CVE-2021-43527

Опубликовано: 08 дек. 2021

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. Note: This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.

Ссылки

https://bugzilla.mozilla.org/show_bug.cgi?id=1737470
Issue Tracking
Permissions Required
Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-594438.pdf
Third Party Advisory
https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_68_1_RTM/
Vendor Advisory
https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_73_RTM/
Vendor Advisory
https://security.gentoo.org/glsa/202212-05
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211229-0002/
Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2021-51/
Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.starwindsoftware.com/security/sw-20220802-0001/
Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1737470
Issue Tracking
Permissions Required
Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-594438.pdf
Third Party Advisory
https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_68_1_RTM/
Vendor Advisory
https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_73_RTM/
Vendor Advisory
https://security.gentoo.org/glsa/202212-05
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211229-0002/
Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2021-51/
Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.starwindsoftware.com/security/sw-20220802-0001/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:mozilla:nss:*:*:*:*:*:*:*:*

Версия до 3.73 (исключая)

cpe:2.3:a:mozilla:nss_esr:*:*:*:*:*:*:*:*

Версия до 3.68.1 (исключая)

Конфигурация 2

Одно из

cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*

Версия от 11.0 (включая) до 11.70.1 (включая)

Конфигурация 3

Одно из

cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:starwindsoftware:starwind_san_\&_nas:v8r13:*:*:*:*:*:*:*

cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8r13:14398:*:*:*:*:*:*

EPSS

Процентиль: 90%

0.0538

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-787

Связанные уязвимости

CVE-2021-43527

CVSS3: 9.8

ubuntu

около 4 лет назад

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.

CVE-2021-43527

CVSS3: 9.8

redhat

около 4 лет назад

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.

CVE-2021-43527

CVSS3: 9.8

msrc

около 4 лет назад

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS S/MIME PKCS \#7 or PKCS \#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS X.509 OCSP or CRL functionality may be impacted depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However email clients and PDF viewers that use NSS for signature verification such as Thunderbird LibreOffice Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.

CVE-2021-43527

CVSS3: 9.8

debian

около 4 лет назад

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR a ...

openSUSE-SU-2021:3934-1

suse-cvrf

около 4 лет назад

Security update for mozilla-nss

EPSS

Процентиль: 90%

0.0538

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-787