Vulnerability Priority Rating (VPR)
Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks; it is a separate measure from the CVSS base score.
VPR Score: 5.9
Synopsis
The remote CentOS Linux host is missing one or more security updates.
Description
The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities in NSS (Network Security Services), as referenced in the CESA-2020:4076 advisory:
- nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)
- nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
- nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)
- nss: Missing length checks on inputs to several cryptographic primitives, which can lead to a buffer overflow when the caller does not validate input sizes (CVE-2019-17006)
- nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)
- nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)
- nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)
- nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)
- nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)
- nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)
Note that Nessus has not tested for these issues but has instead relied only on the package version and release strings reported by the host's RPM database, compared against the fixed versions in the advisory. Confirm the installed versions on the host (for example with rpm -q) before closing the finding.
Solution
Update the affected packages to the versions listed in CESA-2020:4076 (on CentOS 7, with yum update), then verify that the installed versions are at or above the fixed versions.
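Because the plugin decides purely on version strings, the practical follow-up is to compare what rpm reports with the advisory's fixed versions using RPM's own ordering rules, not a naive string or `sort -V` comparison. The script below is an added example, not Tenable's plugin code and not part of the advisory: it reimplements librpm's epoch:version-release comparison (the rpmvercmp algorithm, including the `~` and `^` rules) and applies it to `rpm -q` output. The `FIXED_EVR` table is an assumption, filled with the el7_9 builds I believe CESA-2020:4076 ships; take the authoritative list of packages and versions from the advisory text. The `SAMPLE_RPM_OUTPUT` block is constructed to exercise the check offline.

```python
"""Verify nss package versions against CESA-2020:4076 fixed versions.

Added example (not Tenable's or CentOS's code).  Collect real input with:
    rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' nss nss-util nss-softokn
"""
import re
from itertools import zip_longest

# ASSUMPTION: fixed versions as I believe the advisory lists them.  Confirm
# against CESA-2020:4076 and extend the table with every package it names.
FIXED_EVR = {
    "nss": "0:3.53.1-3.el7_9",
    "nss-util": "0:3.53.1-1.el7_9",
    "nss-softokn": "0:3.53.1-6.el7_9",
}

# Constructed sample of rpm -q output from a partially patched host.
SAMPLE_RPM_OUTPUT = """\
nss (none):3.44.0-7.el7_7
nss-util (none):3.53.1-1.el7_9
nss-softokn (none):3.44.0-8.el7_7
openssl 1:1.0.2k-19.el7
"""


def _tokens(s):
    # librpm splits on runs of digits, runs of letters, '~' and '^';
    # every other character is a separator and is ignored.
    return re.findall(r"[0-9]+|[A-Za-z]+|[~^]", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering two version/release strings like librpm.

    Digit runs compare numerically, letter runs lexically, digits beat
    letters.  '~' sorts before anything including end of string (so
    1.0~rc1 < 1.0); '^' sorts after end of string but before any other
    segment (1.0 < 1.0^post < 1.0.1).  A longer string otherwise wins.
    """
    for x, y in zip_longest(_tokens(a), _tokens(b), fillvalue=""):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x == "^" or y == "^":
            if x == "":
                return -1
            if y == "":
                return 1
            return 1 if x != "^" else -1 if y != "^" else None or 0 if False else (
                None)  # unreachable placeholder replaced below
        if x == "":
            return -1
        if y == "":
            return 1
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1          # numeric segment beats alpha
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0
```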