Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM9541D6690CD297299C12730B62294D2C943298945F885C489C7D37CD7CD4A6D2
HistoryJun 16, 2018 - 9:44 p.m.

Security Bulletin: IBM Security Access Manager for Mobile is affected by vulnerabilities in nss, nss-util, and nspr (CVE-2016-1978, CVE-2016-1979)

2018-06-1621:44:35
www.ibm.com
40

0.077 Low

EPSS

Percentile

94.2%

JSON

Summary

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. Netscape Portable Runtime (NSPR)
provides platform independence for non-GUI operating system facilities.

IBM Security Access Manager for Mobile uses NSS and is affected by two use-after-free flaws that have been identified in the NSS libraries.

Vulnerability Details

CVEID: CVE-2016-1978**
DESCRIPTION:** Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in ssl3_HandleECDHServerKeyExchange. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111321&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-1979**
DESCRIPTION:** Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free when processing DER encoded keys in the Network Security Services (NSS) libraries. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111365&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Security Access Manager for Mobile 8.0, all firmware versions

IBM Security Access Manager 9.0, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch.

Product VRMF APAR Remediation
IBM Security Access Manager for Mobile 8.0.0.0 -
8.0.1.4 IV86717 1. For releases prior to 8.0.1.4, upgrade to 8.0.1.4:
8.0.1-ISS-ISAM-FP0004
2. Apply 8.0.1.4 Interim Fix 1:
8.0.1.4-ISS-ISAM-IF0001
IBM Security Access Manager 9.0 IV86695 1. For 9.0 environments, upgrade to 9.0.1.0:
IBM Security Access Manager V9.0.1 Multiplatform, Multilingual (CRW4EML)
2. Apply 9.0.1.0 Interim Fix 2:
9.0.1.0-ISS-ISAM-IF0002

Workarounds and Mitigations

None.

