CVE-2017-14737
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/09/2017
Last modified:
20/04/2025
Description
A cryptographic cache-based side channel in the RSA implementation in Botan before 1.10.17, and 1.11.x and 2.x before 2.3.0, allows a local attacker to recover information about RSA secret keys, as demonstrated by CacheD. This occurs because an array is indexed with bits derived from a secret key.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Base Score 2.0
2.10
Severity 2.0
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:* | 1.10.16 (including) | |
| cpe:2.3:a:botan_project:botan:1.11.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.6:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.7:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.8:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.9:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.10:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.11:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.12:*:*:*:*:*:*:* | ||
| cpe:2.3:a:botan_project:botan:1.11.13:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/randombit/botan/issues/1222
- https://lists.debian.org/debian-lts-announce/2021/11/msg00006.html
- https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-shuai
- https://github.com/randombit/botan/issues/1222
- https://lists.debian.org/debian-lts-announce/2021/11/msg00006.html
- https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-shuai