aws / aws-lambda-base-images

nodejs18.x node-rsa compatibility problem #150

Closed black3279 closed 3 months ago

black3279 commented 3 months ago

After nodejs18.x was committed a week ago, node-rsa does not work properly. An error occurred during decryption, and we got a TypeError. We will ask the AWS service center about it in detail, but some developers may have the same problem. I changed the base image version to 18.2024.02.07.17 and fixed it. So if you find this problem, let me know why this error occurred, and I will search about it too.

darin-holloway commented 3 months ago

Likely related https://github.com/openpgpjs/openpgpjs/issues/1732

black3279 commented 3 months ago

I found that a security patch in nodejs was executed. Libraries that take no action about the update will have the same problem. Thanks for sharing. The below is from the patch update article.

Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (CVE-2023-46809) - (Medium) A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling.

The vulnerability revealed significant timing differences in decryption for valid and invalid ciphertexts.

This poses a serious threat as attackers could remotely exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing Json Web Encryption messages.