Description
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key does not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), a NULL pointer dereference occurs, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
A flaw was discovered in python-cryptography. A NULL pointer dereference can be triggered when a PKCS#12 key and certificate do not match. Specifically, if the pkcs12.serialize_key_and_certificates function is called with a non-matching certificate and private key and an encryption algorithm with hmac_hash set, the Python process may crash, leading to a denial of service.
Statement
The NULL pointer dereference in python-cryptography's `pkcs12.serialize_key_and_certificates` is classified as a moderate severity issue. It can result in a denial of service by crashing the Python process, but it requires specific conditions to trigger: the provided certificate's public key must not match the private key, and the call must use an encryption algorithm with `hmac_hash` set. Exploitation does not directly lead to arbitrary code execution or data leakage; it terminates the Python process, which, although disruptive, is less critical than vulnerabilities that lead to unauthorized access, data corruption, or code injection. Denial-of-service conditions can nevertheless have operational impact, disrupting services or causing system instability. This issue does not affect Red Hat Enterprise Linux 6, 7, 8 and 9, as we don't ship the vulnerable code and package version.
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected Packages
Platform | Package | State | Errata | Release Date |
---|---|---|---|---|
Red Hat Enterprise Linux 7 | python-cryptography | Not affected | | |
Red Hat Enterprise Linux 8 | python39:3.9/python-cryptography | Not affected | | |
Red Hat Enterprise Linux 8 | python-cryptography | Not affected | | |
Red Hat Enterprise Linux 9 | python-cryptography | Not affected | | |
Red Hat Ansible Automation Platform 2.4 for RHEL 8 | python3x-cryptography | Fixed | RHSA-2024:3781 | 2024-06-10 |
Red Hat Ansible Automation Platform 2.4 for RHEL 9 | python-cryptography | Fixed | RHSA-2024:3781 | 2024-06-10 |
Red Hat Satellite 6.15 for RHEL 8 | python-cryptography | Fixed | RHSA-2024:7987 | 2024-10-10 |
Red Hat Satellite 6.15 for RHEL 8 | rubygem-foreman_theme_satellite | Fixed | RHSA-2024:7987 | 2024-10-10 |
Additional Information
Status:
EPSS:
CVSS3: 7.5 High