Lucene search

K
amazonAmazonALAS-2015-569
HistoryJul 22, 2015 - 10:00 a.m.

Medium: nss, nss-util

2015-07-2210:00:00
alas.aws.amazon.com
26

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.975 High

EPSS

Percentile

100.0%

Issue Overview:

A flaw was found in the way the TLS protocol composes the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them do decrypt all traffic. (CVE-2015-4000)

Please note that this update forces the TLS/SSL client implementation in NSS to reject DH key sizes below 768 bits, which prevents sessions to be downgraded to export-grade keys. Future updates may raise this limit to 1024 bits.

Affected Packages:

nss, nss-util

Issue Correction:
Run yum update nss nss-util to update your system.

New Packages:

i686:  
    nss-util-3.19.1-1.41.amzn1.i686  
    nss-util-devel-3.19.1-1.41.amzn1.i686  
    nss-util-debuginfo-3.19.1-1.41.amzn1.i686  
    nss-sysinit-3.19.1-3.71.amzn1.i686  
    nss-tools-3.19.1-3.71.amzn1.i686  
    nss-devel-3.19.1-3.71.amzn1.i686  
    nss-pkcs11-devel-3.19.1-3.71.amzn1.i686  
    nss-3.19.1-3.71.amzn1.i686  
    nss-debuginfo-3.19.1-3.71.amzn1.i686  
  
src:  
    nss-util-3.19.1-1.41.amzn1.src  
    nss-3.19.1-3.71.amzn1.src  
  
x86_64:  
    nss-util-debuginfo-3.19.1-1.41.amzn1.x86_64  
    nss-util-3.19.1-1.41.amzn1.x86_64  
    nss-util-devel-3.19.1-1.41.amzn1.x86_64  
    nss-pkcs11-devel-3.19.1-3.71.amzn1.x86_64  
    nss-tools-3.19.1-3.71.amzn1.x86_64  
    nss-devel-3.19.1-3.71.amzn1.x86_64  
    nss-sysinit-3.19.1-3.71.amzn1.x86_64  
    nss-3.19.1-3.71.amzn1.x86_64  
    nss-debuginfo-3.19.1-3.71.amzn1.x86_64  

Additional References

Red Hat: CVE-2015-4000

Mitre: CVE-2015-4000

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.975 High

EPSS

Percentile

100.0%

Related for ALAS-2015-569