CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
40.6%
Vulnerability in openCryptoki could allow a remote attacker to obtain sensitive information (CVE-2024-0914).
CVEID:CVE-2024-0914
**DESCRIPTION:**openCryptoki could allow a remote attacker to obtain sensitive information, caused by a flaw when processing RSA PKCS#1 v1.5 padded ciphertexts. By utilize timing side-channel attack techniques, an attacker could exploit this vulnerability to obtain RSA ciphertext information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281283 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
AIX | 7.2 |
AIX | 7.3 |
The vulnerabilities in the following filesets are being addressed:
Fileset | Lower Level | Upper Level |
---|---|---|
opencki.base | 3.21.0.0 | 3.21.0.1000 |
To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user’s guide.
Example: lslpp -L | grep -i opencki.base
FIXES
IBM strongly recommends addressing the vulnerability now.
A fix is available, and it can be downloaded from:
https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=opencryptoki
To extract the fixes from the tar file:
zcat opencki-3.23.0.tar.Z | tar xvf -
IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.
Note that all the previously reported security vulnerability fixes are also included in above mentioned fileset level.
To preview the fix installation:
installp -apYd . opencki
To install the fix package:
installp -aXYd . opencki
openssl dgst -sha256 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]
openssl dgst -sha256 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]
Published advisory OpenSSL signature file location:
<https://aix.software.ibm.com/aix/efixes/security/opencryptoki_advisory.asc.sig>
None
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
40.6%