Azure Storage SDK でのクライアントサイド暗号化におけるパディング オラクル の脆弱性を軽減

本ブログは、Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability の抄訳版です。最新の情報は原文を参照してください。...

Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability

Summary: Google informed Microsoft under Coordinated Vulnerability Disclosure CVD of a padding oracle vulnerability that may affect customers using Azure Storage SDK for Python, .NET, Java client-side encryption CVE-2022-30187. To mitigate this vulnerability, we released a new General Availabilit...

Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability

Summary Summary Google informed Microsoft under Coordinated Vulnerability Disclosure CVD of a padding oracle vulnerability that may affect customers using Azure Storage SDK for Python, .NET, Java client-side encryption CVE-2022-30187. To mitigate this vulnerability, we released a new General...

GHSA-64X4-9HC6-R2H6 Microsoft: CBC Padding Oracle in Azure Blob Storage Encryption Library

Summary The Azure Storage Encryption library in Java and other languages is vulnerable to a CBC Padding Oracle attack, similar to CVE-2020-8911. The library is not vulnerable to the equivalent of CVE-2020-8912, but only because it currently only supports AES-CBC as encryption mode. Severity...

Microsoft: CBC Padding Oracle in Azure Blob Storage Encryption Library

Summary The Azure Storage Encryption library in Java and other languages is vulnerable to a CBC Padding Oracle attack, similar to CVE-2020-8911. The library is not vulnerable to the equivalent of CVE-2020-8912, but only because it currently only supports AES-CBC as encryption mode. Severity...

BSA-2022-765

Security Advisory ID : BSA-2022-765 Component : OpenSSL Revision : 1.0 If an application encounters a fatal protocol error and then calls SSLshutdown twice once to send a closenotify, and once to receive one then OpenSSL can respond differently to the calling application if a 0-byte record is...

GHSA-4FV4-CQ5V-X45M Improper Authentication in Apache MyFaces

shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code MAC, which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracl...

Nimbus JOSE+JWT vulnerable to padding oracle attack

Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack...

GHSA-JFMQ-4G4M-99RH Nimbus JOSE+JWT vulnerable to padding oracle attack

Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack...

Slackware: Security Advisory (SSA:2018-339-02)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Slackware: Security Advisory (SSA:2016-124-01)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Slackware: Security Advisory (SSA:2019-254-03)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Security Bulletin: OpenSSL vulnerabilities affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center)

Summary Multiple OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL, used by IBM Spectrum Control formerly Tivoli Storage Productivity Center, has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2019-1552 DESCRIPTION: OpenSSL has internal defaults for a directo...

Security Bulletin: OpenSSL vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-1559)

Summary An OpenSSL vulnerability was disclosed on February 26, 2019 by the OpenSSL Project. OpenSSL, used by IBM Spectrum Control formerly Tivoli Storage Productivity Center, has addressed the applicable CVE. Vulnerability Details CVE-ID: CVE-2019-1559 Description: OpenSSL could allow a remote...

GHSA-F5PG-7WFW-84Q9 CBC padding oracle issue in AWS S3 Crypto SDK for golang

Summary The golang AWS S3 Crypto SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the bucket in question, and that the attacker has access to an endpoint that reveals decryption failures without revealing the plaintext...

Mageia: Security Advisory (MGASA-2019-0103)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Rustpad - Multi-Threaded Padding Oracle Attacks Against Any Service

A multi-threaded what now? rustpad is a multi-threaded successor to the classic padbuster, written in Rust. It abuses a Padding Oracle vulnerability to decrypt any cypher text or encrypt arbitrary plain text without knowing the encryption key! Features Decryption of cypher texts Encryption of...

EulerOS Virtualization 2.9.0 : shim (EulerOS-SA-2021-2785)

According to the versions of the shim package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in a...

EulerOS Virtualization 2.9.1 : shim (EulerOS-SA-2021-2758)

According to the versions of the shim package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in a...

Apache HTTP Server mod_session_crypto Vulnerability (Dec 2016) - Linux

Apache HTTP Server is prone to a vulnerability in modsessioncrypto. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free...