Ubuntu update for NSS



| Updated: 2017-06-29
Risk Low
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2016-5285
CVE-2016-8635
CVE-2016-9074
CWE-ID CWE-20
CWE-310
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Ubuntu
Operating systems & Components / Operating system

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU4083

Risk: Low

CVSSv4.0: N/A

CVE-ID: CVE-2016-5285

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

It was discovered that NSS incorrectly handled certain invalid Diffie-Hellman keys. A remote attacker could possibly use this flaw to cause NSS to crash, resulting in a denial of service.

Mitigation

Update the affected packages.

Ubuntu 16.10:
libnss3 2:3.26.2-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
libnss3 2:3.26.2-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
libnss3 2:3.26.2-0ubuntu0.14.04.3
Ubuntu 12.04 LTS:
libnss3 2:3.26.2-0ubuntu0.12.04.1

Vulnerable software versions

Ubuntu: 12.04 - 16.10

CPE2.3 External links

https://www.ubuntu.com/usn/usn-3163-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU4084

Risk: Low

CVSSv4.0: N/A

CVE-ID: CVE-2016-8635

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

Hubert Kario discovered that NSS incorrectly handled Diffie Hellman client key exchanges. A remote attacker could possibly use this flaw to perform a small subgroup confinement attack and recover private keys.

Mitigation

Update the affected packages.

Ubuntu 16.10:
libnss3 2:3.26.2-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
libnss3 2:3.26.2-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
libnss3 2:3.26.2-0ubuntu0.14.04.3
Ubuntu 12.04 LTS:
libnss3 2:3.26.2-0ubuntu0.12.04.1

Vulnerable software versions

Ubuntu: 12.04 - 16.10

CPE2.3
External links

https://www.ubuntu.com/usn/usn-3163-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information disclosure

EUVDB-ID: #VU2243

Risk: Low

CVSSv4.0: N/A

CVE-ID: CVE-2016-9074

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

Franziskus Kiefer discovered that NSS incorrectly mitigated certain timing side-channel attacks. A remote attacker could possibly use this flaw to recover private keys.

Mitigation

Update the affected packages.

Ubuntu 16.10:
libnss3 2:3.26.2-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
libnss3 2:3.26.2-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
libnss3 2:3.26.2-0ubuntu0.14.04.3
Ubuntu 12.04 LTS:
libnss3 2:3.26.2-0ubuntu0.12.04.1

Vulnerable software versions

Ubuntu: 12.04 - 16.10

CPE2.3
External links

https://www.ubuntu.com/usn/usn-3163-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###