CVE-2016-5285

high

Description

A NULL pointer dereference vulnerability exists in Mozilla Network Security Services (NSS) due to a missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime, which could let a remote malicious user cause a denial of service.

References

http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00037.html

http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00049.html

http://rhn.redhat.com/errata/RHSA-2016-2779.html

http://www.securityfocus.com/bid/94349

http://www.ubuntu.com/usn/USN-3163-1

https://bto.bluecoat.com/security-advisory/sa137

https://bugzilla.mozilla.org/show_bug.cgi?id=1306103

https://security.gentoo.org/glsa/201701-46

Details

Source: MITRE

Published: 2019-11-15

Updated: 2020-01-09

Type: CWE-476

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mozilla:nss:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:ltss:*:*:*

Configuration 5

OR

cpe:2.3:a:avaya:aura_application_enablement_services:*:*:*:*:*:*:*:* versions from 6.1 to 6.3.3 (inclusive)

cpe:2.3:a:avaya:aura_application_enablement_services:7.0:*:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:-:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp1:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp10:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp10.1:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp11:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp11.1:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp12:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp12.1:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp12.2:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp12.3:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp12.5:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp3:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp5:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_application_server_5300:3.0:sp7:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_communication_manager:*:*:*:*:*:*:*:* versions from 6.0 to 6.3.117.0 (inclusive)

cpe:2.3:a:avaya:aura_communication_manager:7.0:-:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_communication_manager:7.0:sp:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_communication_manager:7.0:sp3:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_communication_manager_messagint:7.0:-:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_communication_manager_messagint:7.0:sp1:*:*:*:*:*:*

cpe:2.3:a:avaya:breeze_platform:*:*:*:*:*:*:*:* versions from 3.0 to 3.2 (inclusive)

cpe:2.3:a:avaya:call_management_system:17.0:-:*:*:*:*:*:*

cpe:2.3:a:avaya:call_management_system:17.0:r3:*:*:*:*:*:*

cpe:2.3:a:avaya:call_management_system:17.0:r4:*:*:*:*:*:*

cpe:2.3:a:avaya:call_management_system:17.0:r5:*:*:*:*:*:*

cpe:2.3:a:avaya:call_management_system:17.0:r6:*:*:*:*:*:*

cpe:2.3:a:avaya:call_management_system:*:*:*:*:*:*:*:* versions from 18.0.0.1 to 18.0.0.2 (inclusive)

cpe:2.3:a:avaya:iq:5.2.x:*:*:*:*:*:*:*

Configuration 6

AND

OR

cpe:2.3:o:avaya:cs1000e_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:avaya:cs1000e:-:*:*:*:*:*:*:*

Configuration 7

AND

OR

cpe:2.3:o:avaya:cs1000m_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:avaya:cs1000m:-:*:*:*:*:*:*:*

Configuration 8

AND

OR

cpe:2.3:o:avaya:cs1000e\/cs1000m_signaling_server_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:avaya:cs1000e\/cs1000m_signaling_server:-:*:*:*:*:*:*:*

Configuration 9

OR

cpe:2.3:a:avaya:aura_conferencing:7.0:*:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_conferencing:7.2:*:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_conferencing:8.0:-:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_conferencing:8.0:sp2:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_conferencing:8.0:sp4:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_conferencing:8.0:sp5:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_conferencing:8.0:sp7:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_conferencing:8.0:sp8:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_conferencing:8.0:sp9:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_experience_portal:*:*:*:*:*:*:*:* versions from 6.0 to 7.1 (inclusive)

Configuration 10

OR

cpe:2.3:a:avaya:ip_office:8.1:*:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:-:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:sp1:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:sp10:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:sp11:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:sp12:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:sp3:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:sp4:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:sp5:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:sp6:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:sp7:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:sp8:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:9.1:sp9:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:10.0:-:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:10.0:sp1:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:10.0:sp2:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:10.0:sp3:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:10.0:sp4:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:10.0:sp5:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:10.0:sp6:*:*:*:*:*:*

