Comment # 3 on bug 1218887 from Joey Lee
EDK2 doesn't have a patch yet:

https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h

9. CVE-2023-45237
    CVSS 5.3 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
...
Mitigation release plan

Patch files for vulnerabilities 1-7 are available now via
https://bugzilla.tianocore.org/show_bug.cgi?id=4518. These patches will be
integrated for the Feb 2024 EDK2 release.

For vulnerabilities 8 and 9, patches do not exist at this time. We are not
aware of any exploits for vulnerabilities 8 and 9, either in the wild or in the
lab. Exposure is limited to PXE boot or HTTP boot on an untrusted network,
which is not a recommended usage for the UEFI network stack.
This GHSA will be updated when fixes become available.

