Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2024-2408

Published: 9 June 2024

The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.

Notes

AuthorNote
mdeslaur
The OpenSSL commit was backported to Ubuntu packages in the
following USN: https://ubuntu.com/security/notices/USN-6663-1
As such, I am marking this CVE as not-affected for the releases
that have the updated OpenSSL package.
iconstantin
Fix additionally backported via USNs 6663-2 and 6663-3,
updating respective releases as not-affected.

Priority

Medium

Cvss 3 Severity Score

5.9

Score breakdown

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
focal Does not exist

jammy Does not exist

mantic Does not exist

noble Does not exist

trusty Needs triage

upstream Needs triage

php7.0
Launchpad, Ubuntu, Debian
focal Does not exist

jammy Does not exist

mantic Does not exist

noble Does not exist

upstream Needs triage

xenial Not vulnerable

php7.2
Launchpad, Ubuntu, Debian
bionic Not vulnerable

focal Does not exist

jammy Does not exist

mantic Does not exist

noble Does not exist

upstream Needs triage

php7.4
Launchpad, Ubuntu, Debian
focal Not vulnerable

jammy Does not exist

mantic Does not exist

noble Does not exist

upstream Needs triage

php8.1
Launchpad, Ubuntu, Debian
focal Does not exist

jammy Not vulnerable

mantic Does not exist

noble Does not exist

upstream Needs triage

php8.2
Launchpad, Ubuntu, Debian
focal Does not exist

jammy Does not exist

mantic Not vulnerable

noble Does not exist

upstream Needs triage

php8.3
Launchpad, Ubuntu, Debian
focal Does not exist

jammy Does not exist

mantic Does not exist

noble Not vulnerable

upstream Needs triage

Severity score breakdown

Parameter Value
Base score 5.9
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N