Details of VAR-202010-0252

ID

VAR-202010-0252

CVE

CVE-2019-17007

TITLE

Network Security Services Vulnerability in Certificate Verification

Trust: 0.8

sources: JVNDB: JVNDB-2019-016069

DESCRIPTION

In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service. ========================================================================= Ubuntu Security Notice USN-4215-1 December 09, 2019 nss vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 19.04 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 ESM - Ubuntu 12.04 ESM Summary: NSS could be made to crash if it received a specially crafted certificate. An attacker could possibly use this issue to cause a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 19.04: libnss3 2:3.42-1ubuntu2.4 Ubuntu 18.04 LTS: libnss3 2:3.35-2ubuntu2.6 Ubuntu 16.04 LTS: libnss3 2:3.28.4-0ubuntu0.16.04.9 Ubuntu 14.04 ESM: libnss3 2:3.28.4-0ubuntu0.14.04.5+esm3 Ubuntu 12.04 ESM: libnss3 2:3.28.4-0ubuntu0.12.04.6 After a standard system update you need to reboot your computer to make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: nss and nss-softokn security update Advisory ID: RHSA-2021:0876-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:0876 Issue date: 2021-03-16 CVE Names: CVE-2019-11756 CVE-2019-17006 CVE-2019-17007 CVE-2020-12403 ==================================================================== 1. Summary: An update for nss and nss-softokn is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux ComputeNode EUS (v. 7.6) - x86_64 Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6) - x86_64 Red Hat Enterprise Linux Server EUS (v. 7.6) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 7.6) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le, s390x Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, ppc64le, s390x 3. Description: Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756) * nss: Check length of inputs for cryptographic primitives (CVE-2019-17006) * nss: Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref leading to DoS (CVE-2019-17007) * nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing this update, applications using NSS (for example, Firefox) must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1703979 - CVE-2019-17007 nss: Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref leading to DoS 1774835 - CVE-2019-11756 nss: Use-after-free in sftk_FreeSession due to improper refcounting 1775916 - CVE-2019-17006 nss: Check length of inputs for cryptographic primitives 1868931 - CVE-2020-12403 nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read 6. Package List: Red Hat Enterprise Linux ComputeNode EUS (v. 7.6): Source: nss-3.36.0-9.el7_6.src.rpm nss-softokn-3.36.0-7.el7_6.src.rpm x86_64: nss-3.36.0-9.el7_6.i686.rpm nss-3.36.0-9.el7_6.x86_64.rpm nss-debuginfo-3.36.0-9.el7_6.i686.rpm nss-debuginfo-3.36.0-9.el7_6.x86_64.rpm nss-softokn-3.36.0-7.el7_6.i686.rpm nss-softokn-3.36.0-7.el7_6.x86_64.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.i686.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.x86_64.rpm nss-softokn-freebl-3.36.0-7.el7_6.i686.rpm nss-softokn-freebl-3.36.0-7.el7_6.x86_64.rpm nss-sysinit-3.36.0-9.el7_6.x86_64.rpm nss-tools-3.36.0-9.el7_6.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6): x86_64: nss-debuginfo-3.36.0-9.el7_6.i686.rpm nss-debuginfo-3.36.0-9.el7_6.x86_64.rpm nss-devel-3.36.0-9.el7_6.i686.rpm nss-devel-3.36.0-9.el7_6.x86_64.rpm nss-pkcs11-devel-3.36.0-9.el7_6.i686.rpm nss-pkcs11-devel-3.36.0-9.el7_6.x86_64.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.i686.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.x86_64.rpm nss-softokn-devel-3.36.0-7.el7_6.i686.rpm nss-softokn-devel-3.36.0-7.el7_6.x86_64.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.i686.