vulnerability

Oracle Linux: CVE-2019-11745: ELSA-2019-4190: nss, nss-softokn, nss-util security update (IMPORTANT) (Multiple Advisories)

Severity
8
CVSS
(AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published
Nov 21, 2019
Added
Dec 12, 2019
Modified
Dec 24, 2024

Description

When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well.

Solution(s)

oracle-linux-upgrade-nssoracle-linux-upgrade-nss-develoracle-linux-upgrade-nss-pkcs11-develoracle-linux-upgrade-nss-softoknoracle-linux-upgrade-nss-softokn-develoracle-linux-upgrade-nss-softokn-freebloracle-linux-upgrade-nss-softokn-freebl-develoracle-linux-upgrade-nss-sysinitoracle-linux-upgrade-nss-toolsoracle-linux-upgrade-nss-utiloracle-linux-upgrade-nss-util-devel
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.