#VU33810 Input validation error in Mozilla NSS - CVE-2016-2834

Cybersecurity Help s.r.o.

Published: 2016-06-13 | Updated: 2020-08-04

Vulnerability identifier: #VU33810

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-2834

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla NSS
Universal components / Libraries / Libraries used by multiple products

Vendor: Mozilla

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Mozilla NSS: 3.13.4 - 3.19.2.3

External links
https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00014.html
https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.html
https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00055.html
https://rhn.redhat.com/errata/RHSA-2016-2779.html
https://www.debian.org/security/2016/dsa-3688
https://www.mozilla.org/security/announce/2016/mfsa2016-61.html
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://www.securityfocus.com/bid/91072
https://www.securitytracker.com/id/1036057
https://www.ubuntu.com/usn/USN-2993-1
https://www.ubuntu.com/usn/USN-3029-1
https://bugzilla.mozilla.org/show_bug.cgi?id=1206283
https://bugzilla.mozilla.org/show_bug.cgi?id=1221620
https://bugzilla.mozilla.org/show_bug.cgi?id=1241034
https://bugzilla.mozilla.org/show_bug.cgi?id=1241037
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM FlashSystem models 840 and 900

Multiple vulnerabilities in SAN Volume Controller, Storwize family and FlashSystem V9000 products

Input validation error in nss (Alpine package)

Input validation error in developer.mozilla nss