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 7.6): Source: nss-3.36.0-9.el7_6.src.rpm nss-softokn-3.36.0-7.el7_6.src.rpm ppc64: nss-3.36.0-9.el7_6.ppc.rpm nss-3.36.0-9.el7_6.ppc64.rpm nss-debuginfo-3.36.0-9.el7_6.ppc.rpm nss-debuginfo-3.36.0-9.el7_6.ppc64.rpm nss-devel-3.36.0-9.el7_6.ppc.rpm nss-devel-3.36.0-9.el7_6.ppc64.rpm nss-softokn-3.36.0-7.el7_6.ppc.rpm nss-softokn-3.36.0-7.el7_6.ppc64.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.ppc.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.ppc64.rpm nss-softokn-devel-3.36.0-7.el7_6.ppc.rpm nss-softokn-devel-3.36.0-7.el7_6.ppc64.rpm nss-softokn-freebl-3.36.0-7.el7_6.ppc.rpm nss-softokn-freebl-3.36.0-7.el7_6.ppc64.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.ppc.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.ppc64.rpm nss-sysinit-3.36.0-9.el7_6.ppc64.rpm nss-tools-3.36.0-9.el7_6.ppc64.rpm ppc64le: nss-3.36.0-9.el7_6.ppc64le.rpm nss-debuginfo-3.36.0-9.el7_6.ppc64le.rpm nss-devel-3.36.0-9.el7_6.ppc64le.rpm nss-softokn-3.36.0-7.el7_6.ppc64le.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.ppc64le.rpm nss-softokn-devel-3.36.0-7.el7_6.ppc64le.rpm nss-softokn-freebl-3.36.0-7.el7_6.ppc64le.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.ppc64le.rpm nss-sysinit-3.36.0-9.el7_6.ppc64le.rpm nss-tools-3.36.0-9.el7_6.ppc64le.rpm s390x: nss-3.36.0-9.el7_6.s390.rpm nss-3.36.0-9.el7_6.s390x.rpm nss-debuginfo-3.36.0-9.el7_6.s390.rpm nss-debuginfo-3.36.0-9.el7_6.s390x.rpm nss-devel-3.36.0-9.el7_6.s390.rpm nss-devel-3.36.0-9.el7_6.s390x.rpm nss-softokn-3.36.0-7.el7_6.s390.rpm nss-softokn-3.36.0-7.el7_6.s390x.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.s390.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.s390x.rpm nss-softokn-devel-3.36.0-7.el7_6.s390.rpm nss-softokn-devel-3.36.0-7.el7_6.s390x.rpm nss-softokn-freebl-3.36.0-7.el7_6.s390.rpm nss-softokn-freebl-3.36.0-7.el7_6.s390x.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.s390.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.s390x.rpm nss-sysinit-3.36.0-9.el7_6.s390x.rpm nss-tools-3.36.0-9.el7_6.s390x.rpm x86_64: nss-3.36.0-9.el7_6.i686.rpm nss-3.36.0-9.el7_6.x86_64.rpm nss-debuginfo-3.36.0-9.el7_6.i686.rpm nss-debuginfo-3.36.0-9.el7_6.x86_64.rpm nss-devel-3.36.0-9.el7_6.i686.rpm nss-devel-3.36.0-9.el7_6.x86_64.rpm nss-softokn-3.36.0-7.el7_6.i686.rpm nss-softokn-3.36.0-7.el7_6.x86_64.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.i686.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.x86_64.rpm nss-softokn-devel-3.36.0-7.el7_6.i686.rpm nss-softokn-devel-3.36.0-7.el7_6.x86_64.rpm nss-softokn-freebl-3.36.0-7.el7_6.i686.rpm nss-softokn-freebl-3.36.0-7.el7_6.x86_64.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.i686.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.x86_64.rpm nss-sysinit-3.36.0-9.el7_6.x86_64.rpm nss-tools-3.36.0-9.el7_6.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7): Source: nss-3.36.0-9.el7_6.src.rpm nss-softokn-3.36.0-7.el7_6.src.rpm aarch64: nss-3.36.0-9.el7_6.aarch64.rpm nss-debuginfo-3.36.0-9.el7_6.aarch64.rpm nss-devel-3.36.0-9.el7_6.aarch64.rpm nss-softokn-3.36.0-7.el7_6.aarch64.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.aarch64.rpm nss-softokn-devel-3.36.0-7.el7_6.aarch64.rpm nss-softokn-freebl-3.36.0-7.el7_6.aarch64.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.aarch64.rpm nss-sysinit-3.36.0-9.el7_6.aarch64.rpm nss-tools-3.36.0-9.el7_6.aarch64.rpm ppc64le: nss-3.36.0-9.el7_6.ppc64le.rpm nss-debuginfo-3.36.0-9.el7_6.ppc64le.rpm nss-devel-3.36.0-9.el7_6.ppc64le.rpm nss-softokn-3.36.0-7.el7_6.ppc64le.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.ppc64le.rpm nss-softokn-devel-3.36.0-7.el7_6.ppc64le.rpm nss-softokn-freebl-3.36.0-7.el7_6.ppc64le.