DPD200259352 Regarding Vulnerability Report of IPP Crypt
I am working in an environment that implements the IPP library, and we are required by compliance regulations to assess all vulnerabilities that affect the environment. Is this a fix that addresses a vulnerability, or is it just related to reporting? If it does address a vulnerability, I have the following questions:
Are the details of the vulnerability public? Is it being exploited?
What is the exploit vector (MITM? remotely exploitable?)
What level of privileges are required (none required, valid user required)?
Actually, DPD200259352 includes fixes for:
ippsRSASign_XXX_PKCSv15 handling very long messages (msgLen>0x7FFFFFFF bytes). IPP 7.0.6 fixed the bug with such long messages.
The ippsRSAOAEPEncrypt_XXX function adds a check on the input parameter pLabel=0. When pLabel==0 && labelLen!=0, the parameters are considered bad.
If these specific cases are not used in the application, it is not affected by that fix.