{ "threat_severity" : "Moderate", "public_date" : "2024-02-16T00:00:00Z", "bugzilla" : { "description" : "nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)", "id" : "2264569", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2264569" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-385->CWE-208", "details" : [ "Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.", "A flaw was found in Node.js. The privateDecrypt() API of the crypto library may allow a covert timing side-channel during PKCS#1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing JSON Web Encryption messages." ], "statement" : "This Node.js vulnerability poses a notable risk as it allows for covert timing side-channel attacks during RSA ciphertext decryption, potentially enabling attackers to decrypt captured data or forge signatures.\nIt's classified as \"Medium\" severity rather than important due to its dependency on specific conditions for exploitation, such as the use of the privateDecrypt() API with PKCS#1 v1.5 padding.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-03-26T00:00:00Z", "advisory" : "RHSA-2024:1510", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:18-8090020240301110609.a75119d5" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-04-08T00:00:00Z", "advisory" : "RHSA-2024:1687", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:20-8090020240228165436.a75119d5" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1880", "cpe" : "cpe:/a:redhat:rhel_eus:8.8", "package" : "nodejs:18-8080020240322102042.63b34585" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-03-25T00:00:00Z", "advisory" : "RHSA-2024:1503", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "nodejs:18-9030020240301111035.rhel9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-08T00:00:00Z", "advisory" : "RHSA-2024:1688", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "nodejs:20-9030020240229115828.rhel9" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-04-22T00:00:00Z", "advisory" : "RHSA-2024:1932", "cpe" : "cpe:/a:redhat:rhel_eus:9.2", "package" : "nodejs:18-9020020240322155241.rhel9" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "nodejs:16/nodejs", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "nodejs", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Will not fix", "package_name" : "rh-nodejs14-nodejs", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-46809\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-46809" ], "name" : "CVE-2023-46809", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }