opencryptoki-3.22.0-3.el8_10.2
Errata ID: AXSA:2026-365:03
The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages include support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.
Security Fix(es):
* openCryptoki: openCryptoki: Privilege Escalation or Data Exposure via Symlink Following (CVE-2026-23893)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-23893
openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication.
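The failure mode described above comes from a privileged process changing ownership by path inside a directory that less-privileged users can write to. The following C sketch is an added example, not openCryptoki code and not the change made in commit 5e6e4b4: it shows one general way to reset ownership through a file descriptor so that a planted symlink or hard link is refused. The names `reset_owner_nofollow` and `demo`, the scratch directory and the entry names are hypothetical and constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: reset ownership of `name` inside the directory open at
 * `dirfd` without following a symlink. Returns 0 on success, -1 if refused. */
int reset_owner_nofollow(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    /* O_NOFOLLOW rejects a symlink as the final path component (ELOOP);
     * O_NONBLOCK keeps the open from hanging on a planted FIFO. */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Check the object that was opened, not the path: accept only a regular
     * file with a single link, since a hard link can alias a file elsewhere. */
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
             fchown(fd, uid, gid) == 0; /* acts on the descriptor, no re-lookup */
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario: a scratch directory stands in for a group-writable token
 * directory. Returns 1 when only the plain regular file is accepted. */
int demo(void)
{
    char dir[] = "/tmp/tokdir-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int fd = openat(dfd, "object", O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (dfd < 0 || fd < 0)
        return -1;
    close(fd);
    uid_t u = geteuid(); gid_t g = getegid(); /* own ids, so no root is needed */
    int plain = reset_owner_nofollow(dfd, "object", u, g);        /* accepted */
    int made = symlinkat("object", dfd, "planted") == 0 &&
               linkat(dfd, "object", dfd, "alias", 0) == 0;
    int via_symlink = reset_owner_nofollow(dfd, "planted", u, g); /* refused */
    int via_hardlink = reset_owner_nofollow(dfd, "alias", u, g);  /* refused */
    unlinkat(dfd, "planted", 0);
    unlinkat(dfd, "alias", 0);
    unlinkat(dfd, "object", 0);
    close(dfd);
    rmdir(dir);
    return made && plain == 0 && via_symlink == -1 && via_hardlink == -1;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```

A path-based `chown()` on the same entries would resolve the symlink and act on its target, which is the behaviour the advisory describes.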
Update packages.
SRPMS
- opencryptoki-3.22.0-3.el8_10.2.src.rpm
Size: 1.79 MB
Asianux Server 8 for x86_64
- opencryptoki-3.22.0-3.el8_10.2.x86_64.rpm
Size: 233.68 kB
- opencryptoki-devel-3.22.0-3.el8_10.2.i686.rpm
Size: 38.70 kB
- opencryptoki-devel-3.22.0-3.el8_10.2.x86_64.rpm
Size: 38.66 kB
- opencryptoki-icsftok-3.22.0-3.el8_10.2.x86_64.rpm
Size: 345.86 kB
- opencryptoki-libs-3.22.0-3.el8_10.2.i686.rpm
Size: 98.12 kB
- opencryptoki-libs-3.22.0-3.el8_10.2.x86_64.rpm
Size: 101.02 kB
- opencryptoki-swtok-3.22.0-3.el8_10.2.x86_64.rpm
Size: 265.60 kB
- opencryptoki-tpmtok-3.22.0-3.el8_10.2.x86_64.rpm
Size: 281.44 kB