Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Zend Framework < 2.4.9 Encryption Weakness

Medium

Synopsis

The remote host is using a version of Zend Framework that is vulnerable to a chosen-ciphertext attack vector.

Description

Versions of Zend Framework earlier than 2.4.9 are exposed to a flaw in 'zend-crypt' that is triggered when 'Zend\Crypt\PublicKey\Rsa\PublicKey' contains a call to 'openssl_public_encrypt()' that ultimately uses PKCS1v1.5 padding. This padding has a known vulnerability, known as Bleichenbacher's chosen-ciphertext attack, which can be used to recover an RSA private key. This may potentially allow a remote attacker to decrypt ciphertext.

Solution

Upgrade Zend Framework to version 2.4.9 or later.