CVE-2023-5388
First published: Thu Oct 12 2023(Updated: )
It was discovered that the numerical library used in NSS for RSA cryptography leaks information whether high order bits of the RSA decryption result are zero. This information can be used to mount a Bleichenbacher or Manger like attack against all RSA decryption operations. As the leak happens before any padding operations, it affects all padding modes: PKCS#1 v1.5, OAEP, and RSASVP. Both API level calls and TLS server operation are affected. References: <a href="https://people.redhat.com/~hkario/marvin/">https://people.redhat.com/~hkario/marvin/</a>
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | <124 | 124 |
| Mozilla Firefox ESR | <115.9 | 115.9 |
| Mozilla Thunderbird | <115.9 | 115.9 |
| redhat/firefox | <115.9 | 115.9 |
| redhat/thunderbird | <115.9 | 115.9 |
| F5 F5OS-A | =1.7.0 | |
| F5 Traffix SDC | =5.2.0=5.1.0 | |
| debian/firefox | 132.0.2-1 | |
| debian/firefox-esr | 115.14.0esr-1~deb11u1 128.4.0esr-1~deb11u1 128.3.1esr-1~deb12u1 128.4.0esr-1~deb12u1 128.3.1esr-2 128.4.0esr-1 | |
| debian/nss | <=2:3.61-1+deb11u3<=2:3.61-1+deb11u4<=2:3.87.1-1<=2:3.87.1-1+deb12u1 | 2:3.105-2 |
| debian/thunderbird | 1:115.12.0-1~deb11u1 1:128.4.3esr-1~deb11u1 1:115.16.0esr-1~deb12u1 1:128.4.0esr-1~deb12u1 1:128.4.2esr-1 1:128.4.3esr-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1780432
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-12/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html
- https://lists.debian.org/debian-lts-announce/2024/03/msg00028.html
- https://www.mozilla.org/security/advisories/mfsa2024-12/
- https://www.mozilla.org/security/advisories/mfsa2024-13/
- https://www.mozilla.org/security/advisories/mfsa2024-14/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-13/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-14/
- https://launchpad.net/bugs/cve/CVE-2023-5388
- https://people.redhat.com/~hkario/marvin/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2243660
- https://access.redhat.com/errata/RHSA-2024:0093
- https://access.redhat.com/errata/RHSA-2024:0107
- https://access.redhat.com/errata/RHSA-2024:0105
- https://access.redhat.com/errata/RHSA-2024:0106
- https://access.redhat.com/errata/RHSA-2024:0108
- https://access.redhat.com/errata/RHSA-2024:1483
- https://access.redhat.com/errata/RHSA-2024:1485
- https://access.redhat.com/errata/RHSA-2024:1484
- https://access.redhat.com/errata/RHSA-2024:1491
- https://access.redhat.com/errata/RHSA-2024:1490
- https://access.redhat.com/errata/RHSA-2024:1488
- https://access.redhat.com/errata/RHSA-2024:1487
- https://access.redhat.com/errata/RHSA-2024:1489
- https://access.redhat.com/errata/RHSA-2024:1499
- https://access.redhat.com/errata/RHSA-2024:1493
- https://access.redhat.com/errata/RHSA-2024:1495
- https://access.redhat.com/errata/RHSA-2024:1498
- https://access.redhat.com/errata/RHSA-2024:1494
- https://access.redhat.com/errata/RHSA-2024:1492
- https://access.redhat.com/errata/RHSA-2024:1486
- https://access.redhat.com/errata/RHSA-2024:1496
- https://access.redhat.com/errata/RHSA-2024:1497
- https://access.redhat.com/errata/RHSA-2024:1500
- https://bugzilla.redhat.com/show_bug.cgi?id=2243644
- https://my.f5.com/manage/s/article/K000139794
- https://git.rockylinux.org/staging/rpms/nss/-/commit/1f7f7523b61a2ada2f461548c4160fbbf979c5dd
- https://hg.mozilla.org/projects/nss/rev/196716d8377ab427e326f20bff2d026e90ac69e2
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-12/#CVE-2023-5388
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-13/#CVE-2023-5388
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-14/#CVE-2023-5388
- https://security-tracker.debian.org/tracker/CVE-2023-5388
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388
- https://nvd.nist.gov/vuln/detail/CVE-2023-5388
- https://ubuntu.com/security/CVE-2023-5388
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- agent/first-publish-date
- agent/type
- agent/author
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup
- agent/remedy
- agent/description
- collector/nvd-api
- source/NVD
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-5388
- collector/f5-advisory
- source/F5
- agent/severity
- agent/references
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/mozilla
- canonical/mozilla firefox
- canonical/mozilla firefox esr
- canonical/mozilla thunderbird
- package-manager/redhat
- vendor/f5
- canonical/f5 f5os-a
- version/f5 f5os-a/1.7.0
- canonical/f5 traffix sdc
- version/f5 traffix sdc/5.2.0
- version/f5 traffix sdc/5.1.0
- package-manager/debian