DATABASE RESOURCES PRICING ABOUT US

{"id": "FEDORA:874E7309C597", "vendorId": null, "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 34 Update: mbedtls-2.16.11-1.fc34", "description": "Mbed TLS is a light-weight open source cryptographic and SSL/TLS library written in C. Mbed TLS makes it easy for developers to include cryptographic and SSL/TLS capabilities in their (embedded) applications with as little hassle as possible. FOSS License Exception: https://tls.mbed.org/foss-license-exception ", "published": "2021-08-02T01:05:39", "modified": "2021-08-02T01:05:39", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6}, "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EYJW7HAW3TDV2YMDFYXP3HD6WRQRTLJW/", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2021-24119"], "immutableFields": [], "lastseen": "2021-08-02T22:41:47", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "archlinux", "idList": ["ASA-202107-27"]}, {"type": "cve", "idList": ["CVE-2021-24119"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2826-1:14CB9"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-24119"]}, {"type": "fedora", "idList": ["FEDORA:7C9BF30A0F05"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2826.NASL", "OPENSUSE-2021-1344.NASL", "OPENSUSE-2021-1389.NASL"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:1344-1", "OPENSUSE-SU-2021:1355-1", "OPENSUSE-SU-2021:1389-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-24119"]}], "rev": 4}, "score": {"value": 5.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "archlinux", "idList": ["ASA-202107-27"]}, {"type": "cve", "idList": ["CVE-2021-24119"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2826-1:14CB9"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-24119"]}, {"type": "fedora", "idList": ["FEDORA:7C9BF30A0F05"]}, {"type": "nessus", "idList": ["OPENSUSE-2021-1344.NASL"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:1344-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-24119"]}]}, "exploitation": null, "vulnersScore": 5.1}, "_state": {"dependencies": 0}, "_internal": {}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "34", "arch": "any", "packageVersion": "2.16.11", "packageFilename": "UNKNOWN", "operator": "lt", "packageName": "mbedtls"}]}

{"fedora": [{"lastseen": "2021-08-02T22:41:47", "description": "Mbed TLS is a light-weight open source cryptographic and SSL/TLS library written in C. Mbed TLS makes it easy for developers to include cryptographic and SSL/TLS capabilities in their (embedded) applications with as little hassle as possible. FOSS License Exception: https://tls.mbed.org/foss-license-exception ", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-08-02T01:07:16", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: mbedtls-2.16.11-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24119"], "modified": "2021-08-02T01:07:16", "id": "FEDORA:7C9BF30A0F05", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DRRVY7DMTX3ECFNZKDYTSFEG5AI2HBC6/", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "archlinux": [{"lastseen": "2021-07-28T14:33:53", "description": "Arch Linux Security Advisory ASA-202107-27\n==========================================\n\nSeverity: Medium\nDate : 2021-07-14\nCVE-ID : CVE-2021-24119\nPackage : mbedtls\nType : information disclosure\nRemote : No\nLink : https://security.archlinux.org/AVG-2153\n\nSummary\n=======\n\nThe package mbedtls before version 2.26.0-1 is vulnerable to\ninformation disclosure.\n\nResolution\n==========\n\nUpgrade to 2.26.0-1.\n\n# pacman -Syu \"mbedtls>=2.26.0-1\"\n\nThe problem has been fixed upstream in version 2.26.0.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIn Trusted Firmware Mbed TLS before version 2.26.0, a side-channel\nvulnerability in base64 PEM file decoding allows system-level\n(administrator) attackers to obtain information about secret RSA keys\nvia a controlled-channel and side-channel attack on software running in\nisolated environments that can be single stepped, especially Intel SGX.\n\nImpact\n======\n\nA local attacker could disclose secret RSA keys through a side-channel\nattack.\n\nReferences\n==========\n\nhttps://github.com/UzL-ITS/util-lookup/blob/main/cve-vulnerability-publication.md#vulnerability-information-for-cve-2021-24119\nhttps://github.com/ARMmbed/mbedtls/commit/0544d49330b9b12b244a54c9ff145d55c45f1aaf\nhttps://security.archlinux.org/CVE-2021-24119", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-07-14T00:00:00", "type": "archlinux", "title": "[ASA-202107-27] mbedtls: information disclosure", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24119"], "modified": "2021-07-14T00:00:00", "id": "ASA-202107-27", "href": "https://security.archlinux.org/ASA-202107-27", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2022-01-07T00:53:52", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1389-1 advisory.\n\n - In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled- channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX. (CVE-2021-24119)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 4.9, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}, "published": "2021-10-21T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : mbedtls (openSUSE-SU-2021:1389-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-24119"], "modified": "2021-10-21T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libmbedcrypto3", "p-cpe:/a:novell:opensuse:libmbedcrypto3-32bit", "p-cpe:/a:novell:opensuse:libmbedcrypto3-64bit", "p-cpe:/a:novell:opensuse:libmbedtls12", "p-cpe:/a:novell:opensuse:libmbedtls12-32bit", "p-cpe:/a:novell:opensuse:libmbedtls12-64bit", "p-cpe:/a:novell:opensuse:libmbedx509-0", "p-cpe:/a:novell:opensuse:libmbedx509-0-32bit", "p-cpe:/a:novell:opensuse:libmbedx509-0-64bit", "p-cpe:/a:novell:opensuse:mbedtls-devel", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2021-1389.NASL", "href": "https://www.tenable.com/plugins/nessus/154282", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:1389-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154282);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/21\");\n\n script_cve_id(\"CVE-2021-24119\");\n\n script_name(english:\"openSUSE 15 Security Update : mbedtls (openSUSE-SU-2021:1389-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the\nopenSUSE-SU-2021:1389-1 advisory.