Recently, Mozilla issued a risk notice for a heap buffer overflow in Mozilla Network Security Services (NSS). A remote code execution flaw was found in the way NSS verifies certificates. This flaw allows an attacker posing as an SSL/TLS server to trigger a heap overflow in a client application compiled with NSS when that client attempts to initiate an SSL/TLS connection. Similarly, when a server application compiled with NSS processes client certificates, the same heap overflow can be triggered.
Detected vulnerability
- Vulnerability ID: CVE-2021-43527
- Vulnerability severity: high
- Affected versions: NSS versions earlier than 3.73, and NSS ESR versions earlier than 3.68.1
Details
NSS is a set of libraries that support cross-platform development of security-enabled client and server applications. It provides optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side.
- Applications that use NSS to handle signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 may be impacted.
- Applications that use NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted.
Security suggestions
Update the nss package to a fixed version (3.73 or later, or 3.68.1 ESR or later). On yum-based systems:
yum clean all && yum install -y nss
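The following check is an added example, not part of the advisory and not Alibaba Cloud or Mozilla code. It encodes the affected range stated above (mainline below 3.73, ESR below 3.68.1) and evaluates installed NSS package versions against it, so a host can be confirmed before and after the update. The package strings in SAMPLE_PACKAGES are constructed examples; the optional rpm query assumes an RPM-based system like the one the yum command targets.

```python
import re
import subprocess

# Fix versions stated in the advisory for CVE-2021-43527:
# mainline 3.73, and 3.68.1 on the 3.68.x ESR branch.
FIXED_MAINLINE_MINOR = 73
ESR_BRANCH_MINOR = 68
FIXED_ESR_PATCH = 1


def parse_nss_version(text):
    """Extract (major, minor, patch) from an NSS version string.

    Accepts plain upstream strings such as "3.68.1" and distribution package
    names such as "nss-3.67.0-4.el8_4.x86_64" (constructed examples).
    Returns None when no version is present.
    """
    m = re.search(r'(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?', text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_vulnerable(version):
    """True if the upstream version falls inside the advisory's affected range."""
    major, minor, patch = version
    if major > 3:
        return False          # no such releases at the time of the advisory; treat as newer than the fix
    if major < 3:
        return True           # pre-3.x NSS predates the fix
    if minor >= FIXED_MAINLINE_MINOR:
        return False          # 3.73 and later
    if minor == ESR_BRANCH_MINOR and patch >= FIXED_ESR_PATCH:
        return False          # 3.68.1 ESR and later 3.68.x backports
    return True


def assess(package_strings):
    """Return [(package_string, vulnerable)] where vulnerable is True/False,
    or None when no version could be parsed."""
    results = []
    for pkg in package_strings:
        version = parse_nss_version(pkg)
        results.append((pkg, None if version is None else is_vulnerable(version)))
    return results


def installed_nss_packages():
    """Query the installed nss package via rpm; returns [] if rpm is absent
    or the package is not installed."""
    try:
        out = subprocess.run(['rpm', '-q', 'nss'], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return []
    return [line.strip() for line in out.splitlines()
            if line.strip() and 'is not installed' not in line]


# Constructed package names covering each side of the fixed boundaries.
SAMPLE_PACKAGES = [
    "nss-3.67.0-4.el8_4.x86_64",   # below the ESR fix: vulnerable
    "nss-3.68.1-1.el8.x86_64",     # 3.68.1 ESR: fixed
    "nss-3.71.0-1.el8.x86_64",     # mainline below 3.73: vulnerable
    "nss-3.73.0-1.el8.x86_64",     # 3.73: fixed
]

if __name__ == '__main__':
    # Use the real host inventory when available, otherwise the constructed samples.
    packages = installed_nss_packages() or SAMPLE_PACKAGES
    for pkg, vulnerable in assess(packages):
        status = {True: 'VULNERABLE', False: 'fixed', None: 'unknown version'}[vulnerable]
        print(f'{pkg}: {status}')
```

One caveat for distribution packages: vendors often backport a fix without raising the upstream version number, so a package string below 3.73 is not proof of exposure. On RPM systems, `rpm -q --changelog nss` lists the fixed CVE identifiers; a CVE-2021-43527 entry there means the backport is present even if this version check reports the package as vulnerable.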
References
Mozilla Bugzilla, Bug 1737470 - Ensure DER encoded signatures are within size limits.
Announcing party
Alibaba Cloud Computing Co., Ltd.