Bug 2344005 (CVE-2025-23419)
| Summary: | CVE-2025-23419 nginx: TLS Session Resumption Vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | brking, caswilli, davidn, haoli, hkataria, jajackso, jcammara, jmitchel, jneedle, kaycoth, kegrant, koliveir, kshier, mabashia, pbraun, shvarugh, simaishi, smcdonal, stcannon, teagle, tfister, thavo, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in nginx. When name-based virtual hosts are configured to share the same IP address and port combination with TLS 1.3 and OpenSSL, a previously authenticated attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS session tickets are used, the SSL session cache is used in the default virtual server, and the default virtual server performs client certificate authentication.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2344197, 2344198 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2025-02-05 18:01:21 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:7331 https://access.redhat.com/errata/RHSA-2025:7331 |