CVE-2021-43398

Name of the Vulnerable Software and Affected Versions Crypto++ (aka Cryptopp) versions 8.6.0 and earlier

Description The issue concerns a timing leakage in the MakePublicKey() function, where there is a correlation between execution time and private key length. This could potentially allow attackers to conduct timing attacks and disclose the length information of the private key. However, it's noted that this report is disputed by the vendor and multiple third parties, stating that the execution-time differences are intentional and part of a tradeoff between strength and performance, with the leaked information being of minimal value.

Recommendations For Crypto++ (aka Cryptopp) versions 8.6.0 and earlier, consider updating to a version where this issue is addressed, although the dispute suggests the impact may be minimal. As a temporary workaround, users may need to weigh the tradeoffs between key strength and performance, potentially choosing stronger keys at the cost of performance. However, without a clear resolution or patch noted, the primary advice would be to await further guidance from the vendor or security community. At the moment, there is no information about a newer version that contains a fix for this vulnerability.