Alicja Kario

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** The `CMS decrypt()` and `PKCS7 decrypt()` functions are susceptible to a Bleichenbacher-style attack, which is an adaptive-chosen-ciphertext side channel. This allows an attacker to use a vulnerable application to decrypt or sign messages using the victim's private RSA key. The issue occurs in two scenarios: first, when the decryption API is used without a recipient certificate, OpenSSL iterates through every `KeyTransRecipientInfo` (KTRI) without stopping at the first success; second, when a recipient certificate is provided but the recipient is not found, a random key is substituted. In both cases, if an attacker can observe error codes or decryption output, they can establish an oracle to decrypt RSA ciphertexts or forge PKCS#1 v1.5 signatures. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** PKCS#12 file processing fails to perform sufficient input validation for files using the Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism. This allows an attacker to create unencrypted PKCS#12 files that specify an HMAC key of only one byte. Consequently, a service reading these files may accept forged certificates and private keys with a 1 in 256 probability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openssl-3 (affected versions not specified) **Description** The issue concerns a timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture. Additionally, there is a missing null pointer check before accessing `handshake func` in `ssl lib.c`. This could potentially lead to security issues. There is also an issue with Disabling EMS in OpenSSL configuration, which prevents sshd from starting. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24 Oracle GraalVM for JDK versions 17.0.14, 21.0.6, 24 Oracle GraalVM Enterprise Edition versions 20.3.17, 21.3.13 **Description** The issue allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data or all accessible data, as well as unauthorized access to critical data or complete access to all accessible data. This can be exploited by using APIs in the specified component, such as through a web service that supplies data to the APIs. The issue also applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. **Recommendations** For Oracle Java SE versions 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24, update to a version that includes the fix for this issue. For Oracle GraalVM for JDK versions 17.0.14, 21.0.6, 24, update to a version that includes the fix for this issue. For Oracle GraalVM Enterprise Edition versions 20.3.17, 21.3.13, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the JSSE component until a patch is available. Avoid using APIs in the JSSE component to supply data to web services until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is `inverted ECDSA nonce value` is zero. This can happen with significant probability only for some of the supported elliptic curves, in particular the NIST P-521 curve. The severity of this vulnerability is Low. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intel QAT Engine for OpenSSL versions prior to v1.6.1 **Description** The issue is related to insufficient control flow management in the Intel QAT Engine for OpenSSL software, which may allow information disclosure via network access. This could enable a remote attacker to gain unauthorized access to protected information. **Recommendations** For versions prior to v1.6.1, update to version v1.6.1 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Intel QAT Engine for OpenSSL versions prior to v1.6.1 Description: The issue is related to an observable discrepancy in the Intel QAT Engine for OpenSSL software, which may allow information disclosure via network access. This could potentially enable an attacker to reveal protected information. Recommendations: For versions prior to v1.6.1, update to version v1.6.1 or later to resolve the issue. As a temporary workaround, consider restricting network access to the Intel QAT Engine for OpenSSL software until the update is applied.

Name of the Vulnerable Software and Affected Versions: Intel(R) QAT Engine for OpenSSL versions prior to v1.6.1 Description: The issue is related to an observable timing discrepancy in the Intel(R) QAT Engine for OpenSSL software, which may allow information disclosure via network access. This discrepancy can be exploited by manipulating an unknown input, leading to a timing discrepancy vulnerability. The exploitation of this issue can enable an attacker to disclose protected information. Recommendations: For versions prior to v1.6.1, update to version v1.6.1 or later to resolve the issue. As a temporary workaround, consider restricting network access to the Intel(R) QAT Engine for OpenSSL software until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Ruby (affected versions not specified) **Description** The Ruby interpreter is vulnerable to the Marvin Attack, which allows an attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ecdsa versions 0.18.0 and prior **Description** The ecdsa PyPI package, a pure Python implementation of ECC (Elliptic Curve Cryptography), is affected by a Minerva timing attack on the P-256 curve. This attack can leak the internal nonce when using the `ecdsa.SigningKey.sign digest()` API function, potentially allowing for private key discovery. The issue affects ECDSA signatures, key generation, and ECDH operations, but not ECDSA signature verification. **Recommendations** For versions 0.18.0 and prior, as a temporary workaround, consider restricting the use of the `ecdsa.SigningKey.sign digest()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GnuTLS (affected versions not specified) **Description** A flaw was found in GnuTLS, known as the Minerva attack, which is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the `GNUTLS PRIVKEY FLAG REPRODUCIBLE` flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.