CVE-2021-33560
CVE-2021-33560 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP. EPSS estimates a 2.34% chance of exploitation in the next 30 days.
Description
Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Gnupg | Libgcrypt | < 1.8.8 |
| Gnupg | Libgcrypt | >= 1.9.0, < 1.9.3 |
| Debian | Debian Linux | 9.0 |
| Fedoraproject | Fedora | 33 |
| Fedoraproject | Fedora | 34 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.11.0 |
| Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 1.9.0 |
| Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 1.10.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.14.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.15.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.15.1 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.15.0 |
References
- https://dev.gnupg.org/T5305 (Release Notes, Vendor Advisory)
- https://dev.gnupg.org/T5328 (Vendor Advisory)
- https://dev.gnupg.org/T5466 (Release Notes, Vendor Advisory)
- https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61 (Patch, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2021/06/msg00021.html (Mailing List, Third Party Advisory)
- https://security.gentoo.org/glsa/202210-13 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-33560?
How severe is CVE-2021-33560?
How do I fix CVE-2021-33560?
Source: NVD / NIST
