jsethi

Information on DPD200259352 Regarding Vulnerability Report of IPP Crypt

IPP v7.0 update 6 contains the following fix:

DPD200259352 Regarding Vulnerability Report of IPP Crypt

I am working in an environment that implements the IPP library, and we are required by compliance regulations to assess all vulnerabilities that affect the environment. Is this a fix that addresses a vulnerability, or is it just related to reporting? If it does address a vulnerability, I have the following questions:

Are the details of the vulnerability public? Is it being exploited?
What is the exploit vector (MITM? remotely exploitable?)?
What level of privileges are required (none required, valid user required)?
Chao_Y_Intel

Hello,

Actually, DPD200259352 includes the fixes for:

ippsRSASign_XXX_PKCSv15 handling of very long messages (msgLen>0x7FFFFFFF bytes). IPP 7.0.6 fixed the bug with such long messages.

The ippsRSAOAEPEncrypt_XXX function adds a check on the input parameter pLabel=0. When pLabel==0 && labelLen!=0, these are considered bad parameters.

If these specific cases are not used in the application, it is not affected by that fix.

Thanks,
Chao
