IBM Common Cryptographic Architecture ECDSA Timing Attack Vulnerability
Vulnerability
A vulnerability in IBM Common Cryptographic Architecture (CCA) versions 7.0.0 through 7.5.51 could allow remote attackers to obtain sensitive information by exploiting a timing-based attack during the creation of ECDSA signatures. This vulnerability is present in CCA 7.x MTM for 4769, as well as the IBM 4769 Developers Toolkit.
Impact
Exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive information.
Remediation
Users are advised to upgrade to version 7.5.52 or later. For IBM CCA 7.x MTM for 4769, version 7.5.52 can be downloaded from the CCA Software Download Page. For IBM i, the CY3 PTF updates CCA 7.x MTM for 4769 to version 7.5.52. The PTF numbers for this update are SJ02618 for IBM i 7.5, SJ02616 for IBM i 7.4, and SJ02617 for IBM i 7.3. Customers using the IBM 4769 Developers Toolkit should contact their toolkit provider for the latest version.
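An added example, not part of the advisory or of IBM's tooling: a Python triage check that applies the affected range (7.0.0 through 7.5.51) and the PTF numbers above to an inventory of CCA installations. The record schema, host names and status labels are assumptions made for illustration, and collecting the installed version from each host is left to whatever inventory source is in use.

```python
import re

# Values taken from the advisory text above.
AFFECTED_MIN, AFFECTED_MAX = (7, 0, 0), (7, 5, 51)   # inclusive range
IBM_I_PTF = {"7.5": "SJ02618", "7.4": "SJ02616", "7.3": "SJ02617"}

def parse_version(text):
    """Turn 'major.minor.patch' into a tuple so 7.5.9 sorts below 7.5.51."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text or "")
    if not m:
        raise ValueError(f"unparseable CCA version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def triage(record):
    """Return (status, action) for one inventory record (hypothetical schema)."""
    try:
        affected = is_affected(record.get("cca_version"))
    except ValueError:
        return "unknown", "version not parseable; verify on the host"
    if not affected:
        return "not_listed", "outside the range this advisory lists"
    if record.get("product") == "toolkit":
        return "affected", "contact the toolkit provider for the latest version"
    release = record.get("ibm_i_release")
    if release in IBM_I_PTF:
        return "affected", f"apply PTF {IBM_I_PTF[release]} (CCA 7.5.52)"
    return "affected", "upgrade to CCA 7.5.52 or later"

# Constructed sample inventory; host names and field names are illustrative.
INVENTORY = [
    {"host": "hsm-a", "product": "mtm", "cca_version": "7.5.9"},
    {"host": "hsm-b", "product": "mtm", "cca_version": "7.5.52"},
    {"host": "ibmi-1", "product": "mtm", "cca_version": "7.4.2", "ibm_i_release": "7.4"},
    {"host": "dev-1", "product": "toolkit", "cca_version": "7.0.0"},
    {"host": "hsm-c", "product": "mtm", "cca_version": "7.5.x"},
]

if __name__ == "__main__":
    for rec in INVENTORY:
        status, action = triage(rec)
        print(f"{rec['host']:8} {rec['cca_version']:8} {status:11} {action}")
```

Comparing versions as integer tuples matters here: a plain string comparison would sort 7.5.9 above 7.5.51 and report an affected host as fixed.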
