IBM GSKit-Crypto information disclosure
CVE-2023-33850

7.5 HIGH

Key Information:

Vendor: IBM
CVE Published: 22 August 2023

Summary

IBM GSKit-Crypto contains a timing-based side channel in its RSA decryption implementation. An attacker could exploit this flaw by sending a large number of trial messages for decryption, potentially extracting sensitive information. The flaw highlights the importance of secure coding practices and robust cryptographic implementations in preventing this kind of information leakage.

Affected Version(s)

CICS TX Advanced 10.1, 11.1

CICS TX Standard 11.1

TXSeries for Multiplatforms 8.1, 8.2, 9.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
