Bug 2257028 (CVE-2023-52323) - CVE-2023-52323 pycryptodome: side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex
Summary: CVE-2023-52323 pycryptodome: side-channel leakage for OAEP decryption in PyCr...
Keywords:
Status: NEW
Alias: CVE-2023-52323
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2257029 2257030 2264203 2257031 2257032 2257033 2257034 2257035 2261628 2261630 2261631 2261632
Blocks: 2257027
TreeView+ depends on / blocked
 
Reported: 2024-01-06 06:13 UTC by Rohit Keshri
Modified: 2024-04-30 09:36 UTC (History)
46 users (show)

Fixed In Version: pycryptodome 3.19.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in PyCryptodome/pycryptodomex which may allow for side-channel leakage when performing OAEP decryption, which could be exploited to carry out a Manger attack.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:1057 0 None None None 2024-02-29 19:41:51 UTC
Red Hat Product Errata RHSA-2024:1155 0 None None None 2024-03-05 18:08:45 UTC
Red Hat Product Errata RHSA-2024:2010 0 None None None 2024-04-23 17:17:03 UTC
Red Hat Product Errata RHSA-2024:2132 0 None None None 2024-04-30 09:36:23 UTC

Internal Links: 2274166

Description Rohit Keshri 2024-01-06 06:13:32 UTC 
PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.

https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst
https://pypi.org/project/pycryptodomex/#history
Comment 1 Rohit Keshri 2024-01-06 06:23:48 UTC 
Created 2ping tracking bugs for this issue:

Affects: fedora-all [bug 2257030]


Created pysnmp tracking bugs for this issue:

Affects: openstack-rdo [bug 2257034]
Comment 6 Daniel Alley 2024-02-14 19:24:34 UTC 
pulp_container, and the dependency pyjwkest, seem to be perfectly compatible with pycryptodome 3.19.1+.  Our upstream CI seems to currently use 3.20.0 with no issues

Therefore, we can resolve this issue by simply upgrading the pycrytpodome package without needing any other code changes.
Comment 7 Yadnyawalk Tale 2024-02-15 18:19:21 UTC 
Thank you for confirming Daniel. We have now revised the impact of Satellite to Low and updated the corresponding statement.
Comment 9 errata-xmlrpc 2024-02-29 19:41:48 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057
Comment 10 errata-xmlrpc 2024-03-05 18:08:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1155 https://access.redhat.com/errata/RHSA-2024:1155
Comment 11 errata-xmlrpc 2024-04-23 17:16:59 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010
Comment 12 errata-xmlrpc 2024-04-30 09:36:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2132 https://access.redhat.com/errata/RHSA-2024:2132
Note You need to log in before you can comment on or make changes to this bug.