Vulnerability Name: CVE-2021-33560 (CCN-203266)

Assigned: 2020-04-13
Published: 2020-04-13
Updated: 2022-12-07
Summary: Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-327
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2021-33560

Source: CCN
Type: GnuPG Web site
cipher: Hardening ElGamal by introducing exponent blinding too

Source: XF
Type: UNKNOWN
gnupg-cve202133560-info-disc(203266)

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6560126 (Sterling Connect:Direct for UNIX Certified Container)
IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93

Source: CCN
Type: IBM Security Bulletin 6574787 (QRadar SIEM)
IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6856409 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:gnupg:libgcrypt:1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:gnupg:libgcrypt:1.8.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.6.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7592 | P | libgcrypt-devel-1.9.4-150500.10.19 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:733 | P | Security update for openvswitch (Moderate) | 2022-09-06
oval:org.opensuse.security:def:3634 | P | Security update for logrotate (Important) | 2022-07-14
oval:org.opensuse.security:def:3007 | P | apache-commons-beanutils-1.9.2-3.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3449 | P | bzip2-1.0.6-30.8.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94561 | P | giflib-devel-5.2.1-150000.4.8.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94637 | P | libgcrypt-devel-1.9.4-150400.4.6 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:6073 | P | Security update for apache2 (Important) | 2022-06-16
oval:org.opensuse.security:def:95303 | P | Security update for MozillaFirefox (Important) | 2022-05-24
oval:org.opensuse.security:def:99491 | P | (Moderate) | 2022-03-04
oval:org.opensuse.security:def:102016 | P | Security update for the Linux Kernel (Live Patch 9 for SLE 15 SP3) (Important) | 2022-03-01
oval:org.opensuse.security:def:112636 | P | libgcrypt-cavs-1.9.4-1.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:106117 | P | Security update for busybox (Important) (in QA) | 2022-01-14
oval:com.redhat.rhsa:def:20214409 | P | RHSA-2021:4409: libgcrypt security and bug fix update (Moderate) | 2021-11-09
oval:org.opensuse.security:def:99690 | P | (Moderate) | 2021-10-27
oval:org.opensuse.security:def:99998 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:101274 | P | jcl-over-slf4j-1.7.30-1.34 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:111603 | P | Security update for libgcrypt (Important) | 2021-07-11
oval:org.opensuse.security:def:111461 | P | Security update for libgcrypt (Important) | 2021-06-25
oval:org.opensuse.security:def:32133 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:58778 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:88149 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:23931 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:51919 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:83426 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:126733 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:107940 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:73845 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:92939 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:97137 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:8989 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:70250 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:34475 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:64538 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:98905 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:30219 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:57037 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:86111 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:5068 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:10110 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:92342 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:100304 | P | (Important) | 2021-06-24
oval:org.opensuse.security:def:69496 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:32955 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:59502 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:88463 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:26081 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:55214 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:84170 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:127130 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:108682 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:75912 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:93092 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:97138 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:9356 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:70432 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:99391 | P | (Important) | 2021-06-24
oval:org.opensuse.security:def:64723 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:99100 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:31214 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:57470 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:86597 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:82598 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:117455 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:10292 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:92541 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:100632 | P | (Important) | 2021-06-24
oval:org.opensuse.security:def:8612 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:69682 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:33679 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:59760 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:89157 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:29391 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:55922 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:84629 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:76230 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:93245 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:42095 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:9542 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:91955 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:99654 | P | (Important) | 2021-06-24
oval:org.opensuse.security:def:66844 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:99292 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:31647 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:57956 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:87419 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:23614 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:51602 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:83306 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:125564 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:73660 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:92740 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:101464 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:8794 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:69881 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:33937 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:60298 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:89415 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:30099 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:56042 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:85678 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:9741 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:92150 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:99968 | P | (Important) | 2021-06-24
oval:org.opensuse.security:def:5755 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:67162 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:40452 | P | Security update for libgcrypt (Important) | 2021-06-18
oval:org.opensuse.security:def:44882 | P | Security update for libgcrypt (Important) | 2021-06-18
oval:org.opensuse.security:def:41484 | P | Security update for libgcrypt (Important) | 2021-06-18
oval:org.opensuse.security:def:45914 | P | Security update for libgcrypt (Important) | 2021-06-18
oval:org.opensuse.security:def:38205 | P | Security update for libgcrypt (Important) | 2021-06-18
oval:org.opensuse.security:def:39091 | P | Security update for libgcrypt (Important) | 2021-06-18
oval:org.opensuse.security:def:43521 | P | Security update for libgcrypt (Important) | 2021-06-18
    gnupg libgcrypt 1.9.0
    gnupg libgcrypt 1.8.0
    ibm qradar security information and event manager 7.3.3
    ibm qradar security information and event manager 7.4.3 -
    ibm cloud pak for security 1.7.2.0
    ibm qradar security information and event manager 7.5.0 -
    ibm cloud pak for security 1.10.0.0
    ibm cloud pak for security 1.10.6.0