CVE-2020-7069

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.

Weakness

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Affected Software

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/112.html
• https://cwe.mitre.org/data/definitions/192.html
• https://cwe.mitre.org/data/definitions/20.html

References

• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00045.html
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00067.html
• https://bugs.php.net/bug.php?id=79601
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7EVDN7D3IB4EAI4D3ZOM2OJKQ5SD7K4E/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2J3ZZDHCSX65T5QWV4AHBN7MOJXBEKG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRU57N3OSYZPOMFWPRDNVH7EMYOTSZ66/
• https://security.gentoo.org/glsa/202012-16
• https://security.netapp.com/advisory/ntap-20201016-0001/
• https://usn.ubuntu.com/4583-1/
• https://www.debian.org/security/2021/dsa-4856
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.tenable.com/security/tns-2021-14