python-cryptography is vulnerable to Bleichenbacher timing attacks in the RSA decryption API: the time taken to process a PKCS#1 v1.5 ciphertext differs depending on whether the decrypted block carries valid padding, which gives an attacker a padding oracle.
Upstream commit: https://github.com/pyca/cryptography/pull/5507/commits/ce1bef6f1ee06ac497ca0c837fbd1c7ef6c2472b
Acknowledgments: Hubert Kario (Red Hat)
The upstream patch in python-cryptography >= 3.2 is only a partial mitigation against Bleichenbacher attacks. Quote from the upstream changelog:

> **SECURITY ISSUE:** Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability and a future release will contain a new API which is designed to be resilient to these for contexts where it is required. Credit to **Hubert Kario** for reporting the issue. *CVE-2020-25659*

RHEL 8.4 and newer have a recent version of python-cryptography with the partial mitigation. RHBZ #1873581 is the rebase ticket for the update to 3.2.1.
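As an added illustration (this is not code from python-cryptography, from the upstream fix, or from this bug's reporters), the pure-Python toy below shows where the oracle lives and why the upstream fix can only be partial. The RSA operation itself is left out: after m = c^d mod n the decryptor parses the block EM = 0x00 || 0x02 || PS || 0x00 || M (RFC 8017). `unpad_leaky` is the textbook parser with early exits, whose rejection time depends on where the block is malformed; `unpad_fixed_time` walks every byte and folds the checks into one flag, the same "more constant time" approach the changelog describes. `decrypt_pkcs1_v15_api` keeps the raise-on-failure shape of the library API, which is still an oracle for the caller's peer, and `decrypt_implicit_rejection` shows the application-level alternative used by TLS RSA key exchange (RFC 5246, section 7.4.7.1): on failure, continue with a random secret of the expected length. All function names are hypothetical and all test blocks are constructed here; Python gives no hard constant-time guarantee, so treat the fixed-time variant as removing data-dependent control flow, not as a proof of timing independence.

```python
import os
import secrets

# Toy PKCS#1 v1.5 encryption-block handling (RFC 8017, section 7.2).
# EM = 0x00 || 0x02 || PS || 0x00 || M, PS is at least 8 non-zero bytes,
# k is the RSA modulus size in bytes. Hypothetical helper names throughout.


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """Build a valid encryption block for msg (used only to construct inputs)."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = b""
    while len(ps) < k - len(msg) - 3:
        ps += bytes(b for b in os.urandom(k) if b != 0)   # drop zero bytes
    return b"\x00\x02" + ps[: k - len(msg) - 3] + b"\x00" + msg


def unpad_leaky(em: bytes):
    """Textbook unpadding with early exits. Time-to-reject depends on which
    check fails and where the separator sits, so an attacker timing many
    decryptions of chosen ciphertexts learns whether m starts 0x00 0x02:
    the Bleichenbacher oracle."""
    if em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)          # stops scanning at the separator
    if sep < 0 or sep - 2 < 8:
        return None
    return em[sep + 1:]


def unpad_fixed_time(em: bytes):
    """Examine every byte and accumulate one 'bad' flag with bitwise
    arithmetic instead of branches. Returns (ok, message) with ok in {0, 1};
    the message slice is produced even when ok == 0."""
    k = len(em)
    bad = em[0] | (em[1] ^ 0x02)           # nonzero unless header is 00 02
    sep, found = 0, 0
    for i in range(2, k):
        is_zero = ((em[i] - 1) >> 8) & 1   # 1 iff em[i] == 0, no comparison
        first = is_zero & (found ^ 1)      # 1 only for the first zero byte
        sep |= i * first
        found |= is_zero
    bad |= found ^ 1                       # no separator at all
    bad |= ((sep - 10) >> 31) & 1          # PS shorter than 8 bytes (sep < 10)
    ok = ((bad - 1) >> 31) & 1             # 1 iff bad == 0
    return ok, em[sep + 1:]


def decrypt_pkcs1_v15_api(em: bytes) -> bytes:
    """Shape of the library API: raise on bad padding. Even with a fixed-time
    parser, raise-versus-return is observable by the caller and its network
    peer, which is why the upstream changelog calls the fix partial."""
    ok, msg = unpad_fixed_time(em)
    if not ok:
        raise ValueError("Decryption failed")
    return msg


def ct_select(ok: int, a: bytes, b: bytes) -> bytes:
    """Return a when ok == 1, b when ok == 0, via byte masks (equal lengths)."""
    mask = (-ok) & 0xFF                    # 0xFF or 0x00
    return bytes((x & mask) | (y & (mask ^ 0xFF)) for x, y in zip(a, b))


def decrypt_implicit_rejection(em: bytes, secret_len: int) -> bytes:
    """Never signal failure: invalid padding, or a message of the wrong
    length, yields a fresh random secret of the expected length and the
    protocol continues, failing later in a padding-independent way."""
    ok, msg = unpad_fixed_time(em)
    ok &= (((len(msg) ^ secret_len) - 1) >> 31) & 1   # 1 iff lengths match
    candidate = msg[:secret_len].ljust(secret_len, b"\x00")
    return ct_select(ok, candidate, secrets.token_bytes(secret_len))


if __name__ == "__main__":
    # Constructed sample blocks for a 256-bit (32-byte) modulus.
    good = pkcs1_v15_pad(b"secret", 32)
    bad_header = b"\x00\x01" + good[2:]
    short_ps = b"\x00\x02" + b"\x11" * 7 + b"\x00" + b"x" * 22
    for name, em in (("good", good), ("bad_header", bad_header), ("short_ps", short_ps)):
        print(name, unpad_leaky(em), unpad_fixed_time(em)[0],
              decrypt_implicit_rejection(em, 6))
```

The implicit-rejection variant only helps when the protocol expects a fixed-length secret and the peer cannot otherwise tell a random secret from the real one; for new designs the straightforward fix is to use OAEP instead of PKCS#1 v1.5 encryption.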
CloudForms stopped shipping python-cryptography from 5.11 (5.0) onward. Support for 5.10 (4.7) is EOL from February 7, 2021. Please refer to the CloudForms Lifecycle page for more information: https://access.redhat.com/support/policy/updates/cloudforms
External References: https://cryptography.io/en/latest/changelog.html#v3-2
Created python-cryptography tracking bugs for this issue: Affects: openstack-rdo [bug 1929462]
Statement: In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-cryptography package.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1608 https://access.redhat.com/errata/RHSA-2021:1608
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25659
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2021:2239 https://access.redhat.com/errata/RHSA-2021:2239
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254