CVE-2017-14737
medium
CVSS v3
5.5
CVSS v4 NEW
โ
VIR risk
5.5
Description
A cryptographic cache-based side channel in the RSA implementation in Botan before 1.10.17, and 1.11.x and 2.x before 2.3.0, allows a local attacker to recover information about RSA secret keys, as demonstrated by CacheD. This occurs because an array is indexed with bits derived from a secret key.
Predictions
Exploit likelihood
55%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| arch | fixed | 2.3.0-1 | |
| debian | 9.0 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| botan_project | botan | {"endIncluding":"1.10.16"} | |
| botan_project | botan | 1.11.0 | |
| botan_project | botan | 1.11.1 | |
| botan_project | botan | 1.11.2 | |
| botan_project | botan | 1.11.3 | |
| botan_project | botan | 1.11.4 | |
| botan_project | botan | 1.11.5 | |
| botan_project | botan | 1.11.6 | |
| botan_project | botan | 1.11.7 | |
| botan_project | botan | 1.11.8 | |
| botan_project | botan | 1.11.9 | |
| botan_project | botan | 1.11.10 | |
| botan_project | botan | 1.11.11 | |
| botan_project | botan | 1.11.12 | |
| botan_project | botan | 1.11.13 | |
| botan_project | botan | 1.11.14 | |
| botan_project | botan | 1.11.15 | |
| botan_project | botan | 1.11.16 | |
| botan_project | botan | 1.11.17 | |
| botan_project | botan | 1.11.18 | |
| botan_project | botan | 1.11.19 | |
| botan_project | botan | 1.11.20 | |
| botan_project | botan | 1.11.21 | |
| botan_project | botan | 1.11.22 | |
| botan_project | botan | 1.11.23 | |
| botan_project | botan | 1.11.24 | |
| botan_project | botan | 1.11.25 | |
| botan_project | botan | 1.11.26 | |
| botan_project | botan | 1.11.27 | |
| botan_project | botan | 1.11.28 | |
| botan_project | botan | 1.11.33 | |
| botan_project | botan | 1.11.34 | |
| botan_project | botan | 2.0.0 | |
| botan_project | botan | 2.0.1 | |
| botan_project | botan | 2.1.0 | |
| botan_project | botan | 2.2.0 | |
References
- https://security.archlinux.org/ASA-201710-17
- https://github.com/randombit/botan/issues/1222
- https://lists.debian.org/debian-lts-announce/2021/11/msg00006.html
- https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-shuai
- https://www.suse.com/security/cve/CVE-2017-14737.html
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.