Описание
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of...
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | not-affected | uses system openssl1.0 |
| cosmic | not-affected | uses system openssl1.0 |
| devel | not-affected | uses system openssl1.1 |
| disco | not-affected | uses system openssl1.1 |
| eoan | not-affected | uses system openssl1.1 |
| esm-apps/bionic | not-affected | uses system openssl1.0 |
| esm-apps/xenial | not-affected | uses system openssl |
| esm-infra-legacy/trusty | not-affected | uses system openssl |
| precise/esm | DNE | |
| trusty | not-affected | uses system openssl |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | released | 1.1.1-1ubuntu2.1~18.04.2 |
| cosmic | ignored | end of life |
| devel | not-affected | 1.1.1c-1ubuntu4 |
| disco | released | 1.1.1b-1ubuntu2.2 |
| eoan | not-affected | 1.1.1c-1ubuntu4 |
| esm-infra-legacy/trusty | not-affected | 1.0.1f-1ubuntu2.27 |
| esm-infra/bionic | released | 1.1.1-1ubuntu2.1~18.04.2 |
| esm-infra/xenial | not-affected | 1.0.2g-1ubuntu4.15 |
| precise/esm | not-affected | |
| trusty | not-affected | 1.0.1f-1ubuntu2.27 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | DNE | |
| cosmic | DNE | |
| devel | DNE | |
| disco | DNE | |
| eoan | DNE | |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was not-affected] |
| precise/esm | DNE | |
| trusty | not-affected | |
| trusty/esm | DNE | trusty was not-affected |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | not-affected | 1.0.2n-1ubuntu5.3 |
| cosmic | not-affected | 1.0.2n-1ubuntu6.2 |
| devel | DNE | |
| disco | DNE | |
| eoan | DNE | |
| esm-infra-legacy/trusty | DNE | |
| esm-infra/bionic | not-affected | 1.0.2n-1ubuntu5.3 |
| precise/esm | DNE | |
| trusty | DNE | |
| trusty/esm | DNE |
Показывать по
5.8 Medium
CVSS2
7.4 High
CVSS3
Связанные уязвимости
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of...
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of th
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input ...
5.8 Medium
CVSS2
7.4 High
CVSS3