CVE-2020-12403: Critical severity ibm cognos analytics vulnerability

Q: What is CVE-2020-12403?

CVE-2020-12403 is a vulnerability in Mozilla Network Security Services (NSS) that can allow a remote attacker to obtain sensitive information.

Q: How severe is CVE-2020-12403?

CVE-2020-12403 has a severity rating of 9.1 (Critical).

Q: What is the affected software by CVE-2020-12403?

The affected software by CVE-2020-12403 includes Mozilla Firefox, IBM Cloud Pak for Security (CP4S), and Red Hat packages: nss, nspr, nss-softokn, and nss-util with specific versions.

Q: How can a remote attacker exploit CVE-2020-12403?

A remote attacker can exploit CVE-2020-12403 by persuading a victim to visit a specially-crafted website.

Q: Where can I find more information about CVE-2020-12403?

You can find more information about CVE-2020-12403 at the following references: [Link 1](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1636771), [Link 2](https://access.redhat.com/security/cve/CVE-2020-12403), [Link 3](https://bugzilla.mozilla.org/show_bug.cgi?id=1636771).

Published Jul 27, 2020

Updated

A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.

Other sources

A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.

As per upstream:

Bug 1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length. This was fixed in nss-3.55

Upstream bug: (currently private) https://bugzilla.mozilla.org/showbug.cgi?id=1636771

Upstream patchset: https://hg.mozilla.org/projects/nss/rev/f282556e6cc7715f5754aeaadda6f902590e7e38 https://hg.mozilla.org/projects/nss/rev/c25adfdfab34ddb08d3262aac3242e3399de1095

— Red Hat

Mozilla Network Security Services (NSS), as used in Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the implementation of CHACHA20-POLY1305 decryption with undersized tag. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using multi-part Chacha20 to trigger an out-of-bounds read and obtain sensitive information.

— IBM

Affected Software

13 affected componentsFixes available

redhat/nspr<0:4.25.0-2.el7_9

0:4.25.0-2.el7_9

redhat/nss<0:3.53.1-3.el7_9

0:3.53.1-3.el7_9

redhat/nss-softokn<0:3.53.1-6.el7_9

0:3.53.1-6.el7_9

redhat/nss-util<0:3.53.1-1.el7_9

0:3.53.1-1.el7_9

redhat/nss-softokn<0:3.28.3-10.el7_4

0:3.28.3-10.el7_4

redhat/nss<0:3.36.0-9.el7_6

0:3.36.0-9.el7_6

redhat/nss-softokn<0:3.36.0-7.el7_6

0:3.36.0-7.el7_6

redhat/nss-softokn<0:3.44.0-9.el7_7

0:3.44.0-9.el7_7

redhat/nss<0:3.53.1-17.el8_3

0:3.53.1-17.el8_3

redhat/nss<3.55

3.55

IBM Cognos Analytics<=12.0.0-12.0.3

IBM Cognos Analytics<=11.2.0-11.2.4 FP4

Mozilla nSS<3.55

Remediation

Patch Available

https://bugzilla.redhat.com/show_bug.cgi?id=1868931

Event History

Jul 27, 2020

CVE Published

12:00 AM

May 27, 2021

CVE Published

via MITRE·12:00 AM

Data Sourced

via MITRE·12:00 AM

DescriptionWeakness

Parent advisories

This vulnerability appears in the following advisories.

Frequently Asked Questions

What is CVE-2020-12403?

CVE-2020-12403 is a vulnerability in Mozilla Network Security Services (NSS) that can allow a remote attacker to obtain sensitive information.

How severe is CVE-2020-12403?