vulnerability

Oracle Linux: CVE-2019-11745: ELSA-2019-4190: nss, nss-softokn, nss-util security update (IMPORTANT) (Multiple Advisories)

Severity
8
CVSS
(AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published
2019-11-21
Added
2019-12-12
Modified
2024-12-24

Description

When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well.

Solution(s)

oracle-linux-upgrade-nssoracle-linux-upgrade-nss-develoracle-linux-upgrade-nss-pkcs11-develoracle-linux-upgrade-nss-softoknoracle-linux-upgrade-nss-softokn-develoracle-linux-upgrade-nss-softokn-freebloracle-linux-upgrade-nss-softokn-freebl-develoracle-linux-upgrade-nss-sysinitoracle-linux-upgrade-nss-toolsoracle-linux-upgrade-nss-utiloracle-linux-upgrade-nss-util-devel
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.