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.ppc64le.rpm nss-sysinit-3.36.0-9.el7_6.ppc64le.rpm nss-tools-3.36.0-9.el7_6.ppc64le.rpm s390x: nss-3.36.0-9.el7_6.s390.rpm nss-3.36.0-9.el7_6.s390x.rpm nss-debuginfo-3.36.0-9.el7_6.s390.rpm nss-debuginfo-3.36.0-9.el7_6.s390x.rpm nss-devel-3.36.0-9.el7_6.s390.rpm nss-devel-3.36.0-9.el7_6.s390x.rpm nss-softokn-3.36.0-7.el7_6.s390.rpm nss-softokn-3.36.0-7.el7_6.s390x.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.s390.rpm nss-softokn-debuginfo-3.36.0-7.el7_6.s390x.rpm nss-softokn-devel-3.36.0-7.el7_6.s390.rpm nss-softokn-devel-3.36.0-7.el7_6.s390x.rpm nss-softokn-freebl-3.36.0-7.el7_6.s390.rpm nss-softokn-freebl-3.36.0-7.el7_6.s390x.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.s390.rpm nss-softokn-freebl-devel-3.36.0-7.el7_6.s390x.rpm nss-sysinit-3.36.0-9.el7_6.s390x.rpm nss-tools-3.36.0-9.el7_6.s390x.rpm Red Hat Enterprise Linux Server Optional EUS (v. 7.6): ppc64: nss-debuginfo-3.36.0-9.el7_6.ppc.rpm nss-debuginfo-3.36.0-9.el7_6.ppc64.rpm nss-pkcs11-devel-3.36.0-9.el7_6.ppc.rpm nss-pkcs11-devel-3.36.0-9.el7_6.ppc64.rpm ppc64le: nss-debuginfo-3.36.0-9.el7_6.ppc64le.rpm nss-pkcs11-devel-3.36.0-9.el7_6.ppc64le.rpm s390x: nss-debuginfo-3.36.0-9.el7_6.s390.rpm nss-debuginfo-3.36.0-9.el7_6.s390x.rpm nss-pkcs11-devel-3.36.0-9.el7_6.s390.rpm nss-pkcs11-devel-3.36.0-9.el7_6.s390x.rpm x86_64: nss-debuginfo-3.36.0-9.el7_6.i686.rpm nss-debuginfo-3.36.0-9.el7_6.x86_64.rpm nss-pkcs11-devel-3.36.0-9.el7_6.i686.rpm nss-pkcs11-devel-3.36.0-9.el7_6.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7): aarch64: nss-debuginfo-3.36.0-9.el7_6.aarch64.rpm nss-pkcs11-devel-3.36.0-9.el7_6.aarch64.rpm ppc64le: nss-debuginfo-3.36.0-9.el7_6.ppc64le.rpm nss-pkcs11-devel-3.36.0-9.el7_6.ppc64le.rpm s390x: nss-debuginfo-3.36.0-9.el7_6.s390.rpm nss-debuginfo-3.36.0-9.el7_6.s390x.rpm nss-pkcs11-devel-3.36.0-9.el7_6.s390.rpm nss-pkcs11-devel-3.36.0-9.el7_6.s390x.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-11756 https://access.redhat.com/security/cve/CVE-2019-17006 https://access.redhat.com/security/cve/CVE-2019-17007 https://access.redhat.com/security/cve/CVE-2020-12403 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYFDHndzjgjWX9erEAQhc7BAAkp67Ydt2JQVRfRhv2NUd0sjnWReLTvdP jCz5vIgKz8JIgmz/bc5I1MR8ZCSObdbsUEiv0exapuYneLNru//0dMGL2dv7Fkn5 Em5+ZuvLuDUq9id8TOOd5igNjBeJGKy4dJV46AXtgUHARHbiU5jcmOcCetkBY09J o0bK4wDc6YjvUBANaAQH/sWznAT+BNmtOeF00seAbIgic0m76HidFSQzcq8I+vtm mttqgZvz3+xYitS/63Z4AQofI3VFGX46CHZxekI7N1hIpML7QjiZw4gk8QgdpRWn wLtr661MIse/iS0l+4ZvQoWx5diuVwXudfGmisEXhsWtx79m8JSFNavmxSK9dvJ5 5F6K275OTX2W1GSUgU4IrKxWaLoBPQlC4yT36c4827qosGBjgufGyExgmqnTyQyR iobqDMUHq5RgjNsHNCzrm7CKAgwTUgyuN5QLoXwOsqxPfMt1uL8TI1Q5ULyuPJ+b 8IxbIPGgCZM/haNchD9Xoo1rDieT1JOtQNTfknss91AIQZH30n7i6F6/l8K7GJ16 1sFPnNI7aISjvhu/+jfgNpkoFi6Qyda5a8jSceWpY1yf83/jsxVpKMqgcoTf416z IFzoYxQqa0AM1efVfgtL1vnoAXw8yPt0PjXfcMUYWltIGbgO15L/hJZ6bCUu8FT6 BbaFUBBSJpw=m1vv -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . For the stable distribution (buster), these problems have been fixed in version 2:3.42.1-1+deb10u2. We recommend that you upgrade your nss packages. For the detailed security status of nss please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nss Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl3qzaYACgkQEMKTtsN8 TjZ7yg//SABSzXoip0pAHIT9lNxDFNL44E27iqRWeurCyfxnQNvNaeShakiTj1Yj sSb2pqo0+gGLsUgtQdKKc8yeOERvuihWRoVDroW7onYG93vpsZ1H8Z7HSEJOGMQl Bt/HcjayCfXrA313/B5SBTiKE/Ks4CvYQvk+BrFwjFEUoYhXzxXwfUIxym1L8+gq jG3Qsh38iOFhrXfXBe2PGaUGU6AVcS/BGTam31s1g54mta4a+obIbvvQu3MGHJLH UTTcVPy7PhK5dofufbJXo1QGqfgdLxsvZAqhcyU1cXBZa7k18Ykts9jKukwoDZV0 hR2jISnOddovQWdPWLqz/ENOTIkY8Ue5/cPIaQ+I9tAL2JOBHBmddP+WeqBxpO8o DpP+4EILROZQ5g+WjLT1Twsje3NJQYx6z7YmXo/0N0ELM+81Sono1wKTgegVBa0F 8eET2FDW45sKFOGV1QTTI5F1mSmgSHiTdtVl/riuzdWrdig8316dByz994dZD+Co TgMiALJWwiVDY6XHHrPwzmvqNoqlcUvNgh4v7tRkTL/YjlHxD+x8R08sRaVo5gqz Z4CyLaP1ByO0X/i4dkuVtD5kIX9GlqLRYkUSnOBhwaoPr7ZgZBCnJfyQixsME1L5 yOg6+j//ncYos+KWeb1upZdUHHB340UmTxbEtECa7jfanMcrtpw= =QZmZ -----END PGP SIGNATURE-----

