Bug 2254432 (CVE-2023-50782) - CVE-2023-50782 python-cryptography: Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659
Keywords:
Status: NEW
Alias: CVE-2023-50782
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2254438 2254439 2254465 2254466
Blocks: 2254430
Reported: 2023-12-13 21:45 UTC by Robb Gatica
Modified: 2024-04-11 13:50 UTC (History)

Fixed In Version: cryptography-42.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links:
Red Hat Bugzilla 2153470 (Priority: unspecified, Status: CLOSED): Backport implicit rejection for RSA PKCS#1 v1.5 encryption (last updated 2024-01-02 08:52:04 UTC)

Description Robb Gatica 2023-12-13 21:45:44 UTC
Description:
The fix for CVE-2020-25659 is not addressing the leakage in the RSA
decryption. Because of the API design, the fix is generally not
believed to be possible to be fully addressed. The issue can be
mitigated by using a cryptographic backend that implements implicit
rejection (Marvin workaround). Only applications that use RSA decryption
with PKCS#1 v1.5 padding are affected.

Implicit rejection in RHEL has shipped in 9.3.0. Will ship in 9.2.eus,
8.6.eus, 8.8.eus, and 8.9.z. No other releases are planned.

References:
https://github.com/pyca/cryptography/issues/9785
https://people.redhat.com/~hkario/marvin/
https://github.com/openssl/openssl/pull/13817

Comment 2 Robb Gatica 2023-12-13 22:17:30 UTC
Created python-cryptography tracking bugs for this issue:

Affects: openstack-rdo [bug 2254438]

Comment 5 Sandipan Roy 2023-12-14 04:51:10 UTC
Created python-cryptography tracking bugs for this issue:

Affects: fedora-38 [bug 2254465]
Affects: fedora-39 [bug 2254466]

Comment 6 Christian Heimes 2024-01-02 08:52:04 UTC
python-cryptography on Fedora is not affected by the timing oracle vulnerability, because Fedora's OpenSSL comes with a backport of implicit rejection for RSA PKCS#1 v1.5 encryption. The mitigation prevents timing attacks.

Comment 7 Hubert Kario 2024-01-04 15:53:32 UTC
Note: this is mitigated through changes in RHEL-9 openssl since openssl-3.0.7-24.el9 (https://access.redhat.com/errata/RHBA-2023:6627) and in RHEL-8 openssl since openssl-1.1.1k-12.el8_9 (https://access.redhat.com/errata/RHSA-2023:7877).

Comment 10 Christian Heimes 2024-01-31 11:49:29 UTC
Actually the "fixed version" is incorrect for Fedora, CentOS, and RHEL. The fix for the CVE is not in python-cryptography but in OpenSSL.

The binary packages from upstream PyCA Cryptography are no longer affected by the bug, because they are shipping binaries with OpenSSL 3.2.0. Upstream OpenSSL 3.2.0 comes with a fix for the timing oracle.

Fedora, CentOS, and RHEL are not using the binary packages from upstream. We are building against our own copy of OpenSSL. Our OpenSSL packages have had a backport of the 3.2.0 mitigation since the middle of last year. See Hubert's comment #7.
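Because the mitigation lives in the OpenSSL that python-cryptography is linked against (see the description and comment 10), the package version alone does not tell you whether you are covered. The following added example (not code from this bug report or from pyca/cryptography) checks the linked backend directly: it builds a ciphertext whose decrypted block cannot carry valid PKCS#1 v1.5 padding and observes whether decryption raises (explicit rejection, the observable failure the timing oracle relies on) or returns a deterministic synthetic message (implicit rejection). It assumes a recent python-cryptography is installed.

```python
"""Check whether the RSA backend behind python-cryptography applies
implicit rejection (the Marvin workaround) to PKCS#1 v1.5 decryption.

Added example, not code from the bug report or from pyca/cryptography.
The outcome depends on the OpenSSL the package is linked against.
"""
import os

from cryptography.hazmat.primitives.asymmetric import padding, rsa


def invalid_pkcs1v15_ciphertext(public_key):
    """Return a ciphertext whose RSA-decrypted block cannot have valid
    PKCS#1 v1.5 padding: its leading byte is 0x01 rather than 0x00.
    A leading 0x01 byte also guarantees m < n for any real modulus."""
    k = (public_key.key_size + 7) // 8
    numbers = public_key.public_numbers()
    m = int.from_bytes(b"\x01" + os.urandom(k - 1), "big")
    return pow(m, numbers.e, numbers.n).to_bytes(k, "big")


def pkcs1v15_rejection_mode(private_key):
    """Classify how the backend reacts to a padding failure.

    'implicit-rejection': decrypt returns a synthetic message derived
        from key and ciphertext (OpenSSL 3.2.0+ or a distro backport),
        so the same input yields the same output on every call.
    'explicit-error': decrypt raises ValueError, so the padding failure
        is observable and the timing oracle in this bug applies.
    'nondeterministic-output': decrypt returned different bytes for the
        same ciphertext, which is not OpenSSL's implicit rejection.
    """
    ct = invalid_pkcs1v15_ciphertext(private_key.public_key())
    try:
        first = private_key.decrypt(ct, padding.PKCS1v15())
        second = private_key.decrypt(ct, padding.PKCS1v15())
    except ValueError:
        return "explicit-error"
    if first != second:
        return "nondeterministic-output"
    return "implicit-rejection"


if __name__ == "__main__":
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    print(pkcs1v15_rejection_mode(key))
```

Run it on the same host that serves the RSA private key; an "explicit-error" result means the linked OpenSSL lacks the backport and the TLS RSA key exchange concern in the Doc Text above still applies.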

