Description
A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
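The flaw above is a verifier that accepts signatures which are not canonical DER. As an added example (not python-ecdsa's own code), here is a strict decoder for a DER-encoded ECDSA signature, SEQUENCE { INTEGER r, INTEGER s }, that rejects trailing bytes, non-minimal lengths, and padded or negative integers; the sample signature bytes are constructed.

```python
# Added example (not python-ecdsa's own code): strict decoder for a DER ECDSA
# signature, SEQUENCE { INTEGER r, INTEGER s }. Sample bytes are constructed.
def _read_len(buf, i):
    # DER length at buf[i] -> (length, next index); minimal encoding only
    if i >= len(buf):
        raise ValueError("truncated length")
    b = buf[i]
    if b < 0x80:
        return b, i + 1
    n = b & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad long-form length")
    length = int.from_bytes(buf[i + 1:i + 1 + n], "big")
    if buf[i + 1] == 0 or length < 0x80:
        raise ValueError("non-minimal length encoding")
    return length, i + 1 + n

def _read_int(buf, i):
    # DER INTEGER at buf[i] -> (value, next index); positive and minimal only
    if i >= len(buf) or buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, i = _read_len(buf, i + 1)
    body = buf[i:i + length]
    if length == 0 or len(body) != length or body[0] & 0x80:
        raise ValueError("empty, truncated or negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER (leading zero byte)")
    return int.from_bytes(body, "big"), i + length

def decode_strict(sig: bytes):  # (r, s), or ValueError if not canonical DER
    if not sig or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, i = _read_len(sig, 1)
    end = i + length
    r, i = _read_int(sig, i)
    s, i = _read_int(sig, i)
    if end != len(sig) or i != end:
        raise ValueError("trailing bytes or wrong SEQUENCE length")
    return r, s

def is_canonical(sig: bytes) -> bool:
    try:
        return decode_strict(sig) is not None
    except ValueError:
        return False

# Constructed signatures encoding r=1, s=2: one canonical, two malformed
GOOD = bytes.fromhex("30 06 02 01 01 02 01 02")
TRAILING = GOOD + b"\x00"                               # junk after SEQUENCE
PADDED_R = bytes.fromhex("30 07 02 02 00 01 02 01 02")  # r with leading zero
```

A verifier that accepts TRAILING or PADDED_R treats several byte strings as the same signature, which is exactly the malleability the description refers to.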
Report
Although Red Hat OpenStack Platform ships the flawed code, RHOSP does not actually use python-ecdsa's functionality. As such, Red Hat OpenStack Platform will not be providing a fix for python-ecdsa at this time. Red Hat CloudForms 5.9, 5.10 and 5.11 are not affected, as these versions no longer ship the python-ecdsa library. Only CloudForms 5.8, which is now EOL, delivered the python-ecdsa library. Current releases of Red Hat Virtualization Manager no longer include python-ecdsa as a dependency. While it remains available in repositories as a legacy dependency, it is not installed by default and its use is not recommended. Current releases of Red Hat Satellite no longer include python-ecdsa as a dependency. While it remains available in repositories as a legacy dependency, it is not installed by default and its use is not recommended.
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| CloudForms Management Engine 5 | python-ecdsa | Not affected | | |
| Red Hat Ceph Storage 2 | python-ecdsa | Affected | | |
| Red Hat OpenStack Platform 10 (Newton) | python-ecdsa | Will not fix | | |
| Red Hat OpenStack Platform 13 (Queens) | python-ecdsa | Will not fix | | |
| Red Hat OpenStack Platform 14 (Rocky) | python-ecdsa | Will not fix | | |
| Red Hat OpenStack Platform 15 (Stein) | python-ecdsa | Will not fix | | |
| Red Hat Storage 3 | python-ecdsa | Affected | | |
| Red Hat Virtualization 4 | python-ecdsa | Will not fix | | |
| Red Hat Satellite 6.10 for RHEL 7 | python-ecdsa | Fixed | RHSA-2021:4702 | 16.11.2021 |
Additional information
Status: 7.4 High (CVSS3)
Related vulnerabilities
Improper Verification of Cryptographic Signature in Pure-Python ECDSA
A vulnerability in the Python ECDSA cryptographic library, related to improper verification of cryptographic signatures, that allows an attacker to affect the confidentiality and integrity of protected information.
7.4 High (CVSS3)