Security Advisories and Updates

CVE-2015-5464 - Key extraction vulnerability

Utimaco has been made aware of the so-called key extraction vulnerability, CVE-2015-5464. The vulnerability is based entirely on functions and mechanisms specified in the PKCS#11 standard, in particular the C_DeriveKey function with the mechanism CKM_EXTRACT_KEY_FROM_KEY. Hence, all standard-compliant PKCS#11 implementations supporting these mechanisms are affected. Whether a given application is actually subject to this vulnerability depends on the specific environment and the setting of key usage flags. We strongly encourage our customers to implement the measures and follow the guidelines described in the Utimaco Company Statement concerning the key extraction vulnerability.
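
The dependency on mechanism support and key usage flags described above can be checked slot by slot. The following is an added example, not Utimaco's code: it audits a constructed key inventory, assuming the relevant usage flag is CKA_DERIVE on secret keys; the labels and inventory data are hypothetical.

```python
# Added example: offline audit of a PKCS#11 key inventory for CVE-2015-5464 exposure.
# Numeric constants are the standard values from pkcs11t.h.
CKM_AES_CBC = 0x00001082
CKM_EXTRACT_KEY_FROM_KEY = 0x00000365
CKO_PRIVATE_KEY, CKO_SECRET_KEY = 0x3, 0x4
CKA_CLASS, CKA_LABEL = 0x000, 0x003
CKA_SENSITIVE, CKA_DERIVE, CKA_EXTRACTABLE = 0x103, 0x10C, 0x162


def audit_slot(mechanisms, keys):
    """Return (label, status) for each secret key that can act as a base key.

    mechanisms: mechanism types the slot reports (as from C_GetMechanismList).
    keys: one dict of attribute type -> value per object (as from C_GetAttributeValue).
    status is "exposed" when CKA_DERIVE is true, "unknown" when it could not be read.
    """
    if CKM_EXTRACT_KEY_FROM_KEY not in mechanisms:
        return []  # the slot does not offer the mechanism at all
    findings = []
    for attrs in keys:
        if attrs.get(CKA_CLASS) != CKO_SECRET_KEY:
            continue  # assumption: only secret keys are audited as base keys
        derive = attrs.get(CKA_DERIVE)
        if derive is None:
            # Attribute missing from the dump: flag for manual review.
            findings.append((attrs.get(CKA_LABEL, "<no label>"), "unknown"))
        elif derive:
            findings.append((attrs.get(CKA_LABEL, "<no label>"), "exposed"))
    return findings


# Constructed inventory (hypothetical labels), standing in for a real token dump.
SLOT_A_MECHS = [CKM_AES_CBC, CKM_EXTRACT_KEY_FROM_KEY]
SLOT_B_MECHS = [CKM_AES_CBC]
KEYS = [
    {CKA_CLASS: CKO_SECRET_KEY, CKA_LABEL: "master-kek", CKA_SENSITIVE: True,
     CKA_EXTRACTABLE: False, CKA_DERIVE: True},
    {CKA_CLASS: CKO_SECRET_KEY, CKA_LABEL: "db-encrypt", CKA_SENSITIVE: True,
     CKA_EXTRACTABLE: False, CKA_DERIVE: False},
    {CKA_CLASS: CKO_SECRET_KEY, CKA_LABEL: "legacy-import", CKA_SENSITIVE: True},
    {CKA_CLASS: CKO_PRIVATE_KEY, CKA_LABEL: "signing-rsa", CKA_DERIVE: True},
]

if __name__ == "__main__":
    for label, status in audit_slot(SLOT_A_MECHS, KEYS):
        print(f"{label}: {status}")
```

Keys reported as "exposed" are candidates for having CKA_DERIVE cleared where the application does not need derivation; the vendor statement remains the authority on the recommended measures.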