ALAS-2024-492

Amazon Linux 2023 Security Advisory: ALAS-2024-492
Advisory Release Date: 2024-01-19 01:31 Pacific
Advisory Updated Date: 2024-01-22 20:30 Pacific
Severity: Medium
Issue Overview:

It was discovered that the numerical library used in NSS for RSA cryptography leaks information whether high order bits of the RSA decryption result are zero. This information can be used to mount a Bleichenbacher or Manger like attack against all RSA decryption operations. As the leak happens before any padding operations, it affects all padding modes: PKCS#1 v1.5, OAEP, and RSASVP. Both API level calls and TLS server operation are affected. (CVE-2023-5388)


Affected Packages:

nss


Issue Correction:
Run dnf update nss --releasever 2023.3.20240122 to update your system.

New Packages:
aarch64:
    nss-debuginfo-3.90.0-3.amzn2023.0.4.aarch64
    nss-util-devel-3.90.0-3.amzn2023.0.4.aarch64
    nss-sysinit-debuginfo-3.90.0-3.amzn2023.0.4.aarch64
    nss-util-debuginfo-3.90.0-3.amzn2023.0.4.aarch64
    nss-sysinit-3.90.0-3.amzn2023.0.4.aarch64
    nss-softokn-freebl-debuginfo-3.90.0-3.amzn2023.0.4.aarch64
    nss-softokn-debuginfo-3.90.0-3.amzn2023.0.4.aarch64
    nss-tools-debuginfo-3.90.0-3.amzn2023.0.4.aarch64
    nspr-devel-4.35.0-5.amzn2023.0.4.aarch64
    nss-softokn-devel-3.90.0-3.amzn2023.0.4.aarch64
    nss-softokn-freebl-devel-3.90.0-3.amzn2023.0.4.aarch64
    nspr-debuginfo-4.35.0-5.amzn2023.0.4.aarch64
    nss-softokn-3.90.0-3.amzn2023.0.4.aarch64
    nss-devel-3.90.0-3.amzn2023.0.4.aarch64
    nss-softokn-freebl-3.90.0-3.amzn2023.0.4.aarch64
    nspr-4.35.0-5.amzn2023.0.4.aarch64
    nss-pkcs11-devel-3.90.0-3.amzn2023.0.4.aarch64
    nss-util-3.90.0-3.amzn2023.0.4.aarch64
    nss-tools-3.90.0-3.amzn2023.0.4.aarch64
    nss-3.90.0-3.amzn2023.0.4.aarch64
    nss-debugsource-3.90.0-3.amzn2023.0.4.aarch64

src:
    nss-3.90.0-3.amzn2023.0.4.src

x86_64:
    nss-softokn-devel-3.90.0-3.amzn2023.0.4.x86_64
    nspr-devel-4.35.0-5.amzn2023.0.4.x86_64
    nss-softokn-debuginfo-3.90.0-3.amzn2023.0.4.x86_64
    nss-sysinit-3.90.0-3.amzn2023.0.4.x86_64
    nss-devel-3.90.0-3.amzn2023.0.4.x86_64
    nss-debuginfo-3.90.0-3.amzn2023.0.4.x86_64
    nss-util-3.90.0-3.amzn2023.0.4.x86_64
    nspr-debuginfo-4.35.0-5.amzn2023.0.4.x86_64
    nss-util-debuginfo-3.90.0-3.amzn2023.0.4.x86_64
    nss-debugsource-3.90.0-3.amzn2023.0.4.x86_64
    nss-pkcs11-devel-3.90.0-3.amzn2023.0.4.x86_64
    nss-tools-debuginfo-3.90.0-3.amzn2023.0.4.x86_64
    nss-sysinit-debuginfo-3.90.0-3.amzn2023.0.4.x86_64
    nss-tools-3.90.0-3.amzn2023.0.4.x86_64
    nspr-4.35.0-5.amzn2023.0.4.x86_64
    nss-softokn-freebl-devel-3.90.0-3.amzn2023.0.4.x86_64
    nss-3.90.0-3.amzn2023.0.4.x86_64
    nss-softokn-freebl-3.90.0-3.amzn2023.0.4.x86_64
    nss-softokn-freebl-debuginfo-3.90.0-3.amzn2023.0.4.x86_64
    nss-util-devel-3.90.0-3.amzn2023.0.4.x86_64
    nss-softokn-3.90.0-3.amzn2023.0.4.x86_64

Additional References

Red Hat: CVE-2023-5388

Mitre: CVE-2023-5388