CVE-2024-21484

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to decrypt RSA-encrypted data by exploiting timing discrepancies in the jsrsasign library's PKCS1.5 and RSAOAEP decryption implementations. Systems using jsrsasign versions before 11.0.0 for RSA decryption operations are affected, particularly those where attackers can observe many ciphertexts encrypted with the same key.

💻 Affected Systems

Products:
  • jsrsasign library
Versions: All versions before 11.0.0
Operating Systems: All platforms using jsrsasign
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems that use the RSA PKCS1.5 or RSAOAEP decryption functions from the jsrsasign library.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of encrypted data confidentiality, allowing attackers to decrypt sensitive information protected by RSA encryption.

🟠 Likely Case

Targeted decryption of specific encrypted messages or data after observing sufficient ciphertexts, potentially exposing sensitive information.

🟢 If Mitigated

Limited impact with proper key rotation, rate limiting, and monitoring for unusual decryption patterns.

🌐 Internet-Facing: MEDIUM - Requires the attacker to have access to many ciphertexts encrypted with the same key, which may be possible on public APIs or services.
🏢 Internal Only: LOW - Internal systems typically have more controlled access, making large-scale ciphertext collection harder.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires collecting many ciphertexts encrypted with the same key and performing timing analysis (Marvin attack).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.0

Vendor Advisory: https://github.com/kjur/jsrsasign/releases/tag/11.0.0

Restart Required: No

Instructions:

1. Update jsrsasign dependency to version 11.0.0 or later.
2. Update package.json to specify 'jsrsasign': '^11.0.0'.
3. Run npm update or equivalent package manager command.
4. Test RSA decryption functionality.

🔧 Temporary Workarounds

Replace RSA decryption with alternative library

all

Replace jsrsasign RSA PKCS1.5 and RSAOAEP decryption calls with equivalent functions from a different cryptographic library that is not vulnerable.

🧯 If You Can't Patch

  • Implement strict rate limiting on decryption operations to prevent collection of sufficient ciphertexts for timing analysis
  • Rotate RSA keys frequently to limit window for ciphertext collection and analysis

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for the jsrsasign version. If the version is below 11.0.0 and RSA decryption is used, the system is vulnerable.

Check Version:

Run npm list jsrsasign, or check package.json for the version.

Verify Fix Applied:

Verify jsrsasign version is 11.0.0 or higher in package.json and confirm RSA decryption functions work correctly after update.
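
A direct dependency can be at 11.0.0 while another package still pins an older nested copy, so the lockfile check above is worth running over every resolved jsrsasign entry. The following is an added example, not code from jsrsasign or from this page's source; the function names, the sample lockfile and the package "example-jwt-helper" are constructed for illustration.

```javascript
// Fixed release named on this page.
const FIXED = [11, 0, 0];

// Classify a resolved version string against 11.0.0.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[^+]+)?(\+.*)?$/.exec(String(version));
  if (!m) return "unknown"; // git/URL specs or missing versions need manual review
  const nums = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i] ? "vulnerable" : "fixed";
  }
  // A prerelease such as 11.0.0-rc.1 sorts before 11.0.0 in semver.
  return m[4] ? "vulnerable" : "fixed";
}

// Return every jsrsasign copy recorded in a parsed package-lock.json.
function findJsrsasign(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === "node_modules/jsrsasign" || path.endsWith("/node_modules/jsrsasign")) {
        found.push({ path, version: pkg.version });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" trees.
    const walk = (deps, prefix) => {
      for (const [name, pkg] of Object.entries(deps || {})) {
        const path = prefix + "node_modules/" + name;
        if (name === "jsrsasign") found.push({ path, version: pkg.version });
        walk(pkg.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found.map((f) => ({ ...f, status: classify(f.version) }));
}

// Constructed sample lockfile; "example-jwt-helper" is a hypothetical package.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsrsasign": { version: "11.1.0" },
    "node_modules/example-jwt-helper": { version: "2.3.1" },
    "node_modules/example-jwt-helper/node_modules/jsrsasign": { version: "10.8.6" },
  },
};

console.log(findJsrsasign(SAMPLE_LOCK_V3));
```

To run it against a real project, pass the parsed contents of package-lock.json to findJsrsasign and treat any entry whose status is not "fixed" as still needing the update.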

📡 Detection & Monitoring

Log Indicators:

  • Unusually high volume of RSA decryption requests
  • Multiple failed decryption attempts with timing patterns

Network Indicators:

  • High volume of encrypted traffic to decryption endpoints
  • Repeated similar-sized encrypted payloads

SIEM Query:

source=application_logs 'RSA.*decrypt' | stats count by src_ip, user | where count > threshold
