{
  "threat_severity" : "Moderate",
  "public_date" : "2024-01-16T00:00:00Z",
  "bugzilla" : {
    "description" : "edk2: Use of a Weak PseudoRandom Number Generator",
    "id" : "2258706",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2258706"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-338",
  "details" : [ "EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This\nvulnerability can be exploited by an attacker to gain unauthorized\naccess and potentially lead to a loss of confidentiality.", "A security flaw has been identified in the cryptographic system of EDK2, the open-source reference implementation of the UEFI specification. This vulnerability enables an unauthorized remote attacker to potentially expose sensitive information." ],
  "statement" : "The identified flaw in the NetworkPkg IP stack within EDK2, an open-source UEFI implementation, poses a moderate security concern, as the vulnerability allows an unauthenticated attacker within the same local network to exploit it via a specially crafted Destination Options IPv6 header.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5297",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "edk2-0:20220126gitbb1bba3d77-13.el8_10.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-07-23T00:00:00Z",
    "advisory" : "RHSA-2024:4749",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "edk2-0:20231122-6.el9_4.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-07-09T00:00:00Z",
    "advisory" : "RHSA-2024:4419",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "edk2-0:20221207gitfff6d81270b5-9.el9_2.3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-45237\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-45237\nhttps://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html\nhttps://github.com/advisories/GHSA-fxqf-p2p3-gxvr" ],
  "name" : "CVE-2023-45237",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}