Homepage
About Snyk

Information Exposure Affecting gnutls package, versions <0:3.6.16-6.el8_7

Severity

 Recommended
medium

Based on Oracle Linux security rating

    Threat Intelligence

    EPSS
    0.17% (54th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-ORACLE8-GNUTLS-5408181
  • published 9 Mar 2023
  • disclosed 15 Feb 2023
Report a new vulnerability Found a mistake?

Introduced: 15 Feb 2023

CVE-2023-0361 Open this link in a new tab
CWE-203 Open this link in a new tab

How to fix?

Upgrade Oracle:8 gnutls to version 0:3.6.16-6.el8_7 or higher.
This issue was patched in ELSA-2023-1569.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

References

CVSS Scores

version 3.1
Expand this section

NVD

7.4 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

SUSE

5.9 medium
Expand this section

Red Hat

7.4 high