Trust: 1.98

sources: NVD: CVE-2019-17007 // JVNDB: JVNDB-2019-016069 // VULMON: CVE-2019-17007 // PACKETSTORM: 155590 // PACKETSTORM: 161842 // PACKETSTORM: 155601

AFFECTED PRODUCTS

vendor:	siemens	model:	ruggedcom rox rx1400	scope:	lt	version:	2.14.0	Trust: 1.0
vendor:	siemens	model:	ruggedcom rox rx1512	scope:	lt	version:	2.14.0	Trust: 1.0
vendor:	siemens	model:	ruggedcom rox rx1510	scope:	lt	version:	2.14.0	Trust: 1.0
vendor:	siemens	model:	ruggedcom rox rx5000	scope:	lt	version:	2.14.0	Trust: 1.0
vendor:	siemens	model:	ruggedcom rox rx1501	scope:	lt	version:	2.14.0	Trust: 1.0
vendor:	siemens	model:	ruggedcom rox rx1511	scope:	lt	version:	2.14.0	Trust: 1.0
vendor:	siemens	model:	ruggedcom rox mx5000	scope:	lt	version:	2.14.0	Trust: 1.0
vendor:	siemens	model:	ruggedcom rox rx1500	scope:	lt	version:	2.14.0	Trust: 1.0
vendor:	mozilla	model:	network security services	scope:	lt	version:	3.44	Trust: 1.0
vendor:	mozilla	model:	network security services	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	ruggedcom rox mx5000	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	ruggedcom rox rx1400	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	ruggedcom rox rx1500	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	ruggedcom rox rx1501	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	ruggedcom rox rx1510	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	ruggedcom rox rx1511	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	ruggedcom rox rx1512	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	ruggedcom rox rx5000	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-016069 // NVD: CVE-2019-17007

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-17007
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-17007
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201912-023
value:	HIGH
Trust: 0.6
VULMON:	CVE-2019-17007
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-17007
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2019-17007
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-17007
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2019-17007 // JVNDB: JVNDB-2019-016069 // CNNVD: CNNVD-201912-023 // NVD: CVE-2019-17007

PROBLEMTYPE DATA

problemtype:	CWE-295	Trust: 1.0
problemtype:	Bad certificate verification (CWE-295) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2019-016069 // NVD: CVE-2019-17007

