#VU33644 Buffer overflow - CVE-2015-7183
Vulnerability identifier: #VU33644
Vulnerability risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-119
Exploitation vector: Network
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.
Mitigation
Install update from vendor's website.
External links
https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html
https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html
https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00020.html
https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00021.html
https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html
https://lists.opensuse.org/opensuse-updates/2015-12/msg00037.html
https://lists.opensuse.org/opensuse-updates/2015-12/msg00049.html
https://packetstormsecurity.com/files/134268/Slackware-Security-Advisory-mozilla-nss-Updates.html
https://rhn.redhat.com/errata/RHSA-2015-1980.html
https://rhn.redhat.com/errata/RHSA-2015-1981.html
https://www.debian.org/security/2015/dsa-3393
https://www.debian.org/security/2015/dsa-3406
https://www.mozilla.org/security/announce/2015/mfsa2015-133.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
https://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
https://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
https://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
https://www.securityfocus.com/bid/77415
https://www.securityfocus.com/bid/91787
https://www.securitytracker.com/id/1034069
https://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.399753
https://www.ubuntu.com/usn/USN-2785-1
https://www.ubuntu.com/usn/USN-2790-1
https://www.ubuntu.com/usn/USN-2819-1
https://bto.bluecoat.com/security-advisory/sa119
https://bugzilla.mozilla.org/show_bug.cgi?id=1205157
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.4_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.1_release_notes
https://security.gentoo.org/glsa/201512-10
https://security.gentoo.org/glsa/201605-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