\n\n - In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows\n system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-\n channel and side-channel attack on software running in isolated environments that can be single stepped,\n especially Intel SGX. (CVE-2021-24119)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189589\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/36R5MNRZX7IWOTML46RHIYNDAV7YDYQN/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3cedc412\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-24119\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24119\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedcrypto3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedcrypto3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedcrypto3-64bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedtls12\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedtls12-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedtls12-64bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedx509-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedx509-0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedx509-0-64bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mbedtls-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'libmbedcrypto3-2.16.9-bp153.2.5.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedcrypto3-32bit-2.16.9-bp153.2.5.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedcrypto3-64bit-2.16.9-bp153.2.5.1', 'cpu':'aarch64_ilp32', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedtls12-2.16.9-bp153.2.5.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedtls12-32bit-2.16.9-bp153.2.5.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedtls12-64bit-2.16.9-bp153.2.5.1', 'cpu':'aarch64_ilp32', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedx509-0-2.16.9-bp153.2.5.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedx509-0-32bit-2.16.9-bp153.2.5.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedx509-0-64bit-2.16.9-bp153.2.5.1', 'cpu':'aarch64_ilp32', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mbedtls-devel-2.16.9-bp153.2.5.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libmbedcrypto3 / libmbedcrypto3-32bit / libmbedcrypto3-64bit / etc');\n}\n", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-01-07T00:53:52", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1344-1 advisory.\n\n - In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled- channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX. (CVE-2021-24119)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 4.9, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}, "published": "2021-10-12T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : mbedtls (openSUSE-SU-2021:1344-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-24119"], "modified": "2021-10-12T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libmbedcrypto3", "p-cpe:/a:novell:opensuse:libmbedcrypto3-32bit", "p-cpe:/a:novell:opensuse:libmbedtls12", "p-cpe:/a:novell:opensuse:libmbedtls12-32bit", "p-cpe:/a:novell:opensuse:libmbedx509-0", "p-cpe:/a:novell:opensuse:libmbedx509-0-32bit", "p-cpe:/a:novell:opensuse:mbedtls-devel", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-1344.NASL", "href": "https://www.tenable.com/plugins/nessus/154012", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:1344-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154012);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/12\");\n\n script_cve_id(\"CVE-2021-24119\");\n\n script_name(english:\"openSUSE 15 Security Update : mbedtls (openSUSE-SU-2021:1344-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the\nopenSUSE-SU-2021:1344-1 advisory.\n\n - In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows\n system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-\n channel and side-channel attack on software running in isolated environments that can be single stepped,\n especially Intel SGX. (CVE-2021-24119)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189589\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TUAORD5DVNESTJH3EH3OO36VCU4DKEPQ/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e8a1d158\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-24119\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24119\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedcrypto3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedcrypto3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedtls12\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedtls12-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedx509-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libmbedx509-0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mbedtls-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'libmbedcrypto3-2.16.9-lp152.2.6.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedcrypto3-32bit-2.16.9-lp152.2.6.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedtls12-2.16.9-lp152.2.6.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedtls12-32bit-2.16.9-lp152.2.6.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedx509-0-2.16.9-lp152.2.6.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libmbedx509-0-32bit-2.16.9-lp152.2.6.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mbedtls-devel-2.16.9-lp152.2.6.