Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMB001EA0C352C914F5BD75B1A7ED4DC332EFEAF82BBB300155C1592CB17C0172A
HistoryJun 15, 2018 - 7:06 a.m.

Security Bulletin: Vulnerabilities in Mozilla Network Security Services (NSS) affect IBM MQ Appliance (CVE-2016-2834, CVE-2016-5285, CVE-2016-8635)

2018-06-1507:06:54
www.ibm.com
38

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

JSON

Summary

Security vulnerabilities in Mozilla Network Security Services (NSS) affect IBM MQ Appliance. IBM MQ Appliance has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2016-2834**
DESCRIPTION:** Mozilla Network Security Services (NSS), as used in Mozilla Firefox, could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted website, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113870&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-5285**
DESCRIPTION:** Mozilla Network Security Services (NSS), as used in Mozilla Firefox, is vulnerable to a denial of service, caused by a NULL pointer dereference in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime when handling invalid Diffie-Hellman keys. A remote attacker could exploit this vulnerability to crash a TLS/SSL server.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119189&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-8635**
DESCRIPTION:** Mozilla Network Security Services (NSS), as used in Mozilla Firefox, could allow a remote attacker to obtain sensitive information, caused by a small subgroup confinement attack in Diffie Hellman Client key exchange handling. By confining the client DH key to a small subgroup of the desired group, a remote attacker could exploit this vulnerability to recover private keys.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119190&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

The following versions are affected:

  • IBM MQ Appliance 8.0
    • Maintenance levels between 8.0.0.0 and 8.0.0.5
  • IBM MQ Appliance 9.0.x Continuous Delivery (CD) release
    • Continuous delivery update 9.0.1 only

Remediation/Fixes

IBM MQ Appliance 8.0

Apply fixpack 8.0.0.6 or later maintenance.

IBM MQ Appliance 9.0.x Continuous Delivery (CD) release

Apply continuous delivery update 9.0.2 or later.

Workarounds and Mitigations

None.

Related

nessus 29
redhat 1
openvas 26
ibm 12
symantec 1
amazon 1
centos 1
oraclelinux 1
ubuntu 3
veracode 3
redhatcve 3
ubuntucve 3
prion 3
cve 3
debiancve 3
osv 2
freebsd 1
f5 2
mozilla 1
debian 2
gentoo 1
suse 10
kaspersky 1
oracle 2
nessus
nessus
Oracle Linux 5 / 6 / 7 : nss / nss-util (ELSA-2016-2779)
2016-11-17 00:00:00
CentOS 5 / 6 / 7 : nss / nss-util (CESA-2016:2779)
2016-11-21 00:00:00
Amazon Linux AMI : nss-util / nss,nss-softokn (ALAS-2016-774)
2016-12-16 00:00:00
redhat
redhat
(RHSA-2016:2779) Moderate: nss and nss-util security update
2016-11-16 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for nss, nss-util (EulerOS-SA-2016-1084)
2020-01-23 00:00:00
CentOS Update for nss-util CESA-2016:2779 centos6
2016-11-20 00:00:00
CentOS Update for nss CESA-2016:2779 centos5
2016-11-20 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in Mozilla Network Security Services (NSS) affect PowerKVM
2018-06-18 01:34:46
Security Bulletin: Vulnerabilities in Mozilla NSS affect the IBM FlashSystem model V840
2018-06-18 00:32:47
Security Bulletin: IBM Security Access Manager appliances are affected by vulnerabilities in Network Security Services (NSS) (CVE-2016-2834, CVE-2016-5285, CVE-2016-8635)
2018-06-16 21:50:26
symantec
symantec
SA137 : NSS Vulnerabilities
2016-12-20 08:00:00
amazon
amazon
Medium: nss-util, nss, nss-softokn
2016-12-15 00:32:00
centos
centos
nss security update
2016-11-19 11:17:02
oraclelinux
oraclelinux
nss and nss-util security update
2016-11-16 00:00:00
ubuntu
ubuntu
NSS vulnerabilities
2017-01-04 00:00:00
NSS vulnerability
2016-07-11 00:00:00
Firefox vulnerabilities
2016-06-09 00:00:00
veracode
veracode
Null Pointer Dereference
2019-05-02 06:02:29
Information Disclosure
2019-05-02 06:02:29
Denial Of Service
2019-01-15 09:14:44
redhatcve
redhatcve
CVE-2016-5285
2016-11-16 03:47:19
CVE-2016-8635
2016-11-16 03:47:31
CVE-2016-2834
2016-06-18 08:48:29
ubuntucve
ubuntucve
CVE-2016-5285
2016-11-16 00:00:00
CVE-2016-8635
2016-11-17 00:00:00
CVE-2016-2834
2016-06-08 00:00:00
prion
prion
Null pointer dereference
2019-11-15 16:15:00
Design/Logic Flaw
2018-08-01 13:29:00
Memory corruption
2016-06-13 10:59:00
cve
cve
CVE-2016-5285
2019-11-15 16:15:00
CVE-2016-8635
2018-08-01 13:29:00
CVE-2016-2834
2016-06-13 10:59:00
debiancve
debiancve
CVE-2016-5285
2019-11-15 16:15:00
CVE-2016-8635
2018-08-01 13:29:00
CVE-2016-2834
2016-06-13 10:59:00
osv
osv
nss - security update
2016-06-25 00:00:00
nss - security update
2016-10-05 00:00:00
freebsd
freebsd
NSS -- multiple vulnerabilities
2016-06-07 00:00:00
f5
f5
SOL15479471 - Mozilla NSS vulnerability CVE-2016-2834
2016-09-01 00:00:00
K15479471 : Mozilla NSS vulnerability CVE-2016-2834
2016-09-01 00:00:00
mozilla
mozilla
Network Security Services (NSS) vulnerabilities โ€” Mozilla
2016-06-07 00:00:00
debian
debian
[SECURITY] [DLA 527-1] nss security update
2016-06-25 18:05:55
[SECURITY] [DSA 3688-1] nss security update
2016-10-05 20:20:43
gentoo
gentoo
Mozilla Network Security Service (NSS): Multiple vulnerabilities
2017-01-19 00:00:00
suse
suse
Security update for MozillaFirefox, mozilla-nss (important)
2016-12-05 21:07:10
Security update for MozillaFirefox, mozilla-nss (important)
2016-12-10 23:09:49
Security update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr, mozilla-nss (important)
2016-06-27 20:08:30
kaspersky
kaspersky
KLA10822 Multiple vulnerabilities in Mozilla Firefox and Firefox ESR
2016-06-07 00:00:00
oracle
oracle
Oracle Critical Patch Update - October 2017
2017-10-17 00:00:00
Oracle Critical Patch Update Advisory - July 2017
2018-03-20 00:00:00

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

JSON
Related for B001EA0C352C914F5BD75B1A7ED4DC332EFEAF82BBB300155C1592CB17C0172A
nessus29redhat1openvas26ibm12symantec1amazon1centos1oraclelinux1ubuntu3veracode3redhatcve3ubuntucve3prion3cve3debiancve3osv2freebsd1f52mozilla1debian2gentoo1suse10kaspersky1oracle2