First published: Tue Jan 07 2020(Updated: )
A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored.
Credit: security@mozilla.org security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/nspr | <0:4.25.0-2.el7_9 | 0:4.25.0-2.el7_9 |
redhat/nss | <0:3.53.1-3.el7_9 | 0:3.53.1-3.el7_9 |
redhat/nss-softokn | <0:3.53.1-6.el7_9 | 0:3.53.1-6.el7_9 |
redhat/nss-util | <0:3.53.1-1.el7_9 | 0:3.53.1-1.el7_9 |
redhat/nspr | <0:4.25.0-2.el8_2 | 0:4.25.0-2.el8_2 |
redhat/nss | <0:3.53.1-11.el8_2 | 0:3.53.1-11.el8_2 |
redhat/nss | <3.49 | 3.49 |
Mozilla Firefox | <72 | 72 |
Mozilla Firefox | <72.0 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =19.04 | |
Canonical Ubuntu Linux | =19.10 | |
Canonical Ubuntu Linux | =20.04 | |
Debian Debian Linux | =10.0 | |
debian/firefox | 133.0.3-1 | |
debian/nss | 2:3.61-1+deb11u3 2:3.61-1+deb11u4 2:3.87.1-1 2:3.87.1-1+deb12u1 2:3.106-1 | |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
(Found alongside the following vulnerabilities)
CVE-2019-17023 is a protocol downgrade vulnerability in Network Security Services (NSS) that allows for an invalid state transition in the TLS State Machine.
Mozilla Firefox versions up to 72 and Red Hat packages nss, nspr, nss-softokn, and nss-util versions up to 3.49, 4.25.0-2.el7_9, 3.53.1-3.el7_9, 3.53.1-6.el7_9, 3.53.1-1.el7_9, 4.25.0-2.el8_2, and 3.53.1-11.el8_2 are affected.
CVE-2019-17023 has a severity rating of 5.3 (medium).
To fix CVE-2019-17023, update Mozilla Firefox to version 72 or later, and update the affected Red Hat packages (nss, nspr, nss-softokn, nss-util) to versions 3.49, 4.25.0-2.el7_9, 3.53.1-3.el7_9, 3.53.1-6.el7_9, 3.53.1-1.el7_9, 4.25.0-2.el8_2, or 3.53.1-11.el8_2 or later.
You can find more information about CVE-2019-17023 on the Mozilla Bugzilla page at https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-17023.