GHSA-rh63-9qcf-83gf

Published: Jan 19, 2024
Source: github
Github: Reviewed
CVSS3: 7.5

Description

Marvin Attack of RSA and RSAOAEP decryption in jsrsasign

Impact

RSA PKCS#1 v1.5 or RSAOAEP ciphertexts may be decrypted through the Marvin attack.

Patches

Update to jsrsasign 11.0.0.

Workarounds

Find RSA and RSAOAEP decryption calls and replace them with another crypto library.

References

https://people.redhat.com/~hkario/marvin/
https://github.com/kjur/jsrsasign/issues/598
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21484

Packages

Name: jsrsasign
Ecosystem: npm
Affected versions: < 11.0.0
Fixed version: 11.0.0

EPSS

Percentile: 39%
0.00177
Low

CVSS3

7.5 High

Weaknesses

CWE-203

Related vulnerabilities

CVSS3: 7.5
redhat
about 2 years ago

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.

Workaround: The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

CVSS3: 7.5
nvd
about 2 years ago

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.

Workaround: The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

CVSS3: 7.5
fstec
about 2 years ago

A vulnerability in the PKCS#1 v1.5 implementation of the jsrsasign cryptographic library that allows an attacker to carry out a Bleichenbacher attack or a Marvin attack