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libmbedcrypto3 / libmbedcrypto3-32bit / libmbedtls12 / etc');\n}\n", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-01-07T00:51:38", "description": "The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2826 advisory.\n\n - ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could cause a crash on invalid input. (CVE-2018-9988)\n\n - ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input. (CVE-2018-9989)\n\n - An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbedtls_mpi_exp_mod are not limited; thus, supplying overly large parameters could lead to denial of service when generating Diffie-Hellman key pairs. (CVE-2020-36475)\n\n - An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.\n (CVE-2020-36476)\n\n - An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way, then the certificate should be considered invalid. (CVE-2020-36478)\n\n - In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled- channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX. (CVE-2021-24119)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2021-11-23T00:00:00", "type": "nessus", "title": "Debian DLA-2826-1 : mbedtls - LTS security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-9988", "CVE-2018-9989", "CVE-2020-36475", "CVE-2020-36476", "CVE-2020-36478", "CVE-2021-24119"], "modified": "2021-11-23T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libmbedcrypto0", "p-cpe:/a:debian:debian_linux:libmbedtls-dev", "p-cpe:/a:debian:debian_linux:libmbedtls10", "p-cpe:/a:debian:debian_linux:libmbedx509-0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2826.NASL", "href": "https://www.tenable.com/plugins/nessus/155683", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dla-2826. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155683);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/23\");\n\n script_cve_id(\n \"CVE-2018-9988\",\n \"CVE-2018-9989\",\n \"CVE-2020-36475\",\n \"CVE-2020-36476\",\n \"CVE-2020-36478\",\n \"CVE-2021-24119\"\n );\n\n script_name(english:\"Debian DLA-2826-1 : mbedtls - LTS security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the\ndla-2826 advisory.\n\n - ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in\n ssl_parse_server_key_exchange() that could cause a crash on invalid input. (CVE-2018-9988)\n\n - ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in\n ssl_parse_server_psk_hint() that could cause a crash on invalid input. (CVE-2018-9989)\n\n - An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The\n calculations performed by mbedtls_mpi_exp_mod are not limited; thus, supplying overly large parameters\n could lead to denial of service when generating Diffie-Hellman key pairs. (CVE-2020-36475)\n\n - An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is\n missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.\n (CVE-2020-36476)\n\n - An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL\n algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is\n considered valid. However, if the parameters do not match in any way, then the certificate should be\n considered invalid. (CVE-2020-36478)\n\n - In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows\n system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-\n channel and side-channel attack on software running in isolated environments that can be single stepped,\n especially Intel SGX. (CVE-2021-24119)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/mbedtls\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/lts/security/2021/dla-2826\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2018-9988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2018-9989\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-36475\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-36476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-36478\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-24119\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/stretch/mbedtls\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the mbedtls packages.\n\nFor Debian 9 stretch, these problems have been fixed in version 2.4.2-1+deb9u4.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-36478\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmbedcrypto0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmbedtls-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmbedtls10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmbedx509-0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! preg(pattern:\"^(9)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 9.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '9.0', 'prefix': 'libmbedcrypto0', 'reference': '2.4.2-1+deb9u4'},\n {'release': '9.0', 'prefix': 'libmbedtls-dev', 'reference': '2.4.2-1+deb9u4'},\n {'release': '9.0', 'prefix': 'libmbedtls10', 'reference': '2.4.2-1+deb9u4'},\n {'release': '9.0', 'prefix': 'libmbedx509-0', 'reference': '2.4.2-1+deb9u4'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libmbedcrypto0 / libmbedtls-dev / libmbedtls10 / libmbedx509-0');\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T14:47:11", "description": "In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-14T13:15:00", "type": "cve", "title": "CVE-2021-24119", "cwe": ["CWE-203"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24119"], "modified": "2021-11-28T23:31:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:34", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2021-24119", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24119", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2022-01-21T20:19:30", "description": "In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64\nPEM file decoding allows system-level (administrator) attackers to obtain\ninformation about secret RSA keys via a controlled-channel and side-channel\nattack on software running in isolated environments that can be single\nstepped, especially Intel SGX.