High severity · NVD Advisory · Published Jan 22, 2024 · Updated Oct 21, 2024

CVE-2024-21484

Description

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.

Workaround

The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

jsrsasign versions before 11.0.0 are vulnerable to the Marvin Attack, a timing side-channel enabling RSA decryption and signature forgery.

Vulnerability

Details

CVE-2024-21484 is an observable discrepancy vulnerability in the jsrsasign library versions prior to 11.0.0. The flaw resides in the RSA PKCS1.5 and RSAOAEP decryption processes, which leak timing information because they are not implemented in constant time. This is a manifestation of the Marvin Attack, a timing-based variant of the Bleichenbacher attack that exploits side-channel leakage in RSA operations [1][2].

Exploitation

An attacker can exploit this vulnerability by observing the time taken for RSA decryption operations performed with the same private key. The attack requires access to a large number of ciphertexts encrypted with the same key. Statistical analysis of timing measurements enables the attacker to distinguish differences in the decryption process, gradually recovering the plaintext [2][4]. The attack is practical even with a relatively small number of measurements; tests on isolated hardware showed statistically significant timing differences with as few as 100 measurements per sample [4].

Impact

Successful exploitation allows an attacker to decrypt RSA ciphertexts and forge RSA signatures. In TLS contexts, if a server defaults to RSA encryption key exchanges, an attacker can record and later decrypt sessions. For forward-secure cipher suites, forging a server signature within the connection timeout is challenging but not impossible [1].

Mitigation

The vulnerability is fixed in jsrsasign version 11.0.0, which no longer supports RSA PKCS#1.5 and RSAOAEP encryption/decryption due to this issue [3]. Users unable to upgrade immediately should replace RSA and RSAOAEP decryption with another crypto library as a workaround [2]. Note that jsrsasign reached end of support on June 3, 2026, and users are encouraged to migrate to alternative libraries [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
jsrsasign (npm)    < 11.0.0            11.0.0
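
To check a project against the affected range above, this added example (not part of the advisory or of jsrsasign) scans a parsed npm package-lock.json for jsrsasign entries below 11.0.0. The sample lockfile, the `some-sdk` package and the function names are constructed for illustration.

```javascript
// Added example: flag jsrsasign installs below the fixed release 11.0.0.
const FIXED = [11, 0, 0];

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for non-semver specs.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when the version sorts before 11.0.0 (prereleases of 11.0.0 included).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // git/tarball or missing version: report for manual review
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Walk a parsed package-lock.json. lockfileVersion 2/3 has a flat "packages"
// map keyed by install path; version 1 has a nested "dependencies" tree.
function findAffected(lock) {
  const hits = [];
  const check = (name, path, meta) => {
    if (name === "jsrsasign" && isAffected(meta.version)) hits.push({ path, version: meta.version });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    check(meta.name || path.split("node_modules/").pop(), path, meta);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, `${trail}node_modules/${name}`, meta);
      walk(meta.dependencies, `${trail}node_modules/${name}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from a real project; "some-sdk" is hypothetical).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsrsasign": { version: "10.9.0" },
    "node_modules/some-sdk/node_modules/jsrsasign": { version: "11.0.0" },
    "node_modules/jsrsasign-util": { version: "1.0.5" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

Pass it the result of `JSON.parse` on a real lockfile; transitive copies nested under other packages are reported with their install path.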
