Bug 2257837 (CVE-2024-20952) - CVE-2024-20952 OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547)
Summary: CVE-2024-20952 OpenJDK: RSA padding issue and timing side-channel attack agai...
Keywords:
Status: NEW
Alias: CVE-2024-20952
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 2243636
Depends On: 2257303
Blocks: 2257260
Reported: 2024-01-11 09:16 UTC by Mauro Matteo Cascella
Modified: 2024-02-26 11:35 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2024:0303  0        None      None    None     2024-01-18 20:02:21 UTC
Red Hat Product Errata  RHBA-2024:0309  0        None      None    None     2024-01-22 01:01:35 UTC
Red Hat Product Errata  RHBA-2024:0314  0        None      None    None     2024-01-22 03:26:18 UTC
Red Hat Product Errata  RHBA-2024:0321  0        None      None    None     2024-01-22 14:00:30 UTC
Red Hat Product Errata  RHBA-2024:0323  0        None      None    None     2024-01-22 14:38:19 UTC
Red Hat Product Errata  RHBA-2024:0324  0        None      None    None     2024-01-22 18:01:33 UTC
Red Hat Product Errata  RHBA-2024:0326  0        None      None    None     2024-01-22 18:05:14 UTC
Red Hat Product Errata  RHBA-2024:0327  0        None      None    None     2024-01-22 17:59:02 UTC
Red Hat Product Errata  RHBA-2024:0328  0        None      None    None     2024-01-22 18:04:24 UTC
Red Hat Product Errata  RHBA-2024:0329  0        None      None    None     2024-01-22 18:04:15 UTC
Red Hat Product Errata  RHBA-2024:0330  0        None      None    None     2024-01-22 18:04:37 UTC
Red Hat Product Errata  RHBA-2024:0331  0        None      None    None     2024-01-22 18:00:08 UTC
Red Hat Product Errata  RHBA-2024:0377  0        None      None    None     2024-01-23 17:17:54 UTC
Red Hat Product Errata  RHBA-2024:0491  0        None      None    None     2024-01-25 11:26:20 UTC
Red Hat Product Errata  RHBA-2024:0492  0        None      None    None     2024-01-25 13:00:26 UTC
Red Hat Product Errata  RHBA-2024:0493  0        None      None    None     2024-01-25 13:07:03 UTC
Red Hat Product Errata  RHBA-2024:0496  0        None      None    None     2024-01-25 14:35:12 UTC
Red Hat Product Errata  RHBA-2024:0534  0        None      None    None     2024-01-29 01:08:58 UTC
Red Hat Product Errata  RHBA-2024:0535  0        None      None    None     2024-01-29 01:16:32 UTC
Red Hat Product Errata  RHBA-2024:0544  0        None      None    None     2024-01-29 13:44:05 UTC
Red Hat Product Errata  RHBA-2024:0560  0        None      None    None     2024-01-30 10:53:59 UTC
Red Hat Product Errata  RHBA-2024:0567  0        None      None    None     2024-01-30 13:27:24 UTC
Red Hat Product Errata  RHBA-2024:0707  0        None      None    None     2024-02-06 18:43:57 UTC
Red Hat Product Errata  RHBA-2024:0708  0        None      None    None     2024-02-06 18:44:17 UTC
Red Hat Product Errata  RHBA-2024:0784  0        None      None    None     2024-02-12 13:13:27 UTC
