CVE-2023-46809: High severity ibm cognos analytics vulnerability

Published Feb 16, 2024
·
Updated

A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling. The vulnerability revealed significant timing differences in decryption for valid and invalid ciphertexts. This poses a serious threat as attackers could remotely exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing Json Web Encryption messages.

This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.

Other sources

Node.js could allow a remote attacker to obtain sensitive information, caused by a vulnerability in the privateDecrypt() API of the crypto library. An attacker could exploit this vulnerability to conduct a covert timing side-channel during PKCS#1 v1.5 padding error handling and obtain significant timing differences in decryption for valid and invalid ciphertexts.

IBM

Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.

NVD

Affected Software

3 affected componentsFixes available
redhat/node<18.19.1
18.19.1
IBM Cognos Analytics<=12.0.0-12.0.3
IBM Cognos Analytics<=11.2.0-11.2.4 FP3

Event History

Sep 7, 2024
CVE Published
via MITRE·04:03 PM
Data Sourced
via MITRE·04:03 PM
Description
Data Sourced
via NVD·04:15 PM
DescriptionSeverityWeakness

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2023-46809?

CVE-2023-46809 is considered a serious vulnerability that can lead to timing side-channel attacks during PKCS#1 v1.5 padding error handling.

2

How do I fix CVE-2023-46809?

To fix CVE-2023-46809, update the affected software to the latest patched versions provided by the vendor.

3

Which software does CVE-2023-46809 affect?

CVE-2023-46809 affects Node.js and different versions of IBM Cognos Analytics.

4

What type of attack can be performed using CVE-2023-46809?

CVE-2023-46809 allows attackers to exploit timing differences in decryption processes, potentially revealing sensitive data.

5

Is there a patch available for CVE-2023-46809?

Yes, patches are available for the affected versions of both Node.js and IBM Cognos Analytics.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203