REDHAT-BUG-1242456
First published: Mon Jul 13 2015(Updated: )
It was discovered that the Elliptic Curve (EC) cryptography code as used in Mozilla NSS (Network Security Services) library and OpenJDK JCE (Java Cryptography Extension) component failed to properly validate EC parameters as used in ECDH_Derive() function, which performs ECDH (Elliptic Curve Diffie-Hellman) key derivation. A remote attacker could use this flaw to disclose sensitive information. The OpenJDK packages as shipped with Red Hat Enterprise Linux 5, 6 and 7 do not build the affected EC code and are therefore not directly affected. Future versions may provide EC support via NSS, see e.g. <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - ECC decode refactoring needed to build OpenJDK SunEC provider for ECC support" href="show_bug.cgi?id=1075702">bug 1075702</a>.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Network Security Services (NSS) | ||
| OpenJDK 17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1075702
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1051378&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1051378&action=edit
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
- https://bugzilla.mozilla.org/show_bug.cgi?id=380351
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/dcc75a75d3a3
- https://rhn.redhat.com/errata/RHSA-2015-1242.html
- https://rhn.redhat.com/errata/RHSA-2015-1241.html
- https://rhn.redhat.com/errata/RHSA-2015-1485.html
- https://rhn.redhat.com/errata/RHSA-2015-1488.html
- https://hg.mozilla.org/projects/nss/rev/a3a37589ba7d
- https://bugzilla.redhat.com/show_bug.cgi?id=1242456
Frequently Asked Questions
What is the severity of REDHAT-BUG-1242456?
The severity of REDHAT-BUG-1242456 is considered high due to improper validation in the cryptography code.
How do I fix REDHAT-BUG-1242456?
Fix REDHAT-BUG-1242456 by updating the affected versions of Mozilla NSS and Oracle OpenJDK to the latest secure releases.
What impact does REDHAT-BUG-1242456 have on my system?
REDHAT-BUG-1242456 may allow attackers to exploit the improper validation of EC parameters, potentially compromising secure communications.
Which software is affected by REDHAT-BUG-1242456?
The affected software for REDHAT-BUG-1242456 includes Mozilla Network Security Services (NSS) and Oracle OpenJDK.
Is there a workaround for REDHAT-BUG-1242456?
There is no specific workaround for REDHAT-BUG-1242456; the recommended action is to apply the available patch or update.
- collector/redhat-bugzilla
- alias/CVE-2015-2613
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/severity
- agent/description
- agent/event
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/mozilla
- canonical/mozilla network security services (nss)
- vendor/oracle
- canonical/openjdk 17