阿里云漏洞库

漏洞描述

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://bugzilla.redhat.com/show_bug.cgi?id=1942533
https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.gentoo.org/glsa/202105-31
https://security.netapp.com/advisory/ntap-20211022-0002/
https://www.debian.org/security/2021/dsa-4933

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	nettle_project	nettle	*		Up to (excluding) 3.7.2
	运行在以下环境
	系统	alibaba_cloud_linux_2.1903	nettle	*		Up to (excluding) 2.7.1-9.1.al7
	运行在以下环境
	系统	alibaba_cloud_linux_3	gnutls	*		Up to (excluding) 3.6.14-8.1.al8
	运行在以下环境
	系统	alpine_3.13	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_3.14	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_3.15	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_3.16	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_3.17	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_3.18	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_3.19	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	amazon_2	nettle	*		Up to (excluding) 2.7.1-9.amzn2
	运行在以下环境
	系统	anolis_os_8	gnutls	*		Up to (excluding) 3.4.1-2
	运行在以下环境
	系统	centos_7	nettle	*		Up to (excluding) 2.7.1-9.el7_9
	运行在以下环境
	系统	debian_10	nettle	*		Up to (excluding) 3.4.1-1+deb10u1
	运行在以下环境
	系统	debian_11	nettle	*		Up to (excluding) 3.7.2-1
	运行在以下环境
	系统	debian_12	nettle	*		Up to (excluding) 3.7.2-1
	运行在以下环境
	系统	debian_9	nettle	*		Up to (excluding) 3.3-1+deb9u1
	运行在以下环境
	系统	fedora_33	gnutls	*		Up to (excluding) 3.6.16-1.fc33
	运行在以下环境
	系统	kylinos_aarch64_V10	nettle	*		Up to (excluding) 2.7.1-9.el7_9
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	nettle	*		Up to (excluding) 3.6-5.p02.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP1	nettle	*		Up to (excluding) 3.6-5.p02.a.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10	nettle	*		Up to (excluding) 2.7.1-9.el7_9
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	nettle	*		Up to (excluding) 3.6-5.p02.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP2	nettle	*		Up to (excluding) 3.6-5.p02.ky10
	运行在以下环境
	系统	opensuse_Leap_15.2	nettle	*		Up to (excluding) 3.4.1-lp152.4.3.1
	运行在以下环境
	系统	oracle_7	nettle	*		Up to (excluding) 2.7.1-9.el7_9
	运行在以下环境
	系统	oracle_8	nettle	*		Up to (excluding) 3.6.14-8.el8_3
	运行在以下环境
	系统	redhat_7	nettle	*		Up to (excluding) 2.7.1-9.el7_9
	运行在以下环境
	系统	redhat_8	gnutls	*		Up to (excluding) 3.6.14-8.el8_3
	运行在以下环境
	系统	rocky_linux_8	nettle	*		Up to (excluding) 3.6.14-8.el8_3
	运行在以下环境
	系统	suse_12_SP5	libnettle4	*		Up to (excluding) 2.7.1-13.3.1
	运行在以下环境
系统	ubuntu_16.04	nettle	*		Up to (excluding) 3.2-1ubuntu0.16.04.2
运行在以下环境
系统	ubuntu_18.04	nettle	*		Up to (excluding) 3.4-1ubuntu0.1
运行在以下环境
系统	ubuntu_20.04	nettle	*		Up to (excluding) 3.5.1+really3.5.1-2ubuntu0.1
运行在以下环境
系统	ubuntu_21.04	nettle	*		Up to (excluding) 3.7-2.1ubuntu1
运行在以下环境
系统	ubuntu_21.10	nettle	*		Up to (excluding) 3.7-2.1ubuntu1
运行在以下环境
系统	ubuntu_22.04	nettle	*		Up to (excluding) 3.7-2.1ubuntu1
运行在以下环境
系统	ubuntu_22.10	nettle	*		Up to (excluding) 3.7-2.1ubuntu1

攻击路径

远程
攻击复杂度

困难
权限要求

普通权限
影响范围

有限影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

数据泄露
数据完整性

无影响
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
CWE-327	使用已被攻破或存在风险的密码学算法
CWE-787	跨界内存写

低危 nettle_project nettle 使用已被攻破或存在风险的密码学算法

漏洞描述

解决建议

参考链接

受影响软件情况