cpe:2.3:a:avaya:ip_office:10.0:sp7:*:*:*:*:*:*

Configuration 11

OR

cpe:2.3:a:avaya:aura_messaging:6.3:*:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_messaging:6.3.3:-:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_messaging:6.3.3:sp4:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_messaging:6.3.3:sp5:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_messaging:6.3.3:sp6:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_session_manager:*:*:*:*:*:*:*:* versions from 6.3 to 6.3.18 (inclusive)

cpe:2.3:a:avaya:aura_session_manager:7.0:-:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_session_manager:7.0:sp1:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_session_manager:7.0:sp2:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_session_manager:7.0.1:-:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_session_manager:7.0.1:sp1:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_session_manager:7.0.1:sp2:*:*:*:*:*:*

cpe:2.3:a:avaya:aura_system_manager:*:*:*:*:*:*:*:* versions from 6.3 to 6.3.18 (inclusive)

cpe:2.3:a:avaya:aura_system_manager:*:*:*:*:*:*:*:* versions from 7.0 to 7.0.1.3 (inclusive)

cpe:2.3:a:avaya:aura_utility_services:*:*:*:*:*:*:*:* versions from 6.3 to 6.3.14 (inclusive)

cpe:2.3:a:avaya:aura_utility_services:*:*:*:*:*:*:*:* versions from 7.0 to 7.0.1.2 (inclusive)

cpe:2.3:a:avaya:meeting_exchange:6.2:-:*:*:*:*:*:*

cpe:2.3:a:avaya:meeting_exchange:6.2:sp3:*:*:*:*:*:*

cpe:2.3:a:avaya:message_networking:*:*:*:*:*:*:*:* versions from 5.2 to 6.3 (inclusive)

cpe:2.3:a:avaya:one-x_client_enablement_services:6.2:-:*:*:*:*:*:*

cpe:2.3:a:avaya:one-x_client_enablement_services:6.2:sp1:*:*:*:*:*:*

cpe:2.3:a:avaya:one-x_client_enablement_services:6.2:sp2:*:*:*:*:*:*

cpe:2.3:a:avaya:one-x_client_enablement_services:6.2:sp5:*:*:*:*:*:*

cpe:2.3:a:avaya:proactive_contact:*:*:*:*:*:*:*:* versions from 5.0 to 5.1.2 (inclusive)

Configuration 12

AND

OR

cpe:2.3:o:avaya:session_border_controller_for_enterprise_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:avaya:session_border_controller_for_enterprise:-:*:*:*:*:*:*:*

Configuration 13

AND

OR

cpe:2.3:o:avaya:aura_system_platform_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:avaya:aura_system_platform:-:*:*:*:*:*:*:*

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 99843 | EulerOS 2.0 SP1 : nss, nss-util (EulerOS-SA-2016-1084) | Nessus | Huawei Local Security Checks | high |
| 96643 | GLSA-201701-46 : Mozilla Network Security Service (NSS): Multiple vulnerabilities (Logjam) (SLOTH) | Nessus | Gentoo Local Security Checks | high |
| 96304 | Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : nss vulnerabilities (USN-3163-1) | Nessus | Ubuntu Local Security Checks | high |
| 95894 | Amazon Linux AMI : nss-util / nss,nss-softokn (ALAS-2016-774) | Nessus | Amazon Linux Local Security Checks | high |
| 95797 | SUSE SLES11 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2016:3105-1) | Nessus | SuSE Local Security Checks | critical |
| 95712 | SUSE SLES11 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2016:3080-1) | Nessus | SuSE Local Security Checks | critical |
| 95565 | SUSE SLED12 / SLES12 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2016:3014-1) | Nessus | SuSE Local Security Checks | critical |
| 95052 | Scientific Linux Security Update : nss and nss-util on SL5.x, SL6.x, SL7.x i386/x86_64 (20161116) | Nessus | Scientific Linux Local Security Checks | high |
| 94981 | CentOS 5 / 6 / 7 : nss / nss-util (CESA-2016:2779) | Nessus | CentOS Local Security Checks | high |
| 94927 | Oracle Linux 5 / 6 / 7 : nss / nss-util (ELSA-2016-2779) | Nessus | Oracle Linux Local Security Checks | high |
| 94912 | RHEL 5 / 6 / 7 : nss and nss-util (RHSA-2016:2779) | Nessus | Red Hat Local Security Checks | high |