Bug 2270358 (CVE-2024-2408) - CVE-2024-2408 php: potential exposure to Marvin attack via unsafe implementation of RSA decryption API
Summary: CVE-2024-2408 php: potential exposure to Marvin attack via unsafe implementation of RSA decryption API
Keywords:
Status: NEW
Alias: CVE-2024-2408
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2291133
Blocks: 2270357
Reported: 2024-03-19 22:21 UTC by Robb Gatica
Modified: 2024-06-13 14:38 UTC

Fixed In Version: php 8.2.12
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Robb Gatica 2024-03-19 22:21:31 UTC
As with other users of OpenSSL vulnerable to the Marvin Attack, the issue is caused by improper use of the RSA decryption APIs provided by OpenSSL. Upstream doesn't plan to introduce any code changes, but will instead document that the API is unsafe to use unless it's used with OpenSSL that implements implicit rejection (we have already shipped those fixes in RHEL 8, 9, and in Fedora).

References:
https://people.redhat.com/~hkario/marvin/
https://github.com/openssl/openssl/pull/13817
https://www.php.net/manual/en/function.openssl-private-decrypt.php
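The description above says the API is only safe when the underlying OpenSSL implements implicit rejection, which is a property of the linked library rather than of the PHP version. The following is an added example by the editor, not code from the bug report, from php-src or from OpenSSL. It probes the actual behaviour of the linked OpenSSL (rather than trusting a version string, which misleads where distributions backport the change) and puts the warned-about PKCS#1 v1.5 call next to the OAEP form the PHP manual recommends. It assumes PHP 8 with ext-openssl; all function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example by the editor; not code from the bug report, PHP or OpenSSL.
// Function names are hypothetical. Assumes PHP 8 with ext-openssl.

/**
 * Generate a fresh 2048-bit RSA key pair.
 * Returns [private key, public key PEM, modulus length in bytes].
 */
function makeRsaKey(): array
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    $details = openssl_pkey_get_details($key);
    return [$key, $details['key'], strlen($details['rsa']['n'])];
}

/**
 * Probe: does the linked OpenSSL apply implicit rejection to PKCS#1 v1.5
 * decryption? Hand the private key a block whose padding is deliberately
 * invalid. Without implicit rejection OpenSSL reports a padding error and
 * openssl_private_decrypt() returns false, an outcome distinct from a valid
 * decryption (the oracle the Marvin attack recovers through timing). With
 * implicit rejection the call "succeeds" and returns a synthetic plaintext
 * derived from the ciphertext, so both cases take the same path.
 * Note: this checks the error-path oracle only; it does not measure timing.
 */
function opensslHasImplicitRejection(): bool
{
    [$priv, $pubPem, $k] = makeRsaKey();

    // k-byte block: 0x00, block type 0x01 (wrong: encryption requires type
    // 0x02), 0xFF filler, 0x00 separator. The leading 0x00 keeps the value
    // below the modulus so the raw RSA operation itself does not reject it.
    $badBlock = "\x00\x01" . str_repeat("\xFF", $k - 3) . "\x00";

    // Raw RSA public operation (no padding) so the decryptor sees exactly this block.
    if (!openssl_public_encrypt($badBlock, $ct, $pubPem, OPENSSL_NO_PADDING)) {
        throw new RuntimeException('raw RSA operation failed: ' . openssl_error_string());
    }

    $ok = openssl_private_decrypt($ct, $pt, $priv, OPENSSL_PKCS1_PADDING);
    while (openssl_error_string() !== false) { /* drain the error queue */ }
    return $ok;
}

/** The warned-about form. PKCS#1 v1.5 is also the default when the padding argument is omitted. */
function decryptPkcs1v15(OpenSSLAsymmetricKey $priv, string $ct): ?string
{
    // Only acceptable when opensslHasImplicitRejection() is true.
    return openssl_private_decrypt($ct, $pt, $priv, OPENSSL_PKCS1_PADDING) ? $pt : null;
}

/** The recommended form: RSA-OAEP is not subject to the PKCS#1 v1.5 padding oracle. */
function decryptOaep(OpenSSLAsymmetricKey $priv, string $ct): ?string
{
    return openssl_private_decrypt($ct, $pt, $priv, OPENSSL_PKCS1_OAEP_PADDING) ? $pt : null;
}

// Demonstration on a constructed message.
[$priv, $pubPem, $k] = makeRsaKey();
$msg = 'constructed sample: 32 bytes of session key material';
if (!openssl_public_encrypt($msg, $ct, $pubPem, OPENSSL_PKCS1_OAEP_PADDING)) {
    throw new RuntimeException('OAEP encrypt failed: ' . openssl_error_string());
}
if (decryptOaep($priv, $ct) !== $msg) {
    throw new RuntimeException('OAEP round trip failed');
}

printf("OpenSSL: %s\n", OPENSSL_VERSION_TEXT);
printf("implicit rejection: %s\n", opensslHasImplicitRejection()
    ? 'yes (PKCS#1 v1.5 decryption tolerable)'
    : 'NO (do not use OPENSSL_PKCS1_PADDING; switch to OAEP)');
```

Run with `php probe.php` on each PHP build you deploy; the result follows the OpenSSL the build is linked against, so a RHEL or Fedora PHP can report implicit rejection while a container built from an unpatched OpenSSL of the same nominal version reports none. Whatever the probe says, moving callers to OPENSSL_PKCS1_OAEP_PADDING removes the dependence on the platform's OpenSSL.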

Comment 2 Alicja Kario 2024-06-07 09:24:57 UTC
This issue is now public: https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864

Comment 3 Sandipan Roy 2024-06-10 08:02:43 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2291133]

