Cisco Bug: CSCul88594 - NSS and NSPR DoS and Arbitrary Code Execution Vulnerabilities

Last Modified

Jan 30, 2020

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

9.1(2.10000.9)

Description (partial)

Symptom:
Cisco Unified Communications Manager (CallManager) includes a version
of Mozilla Network Security Services (NSS) that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2013-5605: Mozilla Network Security Services (NSS) 3.14 before
3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
invalid handshake packets. This was classified by the vendor as having
a CVSS v2 Base Score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

CVE-2013-1739: Mozilla Network Security Services (NSS) before 3.15.2
does not ensure that data structures are initialized before read
operations, which allows remote attackers to cause a denial of service
or possibly have unspecified other impact via vectors that trigger a
decryption failure. This was classified by the vendor as having a CVSS
v2 Base Score of 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P).

CVE-2013-1741: Mozilla Network Security Services (NSS) 3.14 before
3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
invalid handshake packets. This was classified by the vendor as
having a CVSS v2 Base Score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

CVE-2013-5607: Integer overflow in the PL_ArenaAllocate function in
Mozilla Netscape Portable Runtime (NSPR) before 4.10.2 allows remote
attackers to cause a denial of service (application crash) or possibly
have unspecified other impact via a crafted X.509 certificate, a
related issue to CVE-2013-1741. This was classified by the vendor as
having a CVSS v2 Base Score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

CVE-2013-5606: The CERT_VerifyCert function in lib/certhigh/certvfy.c
in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides
an unexpected return value for an incompatible key-usage certificate
when the CERTVerifyLog argument is valid, which might allow remote
attackers to bypass intended access restrictions via a crafted
certificate. This was classified by the vendor as having a CVSS v2 Base
Score of 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N).

This bug was opened to address the potential impact on this product.

Conditions:
Cisco Unified Communications Manager (CallManager) running affected
versions of NSS and NSPR.
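
One way to check an NSS/NSPR version pair against the ranges quoted in the CVE descriptions above. This is an added example, not Cisco's or Mozilla's code; the function names and the sample version strings are assumptions, and the page does not state which NSS or NSPR version the product bundles.

```python
import re

# Affected ranges transcribed from the CVE descriptions on this page.
# Each range is (lower bound inclusive, upper bound exclusive); a lower
# bound of None means "any version before the upper bound".
AFFECTED = [
    ("CVE-2013-5605", "nss",  [("3.14", "3.14.5"), ("3.15", "3.15.3")]),
    ("CVE-2013-1739", "nss",  [(None, "3.15.2")]),
    ("CVE-2013-1741", "nss",  [("3.14", "3.14.5"), ("3.15", "3.15.3")]),
    ("CVE-2013-5607", "nspr", [(None, "4.10.2")]),
    ("CVE-2013-5606", "nss",  [("3.15", "3.15.3")]),
]

def parse_version(text):
    """Return the leading dotted-numeric part of a version as a 4-tuple.

    Padding with zeros makes "3.14" and "3.14.0" compare equal, and a
    package-style suffix such as "-4.el6" is ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def applicable_cves(nss_version, nspr_version):
    """List the page's CVE IDs whose stated range covers the given versions."""
    installed = {"nss": parse_version(nss_version),
                 "nspr": parse_version(nspr_version)}
    hits = []
    for cve, component, ranges in AFFECTED:
        v = installed[component]
        for low, high in ranges:
            above_low = low is None or parse_version(low) <= v
            if above_low and v < parse_version(high):
                hits.append(cve)
                break
    return hits

if __name__ == "__main__":
    # Constructed sample versions, not taken from any product release.
    for nss, nspr in [("3.14.3", "4.10.1"), ("3.15.2", "4.10.2"),
                      ("3.15.3", "4.10.2")]:
        print(nss, nspr, applicable_cves(nss, nspr) or "none listed")
```

Vendor builds can carry backported fixes without changing the upstream version number, so a hit means the build needs checking against the vendor's fixed-release information rather than proving exposure.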