Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2023-45237: edk2, ovmf: Use of a Weak PseudoRandom Number Generator | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Joey Lee <jlee> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | camila.matos, jlee, meissner, stoyan.manolov |
| Version: | unspecified | Flags: | stoyan.manolov: needinfo? (jlee) |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/391385/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-45237:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
SMASH SMASH
2024-01-17 04:49:31 UTC
EDK2 doesn't have a patch yet: https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h

9. CVE-2023-45237 CVSS 5.3 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

...

Mitigation release plan

Patch files for vulnerabilities 1-7 are available now via https://bugzilla.tianocore.org/show_bug.cgi?id=4518. These patches will be integrated for the Feb 2024 EDK2 release. For vulnerabilities 8 and 9, patches do not exist at this time. We are not aware of any exploits for vulnerabilities 8 and 9, either in the wild or in the lab. Exposure is limited to PXE boot or HTTP boot on an untrusted network, which is not a recommended usage for the UEFI network stack. This GHSA will be updated when fixes become available.