Security Bulletin
Summary
NSS & NSPR vulnerabilities affect the IBM FlashSystem 840 and V840 products. These vulnerabilities could allow a remote attacker to execute arbitrary code, on the system, to obtain sensitive information, or cause Denial of Service.
Vulnerability Details
1. CVE-ID: CVE-2013-1740
DESCRIPTION: Mozilla Network Security Services could allow a remote attacker to obtain sensitive information, caused by an error in the ssl_Do1stHandshake() function. An attacker could exploit this vulnerability to return unencrypted, unauthenticated data from PR_Recv.
Affected Versions: Mozilla Network Security Services (NSS) before 3.15.4
CVSS Base Score: 5.8 / 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90394 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
--------------------------------------------------------------
2. CVE-ID: CVE-2014-1490
DESCRIPTION: Mozilla Firefox,Thunderbird and SeaMonkey, using the Mozilla Network Security Services (NSS) library, could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in libssl's session ticket processing. An attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.
Affected Versions: Mozilla Network Security Services (NSS) before 3.15.4
CVSS Base Score: 5 / 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
--------------------------------------------------------------
3. CVE-ID: CVE-2014-1491
DESCRIPTION: An unspecified error in Mozilla Firefox,Thunderbird and SeaMonkey using the Mozilla Network Security Services (NSS) library has an unknown impact and attack vector.
Affected Versions: Mozilla Network Security Services (NSS) before 3.15.4
CVSS Base Score: 5 / 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
--------------------------------------------------------------
4. CVE-ID: CVE-2014-1492
DESCRIPTION: An unspecified error in Mozilla Network Security Services (NSS) related to the processing of wildcard characters embedded within the U-label of an internationalized domain name in a wildcard certificate has an unknown impact and remote attack vector.
CVSS Base Score: 4.3 / 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
--------------------------------------------------------------
5. CVE-ID: CVE-2014-1544
DESCRIPTION: Mozilla Firefox and Thunderbird could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error in the PK11_ImportCert() function when adding NSSCertificate structures. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
Affected Versions: NSS 3.x used in Firefox before 31.0, and Firefox ESR 24.x before 24.7
CVSS Base Score: 10.0 / 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94775 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
--------------------------------------------------------------
6. CVE-ID: CVE-2014-1545
DESCRIPTION: Mozilla Netscape Portable Runtime (NSPR) could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write error in the sprintf and console functions. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
Affected Versions: Mozilla Netscape Portable Runtime (NSPR) before 4.10.6
CVSS Base Score: 10.0 / 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93715 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Affected Products and Versions
IBM FlashSystem 840:
Machine Type 9840, model -AE1 (all supported releases before 1.1.2.7)
Machine Type 9843, model -AE1 (all supported releases before 1.1.2.7)
IBM FlashSystem V840:
Machine Type 9846, model -AE1 (all supported releases before 1.1.2.7)
Machine Type 9848, model -AE1 (all supported releases before 1.1.2.7)
Machine Type 9846, models -AC0, & -AC1 (all supported releases before 7.3.0.7)
Machine Type 9848, models -AC0, & -AC1 (all supported releases before 7.3.0.7)
Remediation/Fixes
IBM recommends that you promptly fix this vulnerability by upgrading affected versions of IBM FlashSystem 840 and V840 systems to the following code level or higher:
for 840 & V840 machine types 9840, 9846, & 9848, –AE1 models: 1.1.2.7
for V840 machine types 9846 & 9848, –AC0 & -AC1 models: 7.3.0.7
In addition, IBM recommends that you review your entire environment to identify vulnerable releases of NSS & NSPR in other (e.g. non-IBM products and versions) including in your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information.
Workarounds and Mitigations
None known
Get Notified about Future Security Bulletins
References
Acknowledgement
None
Change History
9 Oct 2014: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 February 2023
UID
ssg1S1004930