Description
ECDSA side-channel attack named Minerava have been found and it was found that it affects to jsrsasign.
Execution time of thousands signature generation have been observed then EC private key which is scalar value may be recovered since point and scalar multiplication time depends on bits of scalar. In jsrsasign 8.0.
Recommendation
Update the jsrsasign package to the latest compatible version. Followings are version details:
- Affected version(s): >= 4.0.0, < 8.0.13
- Patched version(s): 8.0.13
References
Related Issues
- ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding in jsrsasign - CVE-2020-14966
- RSA-PSS signature validation vulnerability by prepending zeros in jsrsasign - CVE-2020-14968
- express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison - Vulnerability
- RSA signature validation vulnerability on maleable encoded message in jsrsasign - CVE-2021-30246
- Tags:
- npm
- jsrsasign
Anything's wrong? Let us know Last updated on January 09, 2023