Cisco Bug: CSCuq45937 - PCA: NSS/NSPR Vulnerabilities
Last Modified
Jan 30, 2020
Products (2)
- Cisco Prime Collaboration
- Cisco Prime Collaboration 10.6
Known Affected Releases
10.6
Description (partial)
Symptoms: Cisco Prime Collaboration Manager contains a version of Mozilla Netwok Security Services (NSS) that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. This has been classified by the vendor as having a CVSSv2 score of 4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N) CVE-2013-1739: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. This has been classified by the vendor as having a CVSSv2 score of 5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P) CVE-2013-1741: Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value. This has been classified by the vendor as having a CVSSv2 score of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P) CVE-2013-5605: Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets. This has been classified by the vendor as having a CVSSv2 score of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P) CVE-2013-5606: The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate. This has been classified by the vendor as having a CVSSv2 score of 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N) CVE-2013-5607: Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741. This has been classified by the vendor as having a CVSSv2 score of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P) CVE-2014-1544: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain. This has been classified by the vendor as having a CVSSv2 score of 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) This bug was opened to address the potential impact on this product. Conditions: Running version of the software prior to the Known Fixed Releases
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Status
- Severity
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases