First published: Fri Nov 30 2018(Updated: )
A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.
Credit: security@mozilla.org security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/nspr | <0:4.21.0-1.el7 | 0:4.21.0-1.el7 |
redhat/nss | <0:3.44.0-4.el7 | 0:3.44.0-4.el7 |
redhat/nss-softokn | <0:3.44.0-5.el7 | 0:3.44.0-5.el7 |
redhat/nss-util | <0:3.44.0-3.el7 | 0:3.44.0-3.el7 |
Mozilla Network Security Services | <3.41 | |
redhat/nss | <3.36.6 | 3.36.6 |
redhat/nss | <3.40.1 | 3.40.1 |
Siemens RUGGEDCOM ROX MX5000 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX1400 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX1500 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX1501 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX1510 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX1511 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX500 | <2.14.0 | 2.14.0 |
debian/nss | 2:3.61-1+deb11u3 2:3.61-1+deb11u4 2:3.87.1-1 2:3.87.1-1+deb12u1 2:3.106-1 | |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2018-12404 is a vulnerability that allows for the decryption of encrypted content through a cached side channel attack during handshakes using RSA encryption.
All versions of NSS prior to NSS 3.41 are affected by CVE-2018-12404.
CVE-2018-12404 has a severity rating of 5.9, considered medium severity.
To fix CVE-2018-12404, update to NSS version 3.41 or later.
You can find more information about CVE-2018-12404 at the following references: [Mozilla NSS 3.36.6 Release Notes](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.6_release_notes), [CAT (Cryptographic Attacks Tests) - Cached RSA side channel attack](http://cat.eyalro.net/), [Mozilla NSS 3.40.1 Release Notes](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.40.1_release_notes).