Reusing a Nonce Affecting librbd1 package, versions <2:14.2.8-111.el7cp


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.16% (53rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL7-LIBRBD1-4433140
  • published1 Nov 2021
  • disclosed6 Apr 2020

Introduced: 6 Apr 2020

CVE-2020-1759  (opens in a new tab)
CWE-323  (opens in a new tab)

How to fix?

Upgrade RHEL:7 librbd1 to version 2:14.2.8-111.el7cp or higher.
This issue was patched in RHBA-2020:4144.

NVD Description

Note: Versions mentioned in the description apply only to the upstream librbd1 package and not the librbd1 package as distributed by RHEL. See How to fix? for RHEL:7 relevant fixed versions and status.

A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat Openshift Container Storage 4.2 where, A nonce reuse vulnerability was discovered in the secure mode of the messenger v2 protocol, which can allow an attacker to forge auth tags and potentially manipulate the data by leveraging the reuse of a nonce in a session. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks.

CVSS Scores

version 3.1