CVSS: 5.9EPSS: 4%CPEs: 1EXPL: 0CVE-2018-12384 – nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello
https://notcve.org/view.php?id=CVE-2018-12384
When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3. Cuando se maneja una petición ClientHello compatible con SSLv2, el servidor no genera un nuevo valor aleatorio, sino que envía un valor All-Zero en su lugar. Esto conlleva a una maleabilidad completa del ClientHello para SSLv2 usado para TLS 1.2 en todas las versiones anteriores a NSS 3.39. • https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384 https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://access.redhat.com/security/cve/CVE-2018-12384 https://bugzilla.redhat.com/show_bug.cgi?id=1622089 • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) •
CVSS: 7.5EPSS: 4%CPEs: 18EXPL: 0CVE-2017-7502 – nss: Null pointer dereference when handling empty SSLv2 messages
https://notcve.org/view.php?id=CVE-2017-7502
Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by remote attacker. Se ha encontrado una vulnerabilidad de desreferencia de puntero NULL en NSS desde la versión 3.24.0 en la que el servidor recibe mensajes SSLv2 vacíos, lo que da lugar a una denegación de servicio (DoS) por parte de atacantes remotos. A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. • http://www.debian.org/security/2017/dsa-3872 http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.securityfocus.com/bid/98744 http://www.securitytracker.com/id/1038579 https://access.redhat.com/errata/RHSA-2017:1364 https://access.redhat.com/errata/RHSA-2017:1365 https://access.redhat.com/errata/RHSA-2017:1567 https://access.redhat.com/errata/RHSA-2017:1712 https://hg.mozilla.org/projects/nss/rev/55ea60effd0d https://access.redhat.com/security • CWE-476: NULL Pointer Dereference •