Fluid Attacks Database

Description

Crypto++ through 8.4 contains a timing side channel in ECDSA signature generation. Function FixedSizeAllocatorWithCleanup could write to memory outside of the allocation if the allocated memory was not 16-byte aligned. NOTE: this issue exists because the CVE-2019-14318 fix was intentionally removed for functionality reasons.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 11	libcrypto++	=8.4.0-1 \|\| =8.5.0-1 \|\| =8.6.0-1 \|\| =8.6.0-2 \|\| =8.6.0-3 \|\| =8.7.0+git220824-1 \|\| =8.7.0-1 \|\| =8.8.0-1 \|\| =8.8.0-2 \|\| =8.9.0-1 \|\| =8.9.0-1.1 \|\| =8.9.0-1.1~exp1 \|\| =8.9.0-2
debian 12	libcrypto++	=8.7.0+git220824-1 \|\| =8.8.0-1 \|\| =8.8.0-2 \|\| =8.9.0-1 \|\| =8.9.0-1.1 \|\| =8.9.0-1.1~exp1 \|\| =8.9.0-2
debian 13	libcrypto++	=8.9.0-2
debian 14	libcrypto++	=8.9.0-2

Aliases

1. CVE-2022-485702. NVD-2022-485703. OSV-DEBIAN-2022-485704. OSV-2022-485705. SECURITY-TRACKER-CVE-2022-48570

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.