Cisco Bug: CSCuq45937 - PCA: NSS/NSPR Vulnerabilities

Last Modified

Aug 06, 2018

Products (2)

  • Cisco Prime Collaboration
  • Cisco Prime Collaboration 10.6

Known Affected Releases

10.6

Description (partial)

Symptoms:
Cisco Prime Collaboration Manager contains a version of Mozilla Network Security Services (NSS) that is
affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider
timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC
padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via
statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. This has been
classified by the vendor as having a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N).

CVE-2013-1739: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are
initialized before read operations, which allows remote attackers to cause a denial of service or possibly
have unspecified other impact via vectors that trigger a decryption failure. This has been classified by the
vendor as having a CVSSv2 score of 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P).

CVE-2013-1741: Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote
attackers to cause a denial of service or possibly have unspecified other impact via a large size value. This
has been classified by the vendor as having a CVSSv2 score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

CVE-2013-5605: Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote
attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake
packets. This has been classified by the vendor as having a CVSSv2 score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

CVE-2013-5606: The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services
(NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when
the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions
via a crafted certificate. This has been classified by the vendor as having a CVSSv2 score of 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N).

CVE-2013-5607: Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR)
before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and
SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly
have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741. This has been
classified by the vendor as having a CVSSv2 score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

CVE-2014-1544: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla
Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and
Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain
improper removal of an NSSCertificate structure from a trust domain. This has been classified by the vendor as
having a CVSSv2 score of 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C).

This bug was opened to address the potential impact on this product.

Conditions:
Running a version of the software prior to the Known Fixed Releases.