{
  "threat_severity" : "Moderate",
  "public_date" : "2023-03-30T00:00:00Z",
  "bugzilla" : {
    "description" : "hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations",
    "id" : "2182972",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2182972"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-208",
  "details" : [ "HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.", "A flaw was found in the Hashicorp vault. This flaw allows an attacker with access to and the ability to observe a large number of unseal operations on the host through a side channel to reduce the search space of a brute-force effort to recover the Shamir shares." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.13",
    "release_date" : "2023-05-17T00:00:00Z",
    "advisory" : "RHSA-2023:1326",
    "cpe" : "cpe:/a:redhat:openshift:4.13::el8",
    "package" : "openshift4/ose-installer:v4.13.0-202305091542.p0.g44db7b2.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:5006",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "openshift4/ose-installer:v4.14.0-202310201027.p0.g03546e5.assembly.stream"
  }, {
    "product_name" : "RHODF-4.13-RHEL-9",
    "release_date" : "2023-06-21T00:00:00Z",
    "advisory" : "RHSA-2023:3742",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.13::el9",
    "package" : "odf4/odf-rhel9-operator:v4.13.0-24"
  }, {
    "product_name" : "RHODF-4.13-RHEL-9",
    "release_date" : "2023-06-21T00:00:00Z",
    "advisory" : "RHSA-2023:3742",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.13::el9",
    "package" : "odf4/rook-ceph-rhel9-operator:v4.13.0-70"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/logging-loki-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/topology-aware-lifecycle-manager-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/cephcsi-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/mcg-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/ocs-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/rook-ceph-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/cephcsi-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Affected",
    "package_name" : "odf4/mcg-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/ocs-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Will not fix",
    "package_name" : "odf4/odf-multicluster-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/odr-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-25000\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-25000\nhttps://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078" ],
  "name" : "CVE-2023-25000",
  "csaw" : false
}