A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling. The vulnerability revealed significant timing differences in decryption for valid and invalid ciphertexts. This poses a serious threat as attackers could remotely exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing Json Web Encryption messages. This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.
Created nodejs tracking bugs for this issue: Affects: epel-all [bug 2264570] Created nodejs18 tracking bugs for this issue: Affects: fedora-all [bug 2264571] Created nodejs20 tracking bugs for this issue: Affects: fedora-all [bug 2264572]
Created nodejs16 tracking bugs for this issue: Affects: fedora-all [bug 2264802] Created nodejs:13/nodejs tracking bugs for this issue: Affects: epel-all [bug 2264800] Created nodejs:16-epel/nodejs tracking bugs for this issue: Affects: epel-all [bug 2264801] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2264803]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1510 https://access.redhat.com/errata/RHSA-2024:1510
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:1688 https://access.redhat.com/errata/RHSA-2024:1688
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1687 https://access.redhat.com/errata/RHSA-2024:1687
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:1880 https://access.redhat.com/errata/RHSA-2024:1880
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1932 https://access.redhat.com/errata/RHSA-2024:1932