CVE-2024-2467 | Ubuntu

A timing-based side-channel flaw exists in the perl-Crypt-OpenSSL-RSA package, which could be sufficient to recover plaintext across a network in a Bleichenbacher-style attack. To achieve successful decryption, an attacker would have to be able to send a large number of trial messages. The vulnerability affects the legacy PKCS#1v1.5 RSA encryption padding mode.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libcrypt-openssl-rsa-perl	24.04 LTS noble	Vulnerable, fix deferred
	23.10 mantic	Ignored
	22.04 LTS jammy	Vulnerable, fix deferred
	20.04 LTS focal	Vulnerable, fix deferred
	18.04 LTS bionic	Vulnerable, fix deferred
	16.04 LTS xenial	Vulnerable, fix deferred
	14.04 LTS trusty	Vulnerable, fix deferred

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

as of 2024-09-09, there is no fix available from the upstream libcrypt-openssl-rsa-perl developers

References

MITRE
NVD
Launchpad
Debian

Other references

https://people.redhat.com/~hkario/marvin/
https://www.cve.org/CVERecord?id=CVE-2024-2467