Utimaco has been made aware of the so-called key extraction vulnerability CVE-2015-5464. The vulnerability CVE-2015-5464 is entirely based on functions and mechanisms specified in the PKCS#11 standard, in particular the
C_Derive function with mechanism
CKM_EXTRACT_KEY_FROM_KEY. Hence, all standard-compliant PKCS#11 implementations supporting these mechanisms are affected. Whether a given application is actually subject to this vulnerability depends on the specific environment and setting of key usage flags. We strongly encourage our customers to implement measures and follow guidelines as described in Utimaco Company Statement concerning key extraction vulnerability.