Timing-Based Attack on IBM CCA Could Lead to Sensitive Information Disclosure
CVE-2023-33855

3.7LOW

Key Information:

Vendor: IBM
Status: Common Cryptographic Architecture
Vendor: CVE Published:; 26 March 2024

Summary

IBM Common Cryptographic Architecture versions 7.0.0 through 7.5.36 exhibit a vulnerability that may allow remote attackers to execute timing-based attacks, leading to potential exposure of sensitive information. The issue arises from non-constant-time behavior during RSA operations, which could be exploited under specific conditions. This vulnerability emphasizes the need for heightened security measures and constant-time implementation practices to mitigate exposure to such timing attacks.

Affected Version(s)

Common Cryptographic Architecture 7.0.0 <= 7.5.36

References

https://www.ibm.com/support/pages/node/7145168

vendor-advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/257676

vdb-entry

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 26, 2024
Vulnerability Reserved
May 23, 2023