
Security vulnerabilities

This page lists publicly disclosed security vulnerabilities that affect the DigiCert® TrustCore SDK. Each entry includes the CVE identifier (if one exists), the affected component or module, the CVSS v3.1 base score and severity, the first TrustCore SDK release that contains the fix, and the recommended mitigation steps.

Note

Reporting a vulnerability

We welcome and appreciate responsible disclosure of security vulnerabilities. If you discover a potential issue, please submit your report using the Report a vulnerability form on the project's GitHub repository. This creates a private channel between you and DigiCert®, ensuring the information reaches us quickly and securely.

If you are unable to use GitHub's workflow (or have a compelling reason not to), email the details to support@digicert.com. We value your help in keeping our software secure.

Vulnerabilities

Table 1. TrustCore SDK CVE details and fixed versions

| CVE / Advisory | Affected component(s) | Severity (CVSS v3.1) | Fixed in | Mitigation / work-around |
|---|---|---|---|---|
| CVE-2023-48795 – “Terrapin” SSH prefix-truncation | NanoSSH 7.0 | 5.9 Medium | U4 | Upgrade to U4 or later AND keep the default build options that disable chacha20-poly1305 and CBC with Encrypt-then-MAC. |
| CVE-2023-46445 – Rogue Extension Negotiation | NanoSSH 7.0 | 5.9 Medium | U4 | Upgrade to U4 or later. |
| CVE-2023-46446 – Rogue Session Attack | NanoSSH 7.0 | 6.8 Medium | U4 | Upgrade to U4 or later. |
| CVE-2023-3817 – OpenSSL DH parameter validation | OpenSSL Connector 1.1 | 5.3 Medium | U6 | Upgrade to U6 or later. |
| CVE-2022-4304 – RSA decryption timing side-channel | NanoCrypto 7.0 | 5.9 Medium | U4 (build with --enable-vlong-const) | Re-build with the --enable-vlong-const flag or upgrade to U4 or later. |
| CVE-2016-2183 – SWEET32 (3DES) | OpenSSL Connector 7.0 / NanoSSL 7.0 | 7.5 High | U4 (3DES disabled by default) | Upgrade to U4 or later, or disable the 3DES cipher suites manually. |

Other advisories

Table 2. Additional security advisory details

| Ticket # | Details | Component(s) | Severity | Fixed in | Notes |
|---|---|---|---|---|---|
| #3658904 | RSA signature computation glitch | NanoSSH / NanoSSL / NanoSec | High | U4 | Update to U4 or later to ensure constant-time RSA operations. |
| #3834648 / #3706260 | SIGALRM blocked when linking libcrypto. | OpenSSL Connector | Medium | U4 | Build with the --disable-tcp-init flag or upgrade to U4 or later. |
| #04187099 | Memory leak in TLS server | NanoSSL 7.0 | Low | U6 | Upgrade to U6 or later. |

Mitigation best practices

  • Always build against the latest TrustCore SDK release.

  • Follow NIST SP 800-131A Rev. 2 recommendations (disable legacy ciphers such as 3DES and RSA keys <2048 bits) and be aware of upcoming guidance like NIST SP 800-131A Rev. 3.

  • Enable the build flags that enforce constant-time cryptography (for example --enable-vlong-const and --fips-700-compat).