CVE-2018-12384

Published: 29/04/2019 Updated: 24/08/2020
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

When handling an SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.

Vulnerable Product

mozilla network security services

Vendor Advisories

Debian Bug report logs - #908332 nss: CVE-2018-12384: ServerHello.random is all zero when handling a v2-compatible ClientHello. Package: src:nss; Maintainer for src:nss is Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 8 S ...
Several security issues were fixed in NSS ...
Synopsis: Moderate: nss security update. Type/Severity: Security Advisory: Moderate. Topic: An update for nss is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which give ...
Synopsis: Moderate: nss security update. Type/Severity: Security Advisory: Moderate. Topic: An update for nss is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which give ...
Synopsis: Critical: Red Hat Ansible Tower 3.3.1-2 Release - Container Image. Type/Severity: Security Advisory: Critical. Topic: Security Advisory. Description: Red Hat Ansible Tower 3.3.1 is now available and contains the following bug fixes: Fixed event callback error when in-line vaulted variabl ...
A flaw was found in the way NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. A man-in-the-middle attacker could use this flaw in a passive replay attack. (CVE-2018-12384) ...
Impact: Moderate. Public Date: 2018-09-03. Bugzilla: 1622089: CVE-2018-12384 nss: ServerHello.random is al ...

Github Repositories

script to manage ca-certificates.

Updating the CA trust list in RHEL. Author: Kai Engert. Date: August/September/October 2018. Contents: Introduction; Distribution mechanics; Related background information; Script certdata-upstream-to-certdata-rhel.py; RHEL 5; App A: Script doit.sh; App B: Script sort-bundle.py; App C: 2019 Update with new scripts. Introduction: In RHEL we ship Mozill