{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/centos7els/vex/2024/cve-2024-2236-els_os-centos7els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-06-06T02:09:46Z",
      "generator": {
        "date": "2026-06-06T02:09:46Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2024-2236-ELS_OS-CENTOS7ELS",
      "initial_release_date": "2024-03-06T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-03-06T00:00:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-04T20:41:25Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-06-06T02:09:46Z",
          "number": "3",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "3"
    },
    "title": "Security update on CVE-2024-2236"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 7",
                "product": {
                  "name": "Community Enterprise Operating System 7",
                  "product_id": "CentOS-7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libgcrypt-devel-0:1.5.3-14.el7.x86_64",
                "product": {
                  "name": "libgcrypt-devel-0:1.5.3-14.el7.x86_64",
                  "product_id": "libgcrypt-devel-0:1.5.3-14.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/libgcrypt-devel@1.5.3-14.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libgcrypt-0:1.5.3-14.el7.x86_64",
                "product": {
                  "name": "libgcrypt-0:1.5.3-14.el7.x86_64",
                  "product_id": "libgcrypt-0:1.5.3-14.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/libgcrypt@1.5.3-14.el7?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libgcrypt-devel-0:1.5.3-14.el7.i686",
                "product": {
                  "name": "libgcrypt-devel-0:1.5.3-14.el7.i686",
                  "product_id": "libgcrypt-devel-0:1.5.3-14.el7.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/libgcrypt-devel@1.5.3-14.el7?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libgcrypt-0:1.5.3-14.el7.i686",
                "product": {
                  "name": "libgcrypt-0:1.5.3-14.el7.i686",
                  "product_id": "libgcrypt-0:1.5.3-14.el7.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/libgcrypt@1.5.3-14.el7?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.x86_64",
                "product": {
                  "name": "libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.x86_64",
                  "product_id": "libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libgcrypt-devel@1.5.3-14.el7.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libgcrypt-0:1.5.3-14.el7.tuxcare.els1.x86_64",
                "product": {
                  "name": "libgcrypt-0:1.5.3-14.el7.tuxcare.els1.x86_64",
                  "product_id": "libgcrypt-0:1.5.3-14.el7.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libgcrypt@1.5.3-14.el7.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.i686",
                "product": {
                  "name": "libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.i686",
                  "product_id": "libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libgcrypt-devel@1.5.3-14.el7.tuxcare.els1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libgcrypt-0:1.5.3-14.el7.tuxcare.els1.i686",
                "product": {
                  "name": "libgcrypt-0:1.5.3-14.el7.tuxcare.els1.i686",
                  "product_id": "libgcrypt-0:1.5.3-14.el7.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libgcrypt@1.5.3-14.el7.tuxcare.els1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.x86_64"
        },
        "product_reference": "libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.i686"
        },
        "product_reference": "libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgcrypt-0:1.5.3-14.el7.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libgcrypt-0:1.5.3-14.el7.tuxcare.els1.x86_64"
        },
        "product_reference": "libgcrypt-0:1.5.3-14.el7.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgcrypt-0:1.5.3-14.el7.tuxcare.els1.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libgcrypt-0:1.5.3-14.el7.tuxcare.els1.i686"
        },
        "product_reference": "libgcrypt-0:1.5.3-14.el7.tuxcare.els1.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgcrypt-devel-0:1.5.3-14.el7.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.x86_64"
        },
        "product_reference": "libgcrypt-devel-0:1.5.3-14.el7.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgcrypt-devel-0:1.5.3-14.el7.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.i686"
        },
        "product_reference": "libgcrypt-devel-0:1.5.3-14.el7.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgcrypt-0:1.5.3-14.el7.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libgcrypt-0:1.5.3-14.el7.x86_64"
        },
        "product_reference": "libgcrypt-0:1.5.3-14.el7.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgcrypt-0:1.5.3-14.el7.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libgcrypt-0:1.5.3-14.el7.i686"
        },
        "product_reference": "libgcrypt-0:1.5.3-14.el7.i686",
        "relates_to_product_reference": "CentOS-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-2236",
      "cwe": {
        "id": "CWE-385",
        "name": "Covert Timing Channel"
      },
      "notes": [
        {
          "category": "description",
          "text": "A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "CentOS-7:libgcrypt-0:1.5.3-14.el7.i686",
          "CentOS-7:libgcrypt-0:1.5.3-14.el7.tuxcare.els1.i686",
          "CentOS-7:libgcrypt-0:1.5.3-14.el7.tuxcare.els1.x86_64",
          "CentOS-7:libgcrypt-0:1.5.3-14.el7.x86_64",
          "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.i686",
          "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.i686",
          "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.x86_64",
          "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-2236"
        }
      ],
      "release_date": "2024-03-06T00:00:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "date": "2026-06-05T20:40:28.996101Z",
          "details": "This flaw is only exploitable when a network-exposed application actually performs RSA decryption with libgcrypt (e.g., PKCS#1 v1.5 or OAEP), since Bleichenbacher-style attacks require a decryption oracle; typical TLS configurations that use ECDHE with RSA signatures or TLS 1.3 do not invoke server-side RSA decryption. Even where RSA decryption is present, a practical attack demands a very large volume of precisely timed requests to distinguish sub‑microsecond variations across real networks and virtualized/cloud hosts, aligning with the “High” attack complexity. Because the issue does not enable code execution or privilege escalation and only threatens confidentiality under narrow cryptographic usage, it can be safely deprioritized for centrally managed enterprise VM/server environments. Hosts where a network-exposed application does perform RSA decryption with libgcrypt remain affected, because no fix is planned for the listed packages; operators should confirm that no such service is present before deprioritizing.",
          "product_ids": [
            "CentOS-7:libgcrypt-0:1.5.3-14.el7.i686",
            "CentOS-7:libgcrypt-0:1.5.3-14.el7.tuxcare.els1.i686",
            "CentOS-7:libgcrypt-0:1.5.3-14.el7.tuxcare.els1.x86_64",
            "CentOS-7:libgcrypt-0:1.5.3-14.el7.x86_64",
            "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.i686",
            "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.i686",
            "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.x86_64",
            "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:libgcrypt-0:1.5.3-14.el7.i686",
            "CentOS-7:libgcrypt-0:1.5.3-14.el7.tuxcare.els1.i686",
            "CentOS-7:libgcrypt-0:1.5.3-14.el7.tuxcare.els1.x86_64",
            "CentOS-7:libgcrypt-0:1.5.3-14.el7.x86_64",
            "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.i686",
            "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.i686",
            "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.tuxcare.els1.x86_64",
            "CentOS-7:libgcrypt-devel-0:1.5.3-14.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}