Red Hat Product Errata  RHBA-2024:0787  0        None      None    None     2024-02-12 14:57:42 UTC
Red Hat Product Errata  RHBA-2024:0794  0        None      None    None     2024-02-12 18:44:31 UTC
Red Hat Product Errata  RHBA-2024:0935  0        None      None    None     2024-02-21 19:16:00 UTC
Red Hat Product Errata  RHBA-2024:0985  0        None      None    None     2024-02-26 11:35:55 UTC
Red Hat Product Errata  RHSA-2024:0222  0        None      None    None     2024-01-17 13:54:45 UTC
Red Hat Product Errata  RHSA-2024:0223  0        None      None    None     2024-01-17 15:56:06 UTC
Red Hat Product Errata  RHSA-2024:0224  0        None      None    None     2024-01-17 15:44:29 UTC
Red Hat Product Errata  RHSA-2024:0225  0        None      None    None     2024-01-17 09:01:24 UTC
Red Hat Product Errata  RHSA-2024:0226  0        None      None    None     2024-01-17 15:57:42 UTC
Red Hat Product Errata  RHSA-2024:0228  0        None      None    None     2024-01-17 19:06:57 UTC
Red Hat Product Errata  RHSA-2024:0230  0        None      None    None     2024-01-17 13:55:05 UTC
Red Hat Product Errata  RHSA-2024:0231  0        None      None    None     2024-01-17 14:00:55 UTC
Red Hat Product Errata  RHSA-2024:0232  0        None      None    None     2024-01-17 15:56:24 UTC
Red Hat Product Errata  RHSA-2024:0233  0        None      None    None     2024-01-17 16:52:51 UTC
Red Hat Product Errata  RHSA-2024:0234  0        None      None    None     2024-01-17 09:01:44 UTC
Red Hat Product Errata  RHSA-2024:0235  0        None      None    None     2024-01-17 17:51:26 UTC
Red Hat Product Errata  RHSA-2024:0237  0        None      None    None     2024-01-17 19:15:07 UTC
Red Hat Product Errata  RHSA-2024:0239  0        None      None    None     2024-01-17 14:01:06 UTC
Red Hat Product Errata  RHSA-2024:0240  0        None      None    None     2024-01-17 14:07:12 UTC
Red Hat Product Errata  RHSA-2024:0241  0        None      None    None     2024-01-17 09:01:58 UTC
Red Hat Product Errata  RHSA-2024:0242  0        None      None    None     2024-01-17 19:14:52 UTC
Red Hat Product Errata  RHSA-2024:0244  0        None      None    None     2024-01-17 19:15:55 UTC
Red Hat Product Errata  RHSA-2024:0246  0        None      None    None     2024-01-17 14:06:59 UTC
Red Hat Product Errata  RHSA-2024:0247  0        None      None    None     2024-01-17 14:15:30 UTC
Red Hat Product Errata  RHSA-2024:0248  0        None      None    None     2024-01-17 19:19:56 UTC
Red Hat Product Errata  RHSA-2024:0249  0        None      None    None     2024-01-17 08:56:51 UTC
Red Hat Product Errata  RHSA-2024:0250  0        None      None    None     2024-01-17 14:15:45 UTC
Red Hat Product Errata  RHSA-2024:0265  0        None      None    None     2024-01-17 18:59:34 UTC
Red Hat Product Errata  RHSA-2024:0266  0        None      None    None     2024-01-18 18:06:41 UTC
Red Hat Product Errata  RHSA-2024:0267  0        None      None    None     2024-01-17 19:01:03 UTC

Description Mauro Matteo Cascella 2024-01-11 09:16:36 UTC
It was discovered that the TLS implementation in the Security component of OpenJDK was vulnerable to an RSA padding issue and timing side-channel attack. This could possibly lead to disclosure of some information meant to be protected by encryption.

Comment 8 errata-xmlrpc 2024-01-17 08:56:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0249 https://access.redhat.com/errata/RHSA-2024:0249

Comment 9 errata-xmlrpc 2024-01-17 09:01:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0225 https://access.redhat.com/errata/RHSA-2024:0225

Comment 10 errata-xmlrpc 2024-01-17 09:01:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0234 https://access.redhat.com/errata/RHSA-2024:0234

Comment 11 errata-xmlrpc 2024-01-17 09:01:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0241 https://access.redhat.com/errata/RHSA-2024:0241

Comment 12 errata-xmlrpc 2024-01-17 13:54:43 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u402

Via RHSA-2024:0222 https://access.redhat.com/errata/RHSA-2024:0222

Comment 13 errata-xmlrpc 2024-01-17 13:55:03 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u402

Via RHSA-2024:0230 https://access.redhat.com/errata/RHSA-2024:0230

Comment 14 errata-xmlrpc 2024-01-17 14:00:54 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.22

Via RHSA-2024:0231 https://access.redhat.com/errata/RHSA-2024:0231

Comment 15 errata-xmlrpc 2024-01-17 14:01:04 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.22

Via RHSA-2024:0239 https://access.redhat.com/errata/RHSA-2024:0239

Comment 16 errata-xmlrpc 2024-01-17 14:06:57 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.10

Via RHSA-2024:0246 https://access.redhat.com/errata/RHSA-2024:0246

Comment 17 errata-xmlrpc 2024-01-17 14:07:11 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.10

Via RHSA-2024:0240 https://access.redhat.com/errata/RHSA-2024:0240

Comment 18 errata-xmlrpc 2024-01-17 14:15:29 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 21.0.2

Via RHSA-2024:0247 https://access.redhat.com/errata/RHSA-2024:0247

Comment 19 errata-xmlrpc 2024-01-17 14:15:44 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 21.0.2

Via RHSA-2024:0250 https://access.redhat.com/errata/RHSA-2024:0250

Comment 20 errata-xmlrpc 2024-01-17 15:44:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:0224 https://access.redhat.com/errata/RHSA-2024:0224

Comment 21 errata-xmlrpc 2024-01-17 15:56:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:0223 https://access.redhat.com/errata/RHSA-2024:0223

Comment 22 errata-xmlrpc 2024-01-17 15:56:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:0232 https://access.redhat.com/errata/RHSA-2024:0232

Comment 23 errata-xmlrpc 2024-01-17 15:57:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0226 https://access.redhat.com/errata/RHSA-2024:0226

Comment 24 errata-xmlrpc 2024-01-17 16:52:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:0233 https://access.redhat.com/errata/RHSA-2024:0233

Comment 25 errata-xmlrpc 2024-01-17 17:51:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0235 https://access.redhat.com/errata/RHSA-2024:0235

Comment 26 errata-xmlrpc 2024-01-17 18:59:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support
  Red Hat Enterprise Linux 8
  Red Hat Enterprise Linux 9.2 Extended Update Support
  Red Hat Enterprise Linux 9

Via RHSA-2024:0265 https://access.redhat.com/errata/RHSA-2024:0265

Comment 27 errata-xmlrpc 2024-01-17 19:01:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support
  Red Hat Enterprise Linux 8
  Red Hat Enterprise Linux 9.2 Extended Update Support
  Red Hat Enterprise Linux 9

Via RHSA-2024:0267 https://access.redhat.com/errata/RHSA-2024:0267

Comment 28 errata-xmlrpc 2024-01-17 19:06:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:0228 https://access.redhat.com/errata/RHSA-2024:0228

Comment 29 errata-xmlrpc 2024-01-17 19:14:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0242 https://access.redhat.com/errata/RHSA-2024:0242

Comment 30 errata-xmlrpc 2024-01-17 19:15:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:0237 https://access.redhat.com/errata/RHSA-2024:0237

Comment 31 errata-xmlrpc 2024-01-17 19:15:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:0244 https://access.redhat.com/errata/RHSA-2024:0244

Comment 32 errata-xmlrpc 2024-01-17 19:19:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0248 https://access.redhat.com/errata/RHSA-2024:0248

Comment 33 errata-xmlrpc 2024-01-18 18:06:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support
  Red Hat Enterprise Linux 8
  Red Hat Enterprise Linux 9.2 Extended Update Support
  Red Hat Enterprise Linux 9

Via RHSA-2024:0266 https://access.redhat.com/errata/RHSA-2024:0266

Comment 39 Dhananjay Arunesh 2024-02-22 11:51:10 UTC
*** Bug 2243636 has been marked as a duplicate of this bug. ***

