit
rejection (Marvin workaround). Only applications that use RSA decryption
with PKCS#1 v1.5 padding are affected.

Implicit rejection in RHEL has shipped in 9.3.0. It will ship in 9.2.eus,
8.6.eus, 8.8.eus, and 8.9.z. No other releases are planned.

References:
https://github.com/pyca/cryptography/issues/9785
https://people.redhat.com/~hkario/marvin/
https://github.com/openssl/openssl/pull/13817
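
The mitigation named in the description, implicit rejection, modelled in Python as an added example (this is not code from python-cryptography, OpenSSL or the reporter). The block works on the already RSA-decrypted encoded message so it runs offline without a key; the function names, the HMAC-based synthetic-message construction and the stand-in secret are assumptions, and since Python offers no constant-time guarantees the point shown is the API-visible behaviour: an explicitly rejecting decryptor raises on bad padding, an implicitly rejecting one returns a deterministic pseudo-random message instead.

```python
"""PKCS#1 v1.5 decryption with explicit vs. implicit rejection.

Added illustration for this bug; not code from python-cryptography or OpenSSL.
It works on the RSA-decrypted encoded message (EM) so it runs offline without a
real key: the modular exponentiation is assumed to have happened already.
"""
import hashlib
import hmac
import os


def pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x02 || PS || 0x00 || M for a k-byte modulus (RFC 8017, 7.2.1)."""
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps = bytearray()
    while len(ps) < k - len(message) - 3:
        b = os.urandom(1)
        if b != b"\x00":  # PS must contain no zero bytes
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def _unpad(em: bytes) -> tuple[bool, int]:
    """Validate EM and locate the message start.

    Every byte is scanned and all checks are combined with '&' instead of
    returning at the first failure, mirroring the shape of a constant-time
    C implementation (Python itself gives no timing guarantees).
    """
    ok = int(em[0] == 0x00) & int(em[1] == 0x02)
    sep = -1
    for i in range(2, len(em)):
        if em[i] == 0x00 and sep == -1:
            sep = i  # remember the first separator, keep scanning
    ok &= int(sep != -1)
    ok &= int(sep >= 10)  # at least eight non-zero padding bytes
    return bool(ok), sep + 1


def decrypt_explicit(em: bytes) -> bytes:
    """Classic behaviour: a padding failure surfaces as an error.

    That distinguishable outcome is what a Bleichenbacher-style attack feeds on,
    and an API that reports decryption errors cannot hide it."""
    ok, start = _unpad(em)
    if not ok:
        raise ValueError("decryption error")
    return em[start:]


def synthetic_message(ciphertext: bytes, key_secret: bytes, k: int) -> bytes:
    """Deterministic pseudo-random plaintext for a rejected ciphertext.

    Hypothetical construction modelled loosely on the Marvin workaround: a PRF
    keyed with a secret tied to the private key, applied to the ciphertext,
    yields a length in [0, k-11] and the message bytes, so the same ciphertext
    always gets the same answer and the caller sees no error. OpenSSL 3.2's
    exact derivation differs in detail."""
    kdk = hmac.new(key_secret, ciphertext, hashlib.sha256).digest()
    length = int.from_bytes(hmac.new(kdk, b"len", hashlib.sha256).digest()[:2], "big") % (k - 10)
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(kdk, b"msg" + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def decrypt_implicit(em: bytes, ciphertext: bytes, key_secret: bytes) -> bytes:
    """Implicit rejection: bad padding yields the synthetic message, never an error."""
    ok, start = _unpad(em)
    synthetic = synthetic_message(ciphertext, key_secret, len(em))
    real = em[start:]
    # A production implementation selects between the two buffers in constant
    # time; the property shown here is that both paths return normally.
    return real if ok else synthetic


if __name__ == "__main__":
    K = 128  # 1024-bit modulus, for illustration only
    secret = os.urandom(32)  # stands in for a value derived from the private key
    ct = os.urandom(K)  # stands in for the ciphertext that produced EM (constructed)
    good = pkcs1_v15_encode(b"constructed session secret", K)
    bad = b"\x00\x01" + good[2:]  # wrong block type
    print("valid EM, implicit:", decrypt_implicit(good, ct, secret))
    try:
        decrypt_explicit(bad)
    except ValueError as e:
        print("bad EM, explicit:", e)
    print("bad EM, implicit:", decrypt_implicit(bad, ct, secret).hex())
```

Run as a script, the valid EM decrypts identically in both modes while the corrupted EM raises only in explicit mode. A caller that cannot tell a rejected ciphertext from a genuine decryption has no error signal to act on, which is why the fix belongs in the backend that performs the unpadding rather than in python-cryptography's API.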

Comment 2 Robb Gatica 2023-12-13 22:17:30 UTC
Created python-cryptography tracking bugs for this issue:

Affects: openstack-rdo [bug 2254438]

Comment 5 Sandipan Roy 2023-12-14 04:51:10 UTC
Created python-cryptography tracking bugs for this issue:

Affects: fedora-38 [bug 2254465]
Affects: fedora-39 [bug 2254466]

Comment 6 Christian Heimes 2024-01-02 08:52:04 UTC
python-cryptography on Fedora is not affected by the timing oracle vulnerability, because Fedora's OpenSSL comes with a backport of implicit rejection for RSA PKCS#1 v1.5 encryption. The mitigation prevents timing attacks.

Comment 7 Alicja Kario 2024-01-04 15:53:32 UTC
Note: this is mitigated through changes in RHEL-9 openssl since openssl-3.0.7-24.el9 (https://access.redhat.com/errata/RHBA-2023:6627) and in RHEL-8 openssl since openssl-1.1.1k-12.el8_9 (https://access.redhat.com/errata/RHSA-2023:7877).

Comment 10 Christian Heimes 2024-01-31 11:49:29 UTC
Actually the "fixed version" is incorrect for Fedora, CentOS, and RHEL. The fix for the CVE is not in python-cryptography but in OpenSSL.

The binary packages from upstream PyCA Cryptography are no longer affected by the bug, because they are shipping binaries with OpenSSL 3.2.0. Upstream OpenSSL 3.2.0 comes with a fix for the timing oracle.

Fedora, CentOS, and RHEL are not using the binary packages from upstream. We are building against our own copy of OpenSSL. Our OpenSSL packages have a backport of the 3.2.0 mitigation since the middle of last year. See Hubert's comment #7.
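
Comments 6, 7 and 10 make the practical point: the fix lives in the OpenSSL that python-cryptography is linked against, so the thing to verify is that library, not the cryptography version. The following added example (not code from python-cryptography, OpenSSL or Red Hat) reports the linked OpenSSL through the real `backend.openssl_version_text()` API, compares an upstream version string against 3.2.0, and compares a RHEL `openssl` NVR against the two errata builds named in comment 7. The function names `linked_openssl_text`, `upstream_fixed`, `rpm_vercmp` and `rhel_openssl_fixed` and the sample version strings are assumptions. The caveat, which is exactly what comment 6 describes, is that a distro build can carry the backport while reporting an older OpenSSL version, so the upstream check is only meaningful for upstream wheels; on RHEL the package NVR is what counts.

```python
"""Which OpenSSL does python-cryptography actually use, and is it fixed?

Added example for this bug; not code from python-cryptography, OpenSSL or
Red Hat. Thresholds are taken from comments 7 and 10 of the bug.
"""
import re

UPSTREAM_FIX = (3, 2, 0)  # upstream OpenSSL release that ships implicit rejection

# RHEL builds carrying the backport, per comment 7 (version, release)
RHEL_FIXED = {
    "el9": ("3.0.7", "24.el9"),
    "el8": ("1.1.1k", "12.el8_9"),
}


def linked_openssl_text() -> str:
    """Version string of the OpenSSL that python-cryptography is linked against.

    Upstream wheels bundle upstream OpenSSL; a distro package reports the
    distro's OpenSSL instead. Requires the cryptography package to be installed."""
    from cryptography.hazmat.backends.openssl.backend import backend  # real API
    return backend.openssl_version_text()


def parse_openssl_version(text: str) -> tuple[int, int, int]:
    """'OpenSSL 3.0.7 1 Nov 2022' -> (3, 0, 7). Letter suffixes (1.1.1k) are dropped."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def upstream_fixed(text: str) -> bool:
    """True only for upstream OpenSSL >= 3.2.0; says nothing about distro backports."""
    return parse_openssl_version(text) >= UPSTREAM_FIX


def _segments(s: str) -> list[str]:
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: numeric segments compare as integers, alphabetic
    ones lexically, numbers beat letters, and on a tie the string with more
    segments is newer (tilde/caret handling omitted). Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def rhel_openssl_fixed(nvr: str) -> bool:
    """Compare an 'openssl-<version>-<release>' NVR (no arch suffix) against the
    RHEL 9.3 / 8.9 errata builds from comment 7. EUS streams get their own
    builds (see the description) and are not covered by these thresholds."""
    _name, version, release = nvr.rsplit("-", 2)
    m = re.search(r"\.(el\d+)", release)
    if not m or m.group(1) not in RHEL_FIXED:
        raise ValueError(f"not a RHEL 8/9 build: {nvr!r}")
    fixed_version, fixed_release = RHEL_FIXED[m.group(1)]
    c = rpm_vercmp(version, fixed_version)
    if c == 0:
        c = rpm_vercmp(release, fixed_release)
    return c >= 0


if __name__ == "__main__":
    text = linked_openssl_text()
    print(text, "-> upstream 3.2.0 fix present:", upstream_fixed(text))
```

On a RHEL host the NVR to feed `rhel_openssl_fixed` comes from `rpm -q openssl` with the trailing architecture removed; the constructed strings in the checks below stand in for that output.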