Bug 2257028 (CVE-2023-52323)

Summary: CVE-2023-52323 pycryptodome: side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, apevec, bbuckingham, bcourt, dalley, davidn, dfreiber, drow, eglynn, ehelms, epacific, jburrell, jcammara, jhardy, jjoyce, jneedle, jobarker, jschluet, jsherril, kshier, kyoshida, lhh, lmadsen, lsvaty, lzap, mabashia, mburns, mgarciac, mhulan, mrunge, nmoumoul, orabin, osapryki, pcreech, pgrist, rchan, rhos-maint, simaishi, smcdonal, stcannon, teagle, tfister, vkumar, yguenane, ytale, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pycryptodome 3.19.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in PyCryptodome/pycryptodomex which may allow for side-channel leakage when performing OAEP decryption, which could be exploited to carry out a Manger attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2257029, 2257030, 2264203, 2257031, 2257032, 2257033, 2257034, 2257035, 2261628, 2261630, 2261631, 2261632    
Bug Blocks: 2257027    

Description Rohit Keshri 2024-01-06 06:13:32 UTC 
PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.

https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst
https://pypi.org/project/pycryptodomex/#history
Comment 1 Rohit Keshri 2024-01-06 06:23:48 UTC 
Created 2ping tracking bugs for this issue:

Affects: fedora-all [bug 2257030]


Created pysnmp tracking bugs for this issue:

Affects: openstack-rdo [bug 2257034]
Comment 6 Daniel Alley 2024-02-14 19:24:34 UTC 
pulp_container, and the dependency pyjwkest, seem to be perfectly compatible with pycryptodome 3.19.1+.  Our upstream CI seems to currently use 3.20.0 with no issues

Therefore, we can resolve this issue by simply upgrading the pycrytpodome package without needing any other code changes.
Comment 7 Yadnyawalk Tale 2024-02-15 18:19:21 UTC 
Thank you for confirming Daniel. We have now revised the impact of Satellite to Low and updated the corresponding statement.
Comment 9 errata-xmlrpc 2024-02-29 19:41:48 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057
Comment 10 errata-xmlrpc 2024-03-05 18:08:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1155 https://access.redhat.com/errata/RHSA-2024:1155
Comment 11 errata-xmlrpc 2024-04-23 17:16:59 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010
Comment 12 errata-xmlrpc 2024-04-30 09:36:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2132 https://access.redhat.com/errata/RHSA-2024:2132
Comment 13 errata-xmlrpc 2024-05-22 09:14:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2952 https://access.redhat.com/errata/RHSA-2024:2952
Comment 14 errata-xmlrpc 2024-05-22 09:23:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2968 https://access.redhat.com/errata/RHSA-2024:2968