Bug 2264569 (CVE-2023-46809)

Summary: CVE-2023-46809 nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: hhorak, jorton, mvanderw, nodejs-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: node 18.19.1 Doc Type: ---
Doc Text:
A flaw was found in Node.js. The privateDecrypt() API of the crypto library may allow a covert timing side-channel during PKCS#1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing JSON Web Encryption messages.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2264570, 2264800, 2264801, 2264571, 2264572, 2264802, 2264803, 2265710    
Bug Blocks: 2264565    

Description Robb Gatica 2024-02-16 17:16:44 UTC 
A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling. The vulnerability revealed significant timing differences in decryption for valid and invalid ciphertexts. This poses a serious threat as attackers could remotely exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing Json Web Encryption messages.

This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.
Comment 1 Robb Gatica 2024-02-16 17:23:31 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264570]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2264571]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2264572]
Comment 3 Sandipan Roy 2024-02-19 04:09:56 UTC 
Created nodejs16 tracking bugs for this issue:

Affects: fedora-all [bug 2264802]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264800]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264801]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2264803]
Comment 7 errata-xmlrpc 2024-03-26 09:22:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1510 https://access.redhat.com/errata/RHSA-2024:1510
Comment 8 errata-xmlrpc 2024-04-08 08:49:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1688 https://access.redhat.com/errata/RHSA-2024:1688
Comment 9 errata-xmlrpc 2024-04-08 09:04:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1687 https://access.redhat.com/errata/RHSA-2024:1687
Comment 10 errata-xmlrpc 2024-04-18 02:08:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1880 https://access.redhat.com/errata/RHSA-2024:1880
Comment 11 errata-xmlrpc 2024-04-22 01:09:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1932 https://access.redhat.com/errata/RHSA-2024:1932