Main Vulnerability Database SB2016112801

SB2016112801 - Denial of service in Mozilla NSS

Published: November 28, 2016

Security Bulletin ID SB2016112801

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper input validation (CVE-ID: CVE-2016-9574)

The vulnerability allows a remote attacker to cause DoS condition on the target system..

The vulnerability exists in the Mozilla Network Security Services (NSS) library due to improper handling of session handshake packets when the affected software uses a SessionTicket extension and Elliptic Curve Diffie-Hellman Exchange-Elliptic Curve Digital Signature Algorithm (ECDHE-ECDSA) certificates. A remote attacker can send specially crafted packets that submit malicious input to an application on a targeted system that has been compiled with the vulnerable library and cause the server application to crash.

Remediation

Install update from vendor's website.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1320695