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-023

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201912-023

PATCH

title:	SSA-379803	url:	https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44_release_notes	Trust: 0.8
title:	Mozilla Network Security Services Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=104251	Trust: 0.6
title:	Ubuntu Security Notice: nss vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4215-1	Trust: 0.1
title:	Debian Security Advisories: DSA-4579-1 nss -- security update	url:	https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=0af759a984821af0886871e7a26a298e	Trust: 0.1

sources: VULMON: CVE-2019-17007 // JVNDB: JVNDB-2019-016069 // CNNVD: CNNVD-201912-023

EXTERNAL IDS

db:	NVD	id:	CVE-2019-17007	Trust: 2.8
db:	ICS CERT	id:	ICSA-21-040-04	Trust: 2.4
db:	SIEMENS	id:	SSA-379803	Trust: 1.6
db:	JVNDB	id:	JVNDB-2019-016069	Trust: 0.8
db:	PACKETSTORM	id:	155590	Trust: 0.7
db:	PACKETSTORM	id:	161842	Trust: 0.7
db:	PACKETSTORM	id:	155601	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.0491	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3355	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.4579	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0933	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.4524	Trust: 0.6
db:	CNNVD	id:	CNNVD-201912-023	Trust: 0.6
db:	VULMON	id:	CVE-2019-17007	Trust: 0.1

sources: VULMON: CVE-2019-17007 // JVNDB: JVNDB-2019-016069 // PACKETSTORM: 155590 // PACKETSTORM: 161842 // PACKETSTORM: 155601 // CNNVD: CNNVD-201912-023 // NVD: CVE-2019-17007

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04	Trust: 3.0
url:	https://bugzilla.mozilla.org/show_bug.cgi?id=1533216	Trust: 1.7
url:	https://developer.mozilla.org/en-us/docs/mozilla/projects/nss/nss_3.44_release_notes	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-17007	Trust: 1.7
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf	Trust: 1.6
url:	https://lists.debian.org/debian-lts-announce/2019/11/msg00034.html	Trust: 0.6
url:	https://www.debian.org/security/2019/dsa-4579	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0491	Trust: 0.6
url:	https://packetstormsecurity.com/files/155601/debian-security-advisory-4579-1.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4524/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4579/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3355/	Trust: 0.6
url:	https://packetstormsecurity.com/files/155590/ubuntu-security-notice-usn-4215-1.html	Trust: 0.6
url:	https://packetstormsecurity.com/files/161842/red-hat-security-advisory-2021-0876-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0933	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/295.html	Trust: 0.1
url:	https://usn.ubuntu.com/4215-1/	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://usn.ubuntu.com/4215-1	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/nss/2:3.42-1ubuntu2.4	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/nss/2:3.35-2ubuntu2.6	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.16.04.9	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-12403	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-17006	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:0876	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-17007	Trust: 0.1
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-17006	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-11756	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-11756	Trust: 0.1
url:	https://bugzilla.redhat.com/):	Trust: 0.1
url:	https://access.redhat.com/security/team/key/	Trust: 0.1
url:	https://access.redhat.com/articles/11258	Trust: 0.1
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12403	Trust: 0.1
url:	https://access.redhat.com/security/team/contact/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-11745	Trust: 0.1
url:	https://security-tracker.debian.org/tracker/nss	Trust: 0.1
url:	https://www.debian.org/security/faq	Trust: 0.1
url:	https://www.debian.org/security/	Trust: 0.1

CREDITS

Ubuntu,Debian,Red Hat

Trust: 0.6

sources: CNNVD: CNNVD-201912-023

SOURCES

db:	VULMON	id:	CVE-2019-17007
db:	JVNDB	id:	JVNDB-2019-016069
db:	PACKETSTORM	id:	155590
db:	PACKETSTORM	id:	161842
db:	PACKETSTORM	id:	155601
db:	CNNVD	id:	CNNVD-201912-023
db:	NVD	id:	CVE-2019-17007

LAST UPDATE DATE

2024-08-14T13:14:01.747000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2019-17007	date:	2021-02-19T00:00:00
db:	JVNDB	id:	JVNDB-2019-016069	date:	2021-05-12T08:27:00
db:	CNNVD	id:	CNNVD-201912-023	date:	2021-03-18T00:00:00
db:	NVD	id:	CVE-2019-17007	date:	2021-02-19T16:58:55.290

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2019-17007	date:	2020-10-22T00:00:00
db:	JVNDB	id:	JVNDB-2019-016069	date:	2021-05-12T00:00:00
db:	PACKETSTORM	id:	155590	date:	2019-12-09T15:53:27
db:	PACKETSTORM	id:	161842	date:	2021-03-17T14:35:53
db:	PACKETSTORM	id:	155601	date:	2019-12-09T22:22:22
db:	CNNVD	id:	CNNVD-201912-023	date:	2019-12-02T00:00:00
db:	NVD	id:	CVE-2019-17007	date:	2020-10-22T21:15:12.637