Security vulnerabilities
2 minute read
This page lists publicly disclosed security vulnerabilities that affect DigiCert® TrustCore SDK. Each entry includes the CVE identifier (if one exists), the affected component or module, the CVSS v3.1 base score and severity, the first TrustCore SDK release that contains the fix, and recommended mitigation steps.
Note
Reporting a vulnerability
We welcome and appreciate responsible disclosure of security vulnerabilities. If you discover a potential issue, please submit your report using the Report a vulnerability form on the project’s repository in GitHub. This creates a private channel between you and DigiCert®, ensuring the information reaches us quickly and securely.
If you are unable to use GitHub’s workflow (or have a compelling reason not to) email the details to support@digicert.com. We value your help in keeping our software secure.
Vulnerabilities
| CVE / Advisory | Affected component(s) | Severity (CVSS v3.1) | Fixed in | Mitigation / work-around |
|---|---|---|---|---|
| CVE-2023-48795 – “Terrapin” SSH prefix-truncation | NanoSSH 7.0 | 5.9 Medium | U4 | Upgrade to U4 or later AND keep the default build options that disable chacha20-poly1305 and CBC with Encrypt-then-MAC. |
| CVE-2023-46445 – Rogue Extension Negotiation | NanoSSH 7.0 | 5.9 Medium | U4 | Upgrade to U4 or later. |
| CVE-2023-46446 – Rogue Session Attack | NanoSSH 7.0 | 6.8 Medium | U4 | Upgrade to U4 or later. |
| CVE-2023-3817 – OpenSSL DH parameter validation | OpenSSL Connector 1.1 | 5.3 Medium | U6 | Upgrade to U6 or later. |
| CVE-2022-4304 – RSA decryption timing side-channel | NanoCrypto 7.0 | 5.9 Medium | U4 (build with --enable-vlong-const) | Re-build with the enable-vlong-const flag or upgrade to U4+. |
| CVE-2016-2183 – SWEET32 (3DES) | OpenSSL Connector 7.0 / NanoSSL 7.0 | 7.5 High | U4 (3DES disabled by default) | Upgrade to U4+ or disable 3DES cipher suites manually. |
Other advisories
| Ticket # | Details | Component(s) | Severity | Fixed in | Notes |
|---|---|---|---|---|---|
| #3658904 | RSA signature computation glitch | NanoSSH / NanoSSL / NanoSec | High | U4 | Update to U4+ to ensure constant-time RSA operations. |
| #3834648 #3706260 | SIGALRM blocked when linking libcrypto. | OpenSSL Connector | Medium | U4 | Build with --disable-tcp-init flag or upgrade to U4+. |
| #04187099 | Memory leak in TLS server | NanoSSL 7.0 | Low | U6 | Upgrade to U6+. |
Mitigation best practices
- Always build the latest TrustCore SDK release.
- Follow NIST SP 800-131A Rev. 2 recommendations (disable legacy ciphers such as 3DES and RSA keys <2048 bits) and be aware of upcoming guidance like NIST SP 800-131A Rev. 3.
- Enable compiler flags that enforce constant-time crypto (
enable-vlong-const,--fips-700-compat).