Bug 2212841 (CVE-2023-34414)
| Summary: | CVE-2023-34414 Mozilla: Click-jacking certificate exceptions through rendering lag | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abobrov, elima, erack, jhorak, nobody, stransky, tpopela |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | firefox 102.12, thunderbird 102.12 | Doc Type: | --- |
| Doc Text: |
The Mozilla Foundation Security Advisory describes this flaw as:
The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-06-14 23:37:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2210994, 2210995, 2210996, 2210997, 2210998, 2210999, 2211000, 2211001, 2211002, 2211003, 2211007, 2211008, 2211009, 2211010, 2211012, 2211013, 2211014, 2211015, 2211016, 2211017, 2211627, 2211630 | ||
| Bug Blocks: | 2210992 | ||
|
Description
Dhananjay Arunesh
2023-06-06 14:06:20 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:3560 https://access.redhat.com/errata/RHSA-2023:3560 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:3561 https://access.redhat.com/errata/RHSA-2023:3561 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:3564 https://access.redhat.com/errata/RHSA-2023:3564 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:3562 https://access.redhat.com/errata/RHSA-2023:3562 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:3567 https://access.redhat.com/errata/RHSA-2023:3567 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:3565 https://access.redhat.com/errata/RHSA-2023:3565 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:3563 https://access.redhat.com/errata/RHSA-2023:3563 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:3566 https://access.redhat.com/errata/RHSA-2023:3566 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:3578 https://access.redhat.com/errata/RHSA-2023:3578 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:3579 https://access.redhat.com/errata/RHSA-2023:3579 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3587 https://access.redhat.com/errata/RHSA-2023:3587 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3589 https://access.redhat.com/errata/RHSA-2023:3589 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3588 https://access.redhat.com/errata/RHSA-2023:3588 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3590 https://access.redhat.com/errata/RHSA-2023:3590 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:3596 https://access.redhat.com/errata/RHSA-2023:3596 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:3597 https://access.redhat.com/errata/RHSA-2023:3597 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-34414 |