CVE-2019-9815Observable Discrepancy in Mozilla Firefox

CWE-203Observable DiscrepancyCWE-385Covert Timing Channel6 documents6 sources
Severity
8.1HIGHNVD
EPSS
1.0%
top 22.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird+3 more
Timeline
PublishedJul 23
Latest updateMay 24

Description

If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.5 in order to take advantage of this change.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages9 packages

CVEListV5mozilla/firefoxunspecified67
NVDmozilla/firefox< 67.0
CVEListV5mozilla/firefox_esrunspecified60.7

🔴Vulnerability Details

2
GHSA
GHSA-crxf-6fx4-jr2j: If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks2022-05-24
OSV
CVE-2019-9815: If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks2019-07-23

📋Vendor Advisories

2
Red Hat
Mozilla: Disable hyperthreading on content JavaScript threads on macOS2019-05-22
Debian
CVE-2019-9815: firefox - If hyperthreading is not disabled, a timing attack vulnerability exists, similar...2019

💬Community

1
Bugzilla
CVE-2019-9815 Mozilla: Disable hyperthreading on content JavaScript threads on macOS2019-05-22