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sarnold](<https://launchpad.net/~sarnold>) | It looks like an entire new class of side-channel-free functions was introduced in newer versions of mbedtls; backporting all of them probably doesn't make sense, this fix only makes sense in context of trying to provide constant-time execution that limits side-channel bandwidth to adversaries on the same machine.\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-07-14T00:00:00", "type": "ubuntucve", "title": "CVE-2021-24119", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24119"], "modified": "2021-07-14T00:00:00", "id": "UB:CVE-2021-24119", "href": "https://ubuntu.com/security/CVE-2021-24119", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "suse": [{"lastseen": "2022-06-30T18:24:38", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for mbedtls fixes the following issues:\n\n * CVE-2021-24119: Fixed side-channel vulnerability in base64 PEM\n [boo#1189589]\n\n Guard against strong local side channel attack against base64 tables by\n making access aceess to them use constant flow code.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP3:\n\n zypper in -t patch openSUSE-2021-1389=1", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-20T00:00:00", "type": "suse", "title": "Security update for mbedtls (moderate)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24119"], "modified": "2021-10-20T00:00:00", "id": "OPENSUSE-SU-2021:1389-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/36R5MNRZX7IWOTML46RHIYNDAV7YDYQN/", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-04-18T12:39:59", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for mbedtls fixes the following issues:\n\n * CVE-2021-24119: Fixed side-channel vulnerability in base64 PEM\n [boo#1189589]\n\n Guard against strong local side channel attack against base64 tables by\n making access aceess to them use constant flow code.\n\n This update was imported from the openSUSE:Leap:15.2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP2:\n\n zypper in -t patch openSUSE-2021-1355=1", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-15T00:00:00", "type": "suse", "title": "Security update for mbedtls (moderate)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24119"], "modified": "2021-10-15T00:00:00", "id": "OPENSUSE-SU-2021:1355-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/C77WUNAX6B5WKSXJWBNNJZZKI6OORZNP/", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-06-14T11:59:03", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for mbedtls fixes the following issues:\n\n * CVE-2021-24119: Fixed side-channel vulnerability in base64 PEM\n [boo#1189589]\n\n Guard against strong local side channel attack against base64 tables by\n making access aceess to them use constant flow code.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-1344=1", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-11T00:00:00", "type": "suse", "title": "Security update for mbedtls (moderate)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24119"], "modified": "2021-10-11T00:00:00", "id": "OPENSUSE-SU-2021:1344-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TUAORD5DVNESTJH3EH3OO36VCU4DKEPQ/", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "debiancve": [{"lastseen": "2022-07-04T06:00:49", "description": "In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-14T13:15:00", "type": "debiancve", "title": "CVE-2021-24119", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24119"], "modified": "2021-07-14T13:15:00", "id": "DEBIANCVE:CVE-2021-24119", "href": "https://security-tracker.debian.org/tracker/CVE-2021-24119", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2022-01-07T02:59:31", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2826-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Emilio Pozuelo Monfort\nNovember 23, 2021 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : mbedtls\nVersion : 2.4.2-1+deb9u4\nCVE ID : CVE-2018-9988 CVE-2018-9989 CVE-2020-36475 CVE-2020-36476\n CVE-2020-36478 CVE-2021-24119\n\nSeveral vulnerabilities were discovered in mbed TLS, a lightweight crypto\nand SSL/TLS library, which could result in denial of service, information\ndisclosure or side-channel attacks.\n\nFor Debian 9 stretch, these problems have been fixed in version\n2.4.2-1+deb9u4.\n\nWe recommend that you upgrade your mbedtls packages.\n\nFor the detailed security status of mbedtls please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/mbedtls\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-11-23T13:36:24", "type": "debian", "title": "[SECURITY] [DLA 2826-1] mbedtls security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-9988", "CVE-2018-9989", "CVE-2020-36475", "CVE-2020-36476", "CVE-2020-36478", "CVE-2021-24119"], "modified": "2021-11-23T13:36:24", "id": "DEBIAN:DLA-2826-1:14CB9", "href": "https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "osv": [{"lastseen": "2022-07-06T05:17:52", "description": "\nSeveral vulnerabilities were discovered in mbed TLS, a lightweight crypto\nand SSL/TLS library, which could result in denial of service, information\ndisclosure or side-channel attacks.\n\n\nFor Debian 9 stretch, these problems have been fixed in version\n2.4.2-1+deb9u4.\n\n\nWe recommend that you upgrade your mbedtls packages.\n\n\nFor the detailed security status of mbedtls please refer to\nits security tracker page at:\n<https://security-tracker.debian.org/tracker/mbedtls>\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-23T00:00:00", "type": "osv", "title": "mbedtls - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-9988", "CVE-2018-9989", "CVE-2020-36475", "CVE-2020-36476", "CVE-2020-36478", "CVE-2021-24119"], "modified": "2022-07-06T01:46:08", "id": "OSV:DLA-2826-1", "href": "https://osv.dev/vulnerability/DLA-2826-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}