IBMF017053157332788C73AD814F717D9FB4A892FEB46AE6E9FBB37A48B6886709CSecurity Bulletin: Vulnerabilities in Network Security Services (NSS) and Netscape Portable Runtime (NSPR) affect IBM SAN Volume Controller and Storwize Family (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-1544, CVE-2014-1545)
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.106 Low
EPSS
Percentile
95.0%
Summary
Security Bulletin: Vulnerabilities in Network Security Services (NSS) and Netscape Portable Runtime (NSPR) affect IBM SAN Volume Controller and Storwize Family (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-1544, CVE-2014-1545)
Vulnerability Details
Security Bulletin
Summary
Vulnerabilities in Network Security Services (NSS) and Netscape Portable Runtime (NSPR) could allow a remote attacker to obtain sensitive information or cause a denial of service.
Vulnerability Details
CVE-ID: CVE-2013-1740 DESCRIPTION: Mozilla Network Security Services could allow a remote attacker to obtain sensitive information, caused by an error in the ssl_Do1stHandshake() function. An attacker could exploit this vulnerability to return unencrypted, unauthenticated data from PR_Recv.
Affected Versions: Mozilla Network Security Services (NSS) before 3.15.4
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90394 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-1490
DESCRIPTION: Mozilla Firefox,Thunderbird and SeaMonkey, using the Mozilla Network Security Services (NSS) library, could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in libsslβs session ticket processing. An attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.
Affected Versions: Mozilla Network Security Services (NSS) before 3.15.4
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2014-1491
DESCRIPTION: An unspecified error in Mozilla Firefox,Thunderbird and SeaMonkey using the Mozilla Network Security Services (NSS) library has an unknown impact and attack vector.
Affected Versions: Mozilla Network Security Services (NSS) before 3.15.4
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-1492
DESCRIPTION: An unspecified error in Mozilla Network Security Services (NSS) related to the processing of wildcard characters embedded within the U-label of an internationalized domain name in a wildcard certificate has an unknown impact and remote attack vector.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-1544
DESCRIPTION: Mozilla Firefox and Thunderbird could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error in the PK11_ImportCert() function when adding NSSCertificate structures. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
Affected Versions: NSS 3.x used in Firefox before 31.0, and Firefox ESR 24.x before 24.7
CVSS Base Score: 9.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/94776> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2014-1545
DESCRIPTION: Mozilla Netscape Portable Runtime (NSPR) could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write error in the sprintf and console functions. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
Affected Versions: Mozilla Netscape Portable Runtime (NSPR) before 4.10.6
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93715 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Affected Products and Versions
IBM SAN Volume Controller
Storwize V7000 for Lenovo
Storwize V5000 for Lenovo
Storwize V3700 for Lenovo
Storwize V3500 for Lenovo
All products are affected when running supported releases 1.1 to 7.3 except for versions 7.2.0.9 and 7.3.0.7 and above. Release 7.4 is not affected.
Remediation/Fixes
Lenovo recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, Storwize V7000, V5000, V3700 and V3500 for Lenovo and IBM Flex System V7000 to the following code level or higher:
7.2.0.9
7.3.0.7
7.4.0.0
Latest SAN Volume Controller Code
Latest Storwize V7000 Code
Latest Storwize V5000 Code
Latest Storwize V3700 Code
Latest Storwize V3500 Code
Lenovo recommends that you fix this vulnerability by upgrading affected versions of IBM Flex System V7000 to the following code level or higher:
7.2.0.9
Latest IBM Flex System V7000 Code
Workarounds and Mitigations
None known
Related
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.106 Low
EPSS
Percentile
95.0%