A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 22.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5892-1 advisory.

  - A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user     certificate in the database and this can lead us to a segmentation fault or crash. (CVE-2022-3479)

  - An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory     writes via PKCS 12 Safe Bag attributes being mishandled.  (CVE-2023-0767)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0130-1 advisory.

  - Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL     certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from     TrustCor from the root store. These are in the process of being removed from Mozilla's trust store.
    TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting     that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's     investigation can be found in the linked google group discussion. (CVE-2022-23491)

  - A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user     certificate in the database and this can lead us to a segmentation fault or crash. (CVE-2022-3479)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0119-1 advisory.

  - Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL     certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from     TrustCor from the root store. These are in the process of being removed from Mozilla's trust store.
    TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting     that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's     investigation can be found in the linked google group discussion. (CVE-2022-23491)

  - A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user     certificate in the database and this can lead us to a segmentation fault or crash. (CVE-2022-3479)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0118-1 advisory.

  - Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL     certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from     TrustCor from the root store. These are in the process of being removed from Mozilla's trust store.
    TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting     that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's     investigation can be found in the linked google group discussion. (CVE-2022-23491)

  - A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user     certificate in the database and this can lead us to a segmentation fault or crash. (CVE-2022-3479)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202212-05 (Mozilla Network Security Service (NSS):
Multiple Vulnerabilities)

  - NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow     when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures     encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for     certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how     they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and     PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and     Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.
    (CVE-2021-43527)

  - A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user     certificate in the database and this can lead us to a segmentation fault or crash. (CVE-2022-3479)

  - <code>NSSToken</code> objects were referenced via direct points, and could have been accessed in an unsafe     way on different threads, leading to a use-after-free and potentially exploitable crash.  (CVE-2022-1097)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of mozilla-nss installed on the remote host is prior to 3.84. It is, therefore, affected by a vulnerability as referenced in the SSA:2022-307-01 advisory.

  - A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user     certificate in the database and this can lead us to a segmentation fault or crash. (CVE-2022-3479)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
171951	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : NSS vulnerabilities (USN-5892-1)	Nessus	Ubuntu Local Security Checks	high
170616	SUSE SLES15 Security Update : mozilla-nss (SUSE-SU-2023:0130-1)	Nessus	SuSE Local Security Checks	high
170253	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : mozilla-nss (SUSE-SU-2023:0119-1)	Nessus	SuSE Local Security Checks	high
170241	SUSE SLES12 Security Update : mozilla-nss (SUSE-SU-2023:0118-1)	Nessus	SuSE Local Security Checks	high
168908	GLSA-202212-05 : Mozilla Network Security Service (NSS): Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
166949	Slackware Linux 15.0 / current mozilla-nss Vulnerability (SSA:2022-307-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2022-3479

high

Tenable Plugins

high

high

high

high

critical

high