Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-6753-1

Ubuntu Security Notice 6753-1 - Thomas Neil James Shadwell discovered that CryptoJS was using an insecure cryptographic default configuration. A remote attacker could possibly use this issue to expose sensitive information.

Packet Storm
#vulnerability#ubuntu#js#java

==========================================================================
Ubuntu Security Notice USN-6753-1
April 25, 2024

cryptojs vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.04 LTS (Available with Ubuntu Pro)
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS (Available with Ubuntu Pro)
  • Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

CryptoJS could be made to expose sensitive information.

Software Description:

  • cryptojs: collection of cryptographic algorithms implemented in JavaScript

Details:

Thomas Neil James Shadwell discovered that CryptoJS was using an insecure
cryptographic default configuration. A remote attacker could possibly use
this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):
libjs-cryptojs 3.1.2+dfsg-3ubuntu0.22.04.1~esm1

Ubuntu 20.04 LTS:
libjs-cryptojs 3.1.2+dfsg-2ubuntu0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libjs-cryptojs 3.1.2+dfsg-2ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libjs-cryptojs 3.1.2+dfsg-2ubuntu0.16.04.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6753-1
CVE-2023-46233

Package Information:
https://launchpad.net/ubuntu/+source/cryptojs/3.1.2+dfsg-2ubuntu0.20.04.1

Related news

GHSA-xwcq-pm8m-c4vf: crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard

Maintainer: please click 'request CVE' when accepting this report so that upstream fixes of this vulnerability can be tracked. **Thank you for your hard work maintaining this package.** ### Impact #### Summary Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current industry standard][OWASP PBKDF2 Cheatsheet]. This is because it both (1) defaults to [SHA1][SHA1 wiki], a cryptographic hash algorithm considered insecure [since at least 2005][Cryptanalysis of SHA-1] and (2) defaults to [one single iteration][one iteration src], a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to [preimage][preimage attack] and [collision][collision attack] attacks. Potential Impact: 1. If used to protect passwords, the impact is high. 2. If used to generate signatures, the impact is high. Probability / risk analysis / attack enumeration: 1. [For at most ...

CVE-2023-46233: crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution