CVE-2020-25648
First published: Mon Oct 12 2020(Updated: )
Mozilla Network Security Services (NSS), as used in Mozilla Firefox is vulnerable to a denial of service, caused by improper handling of CCS (ChangeCipherSpec) messages in TLS. By sending specially-crafted CCS messages, a remote attacker could exploit this vulnerability to cause the system to crash.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 | |
| Mozilla Network Security Services | <3.58 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Oracle Communications Offline Mediation Controller | =12.0.0.3.0 | |
| Oracle Communications Pricing Design Center | =12.0.0.3.0 | |
| Oracle Jd Edwards Enterpriseone Tools | <9.2.6.0 | |
| redhat/nss | <3.58 | 3.58 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361
- https://bugzilla.mozilla.org/show_bug.cgi?id=1641480
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes
- https://access.redhat.com/security/cve/cve-2020-25648
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1889579
- https://access.redhat.com/errata/RHSA-2021:1384
- https://access.redhat.com/errata/RHSA-2021:3572
- https://bugzilla.redhat.com/show_bug.cgi?id=1887319
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERA5SVJQXQMDGES7RIT4F4NQVLD35RXN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HRM53IQCPZT2US3M7JXTP6I6IBA5RGOD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RPOLN6DJUYQ3QBQEGLZGV73SNIPK7GHV/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/190416
- https://www.ibm.com/support/pages/node/6493729 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RPOLN6DJUYQ3QBQEGLZGV73SNIPK7GHV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRM53IQCPZT2US3M7JXTP6I6IBA5RGOD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERA5SVJQXQMDGES7RIT4F4NQVLD35RXN/
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2023/10/msg00039.html
Frequently Asked Questions
What is CVE-2020-25648?
CVE-2020-25648 is a vulnerability in Mozilla Network Security Services (NSS) as used in Mozilla Firefox that allows a remote attacker to cause a denial of service (DoS) for servers compiled with the NSS library.
What is the severity of CVE-2020-25648?
The severity of CVE-2020-25648 is high, with a CVSS score of 7.5.
Which systems or software are affected by CVE-2020-25648?
Systems or software compiled with the NSS library versions up to and excluding 3.58 are affected, including Redhat Enterprise Linux 7.0 and 8.0, Fedora 31, 32, and 33, Oracle Communications Offline Mediation Controller 12.0.0.3.0, Oracle Communications Pricing Design Center 12.0.0.3.0, and IBM Cloud Pak for Security (CP4S) versions up to and including 1.7.2.0, 1.7.1.0, and 1.7.0.0.
How does CVE-2020-25648 impact system availability?
CVE-2020-25648 can cause a denial of service (DoS) for servers compiled with the vulnerable NSS library versions.
Where can I find more information about CVE-2020-25648?
More information about CVE-2020-25648 can be found at the following references: [link1](https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361), [link2](https://bugzilla.mozilla.org/show_bug.cgi?id=1641480), [link3](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes).
- collector/nvd-index
- collector/nvd-api
- agent/author
- agent/references
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/description
- agent/severity
- agent/weakness
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25648
- agent/software-canonical-lookup
- collector/ibm-support
- source/IBM
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/mozilla
- canonical/mozilla network security services
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/oracle
- canonical/oracle communications offline mediation controller
- version/oracle communications offline mediation controller/12.0.0.3.0
- canonical/oracle communications pricing design center
- version/oracle communications pricing design center/12.0.0.3.0
- canonical/oracle jd edwards enterpriseone tools
- package-manager/redhat
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.7.2.0
- version/ibm cloud pak for security (cp4s)/1.7.1.0
- version/ibm cloud pak for security (cp4s)/1.7.0.0