Related

oraclelinux 3
openvas 42
centos 3
nessus 36
amazon 1
redhat 3
ibm 7
symantec 1
ubuntu 1
veracode 2
mozilla 2
f5 4
ubuntucve 2
prion 2
cve 2
cvelist 2
debiancve 2
nvd 2
osv 4
debian 5
freebsd 2
suse 6
mageia 1
kaspersky 1
gentoo 1
oracle 3
oraclelinux
oraclelinux
nss and nspr security, bug fix, and enhancement update
2016-04-25 00:00:00
nss, nspr, nss-softokn, and nss-util security, bug fix, and enhancement update
2016-04-25 00:00:00
nss, nss-util, and nspr security, bug fix, and enhancement update
2016-04-05 00:00:00
openvas
openvas
CentOS Update for nss-softokn CESA-2016:0685 centos7
2016-04-26 00:00:00
Oracle: Security Advisory (ELSA-2016-0684)
2016-05-09 00:00:00
Huawei EulerOS: Security Advisory for nss, nspr, nss-softokn, nss-util (EulerOS-SA-2016-1017)
2020-01-23 00:00:00
centos
centos
nspr, nss security update
2016-04-25 13:19:01
nspr, nss security update
2016-04-05 12:27:24
nspr, nss security update
2016-04-25 17:49:11
nessus
nessus
Oracle Linux 6 : nspr / nss / nss-util (ELSA-2016-0591)
2016-04-07 00:00:00
Amazon Linux AMI : nspr / nss-util,nss,nss-softokn (ALAS-2016-702)
2016-05-19 00:00:00
RHEL 5 : nss and nspr (RHSA-2016:0684)
2016-04-27 00:00:00
amazon
amazon
Medium: nspr, nss-util, nss, nss-softokn
2016-05-18 14:00:00
redhat
redhat
(RHSA-2016:0684) Moderate: nss and nspr security, bug fix, and enhancement update
2016-04-25 00:00:00
(RHSA-2016:0685) Moderate: nss, nspr, nss-softokn, and nss-util security, bug fix, and enhancement update
2016-04-25 11:11:50
(RHSA-2016:0591) Moderate: nss, nss-util, and nspr security, bug fix, and enhancement update
2016-04-05 00:00:00
ibm
ibm
Security Bulletin: IBM Security Access Manager for Web is affected by vulnerabilities in nss, nss-util, and nspr (CVE-2016-1978, CVE-2016-1979)
2018-06-16 21:44:35
Security Bulletin: Vulnerabilities in Mozilla Firefox Network Security Services affect PowerKVM (CVE-2016-1978,CVE-2016-1979)
2018-06-18 01:32:18
Security Bulletin: Nss,Nss-util and Nspr vulnerabilities affect IBM SmartCloud Entry (CVE-2016-1978, CVE-2016-1979 )
2020-07-19 00:49:12
symantec
symantec
SA124 : NSS Vulnerabilities March 2016
2016-06-07 08:00:00
ubuntu
ubuntu
Thunderbird vulnerabilities
2016-05-19 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-01-15 09:11:20
Use-After-Free
2019-05-02 05:28:59
mozilla
mozilla
Use-after-free in NSS during SSL connections in low memory — Mozilla
2016-01-26 00:00:00
Use-after-free during processing of DER encoded keys in NSS — Mozilla
2016-03-08 00:00:00
f5
f5
K37540306 : Mozilla Network Security Services use-after-free vulnerability CVE-2016-1978
2016-11-15 00:00:00
SOL37540306 - Mozilla Network Security Services use-after-free vulnerability CVE-2016-1978
2016-11-15 00:00:00
SOL20145801 - Mozilla NSS vulnerability CVE-2016-1979
2016-04-18 00:00:00
ubuntucve
ubuntucve
CVE-2016-1978
2016-03-13 00:00:00
CVE-2016-1979
2016-03-13 00:00:00
prion
prion
Design/Logic Flaw
2016-03-13 18:59:00
Design/Logic Flaw
2016-03-13 18:59:00
cve
cve
CVE-2016-1978
2016-03-13 18:59:27
CVE-2016-1979
2016-03-13 18:59:28
cvelist
cvelist
CVE-2016-1978
2016-03-13 18:00:00
CVE-2016-1979
2016-03-13 18:00:00
debiancve
debiancve
CVE-2016-1978
2016-03-13 18:59:27
CVE-2016-1979
2016-03-13 18:59:28
nvd
nvd
CVE-2016-1978
2016-03-13 18:59:27
CVE-2016-1979
2016-03-13 18:59:28
osv
osv
nss - security update
2016-05-18 00:00:00
nss - security update
2016-10-05 00:00:00
icedove - security update
2016-05-14 00:00:00
debian
debian
[SECURITY] [DLA 480-1] nss security update
2016-05-18 18:34:37
[SECURITY] [DSA 3688-1] nss security update
2016-10-05 20:20:43
[SECURITY] [DSA 3576-1] icedove security update
2016-05-13 17:58:29
freebsd
freebsd
NSS -- multiple vulnerabilities
2016-01-26 00:00:00
NSS -- multiple vulnerabilities
2016-03-08 00:00:00
suse
suse
Security update for MozillaFirefox (important)
2016-03-18 18:12:42
Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (important)
2016-03-30 15:07:52
Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (important)
2016-03-11 20:11:56
mageia
mageia
Updated firefox packages fix security vulnerabilities
2016-03-10 01:57:53
kaspersky
kaspersky
KLA10765 Multiple vulnerabilities in Mozilla Firefox and Firefox ESR
2016-03-08 00:00:00
gentoo
gentoo
Mozilla Products: Multiple vulnerabilities
2016-05-31 00:00:00
oracle
oracle
Oracle Critical Patch Update - July 2016
2016-07-19 00:00:00
Oracle Critical Patch Update - October 2017
2017-10-17 00:00:00
Oracle Critical Patch Update Advisory - July 2017
2018-03-20 00:00:00

0.077 Low

EPSS

Percentile

94.2%

JSON
Related for 9541D6690CD297299C12730B62294D2C943298945F885C489C7D37CD7CD4A6D2
oraclelinux3openvas42centos3nessus36amazon1redhat3ibm7symantec1ubuntu1veracode2mozilla2f54ubuntucve2prion2cve2cvelist2debiancve2nvd2osv4debian5freebsd2suse6mageia1kaspersky1gentoo1oracle3