Security Bulletin: Weaker Cryptographic Algorithm Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-38925)

Summary IBM Sterling B2B Integrator has addressed the security vulnerability. Vulnerability Details CVEID: CVE-2021-38925 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive...

[SECURITY] Fedora 34 Update: cryptopp-8.6.0-1.fc34

Crypto++ Library is a free C++ class library of cryptographic schemes. See http://www.cryptopp.com/ for a list of supported algorithms. One purpose of Crypto++ is to act as a repository of public domain not copyrighted source code. Although the library is copyrighted as a compilation, the...

CVE-2021-36298

Dell EMC InsightIQ, versions prior to 4.1.4, contain risky cryptographic algorithms in the SSH component. A remote unauthenticated attacker could potentially exploit this vulnerability leading to authentication bypass and remote takeover of the InsightIQ. This allows an attacker to take complete...

Authentication flaw

Dell EMC InsightIQ, versions prior to 4.1.4, contain risky cryptographic algorithms in the SSH component. A remote unauthenticated attacker could potentially exploit this vulnerability leading to authentication bypass and remote takeover of the InsightIQ. This allows an attacker to take complete...

CVE-2021-36298

Dell EMC InsightIQ, versions prior to 4.1.4, contain risky cryptographic algorithms in the SSH component. A remote unauthenticated attacker could potentially exploit this vulnerability leading to authentication bypass and remote takeover of the InsightIQ. This allows an attacker to take complete...

CVE-2021-36298

Dell EMC InsightIQ is affected (versions prior to 4.1.4). The issue is caused by risky cryptographic algorithms in the SSH component, enabling a remote unauthenticated attacker to bypass authentication and take remote control of InsightIQ, potentially impacting SSH services. Remediation: upgrade ...

Code injection

IBM Cloud Pak for Security CP4S 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 207320...

CVE-2021-29894

CVE-2021-29894 affects IBM Cloud Pak for Security (CP4S) versions 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0, where weaker-than-expected cryptographic algorithms could allow an attacker to decrypt highly sensitive information. A remediation is available: upgrade to CP4S 1.8.0.0 following IBM’s upgrad...

GHSA-7322-JRQ4-X5HF File reference keys leads to incorrect hashes on HMAC algorithms

Impact Users of HMAC-based algorithms HS256, HS384, and HS512 combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users...

File reference keys leads to incorrect hashes on HMAC algorithms

Impact Users of HMAC-based algorithms HS256, HS384, and HS512 combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users...

CVE-2021-41106

JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms HS256, HS384, and HS512 combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as...

CVE-2021-41106

The CVE-2021-41106 issue affects the LCobucci JWT library. Before versions 3.4.6, 4.0.4, and 4.1.5, when using HMAC-based algorithms (HS256/384/512) with LocalFileReference as the key, tokens were issued/validated using the file path instead of the file contents. This effectively means the key ma...

CVE-2021-41106 File reference keys leads to incorrect hashes on HMAC algorithms

JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms HS256, HS384, and HS512 combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as...

CVE-2021-41106: File reference keys leads to incorrect hashes on HMAC algorithms

Description Impact Users of HMAC-based algorithms HS256, HS384, and HS512 combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and,...

CVE-2021-41106: File reference keys leads to incorrect hashes on HMAC algorithms

Impact Users of HMAC-based algorithms HS256, HS384, and HS512 combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users...

[SECURITY] Fedora 35 Update: openssl-1.1.1l-1.fc35

The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols...

SSH SHA-1 HMAC Algorithms Enabled

The remote SSH server is configured to enable SHA-1 HMAC algorithms. Although NIST has formally deprecated use of SHA-1 for digital signatures, SHA-1 is still considered secure for HMAC as the security of HMAC does not rely on the underlying hash function being resistant to collisions. Note that...

Security Bulletin: Vulnerability in OpenSSL affects Power Hardware Management Console (CVE-2021-3449).

Summary OpenSSL is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID: CVE-2021-3449 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in signaturealgorithms processing. By sending a...

Automatic Cipher Suite Ordering in crypto/tls

This is the first article I wrote for the Go blog !! about how TLS cipher suites configuration got so complicated, and how weve made it way easier in Go 1.17. The Go standard library provides crypto/tls, a robust implementation of Transport Layer Security TLS, the most important security protocol...

CVE-2021-29750

Summary: CVE-2021-29750 affects IBM QRadar SIEM 7.3 and 7.4, where the HTTPReceiver protocol uses weaker than expected cryptographic algorithms, potentially allowing an attacker to decrypt highly sensitive information. Affected components/versions: QRadar SIEM 7.3 and 7.4 with HTTPReceiver prior ...