CVE-2023-34363

Name of the Vulnerable Software and Affected Versions Progress DataDirect Connect for ODBC versions prior to 08.02.2770 for Oracle

Description An issue was discovered when using Oracle Advanced Security (OAS) encryption. If an error occurs while initializing the encryption object, the code falls back to a different encryption mechanism that uses an insecure random number generator to generate the private key. This allows a well-placed attacker to potentially predict the output of the random number generator, leading to the decryption of traffic between the driver and the database server. The issue does not exist when SSL/TLS encryption is used.

Recommendations For versions prior to 08.02.2770, update to version 08.02.2770 or later to resolve the issue. As a temporary workaround, consider using SSL/TLS encryption instead of Oracle Advanced Security (OAS) encryption to minimize the risk of exploitation.