Oracle iPlanet Web Server 7.0.x < 7.0.21 NSS Signature Verification Vulnerability

High Nessus Plugin ID 82995


The remote web server is affected by a signature forgery vulnerability.


According to its self-reported version, the Oracle iPlanet Web Server (formerly known as Sun Java System Web Server) running on the remote host is 7.0.x prior to 7.0.21. It is, therefore, affected by a flaw in the Network Security Services (NSS) library due to improper parsing of ASN.1 values in an RSA signature. A man-in-the-middle attacker, using a crafted certificate, can exploit this to forge RSA signatures, such as those on SSL certificates.


Upgrade to Oracle iPlanet Web Server 7.0.21 or later.

Plugin Details

Severity: High

ID: 82995

File Name: sun_java_web_server_7_0_21.nasl

Version: 1.9

Type: remote

Family: Web Servers

Published: 2015/04/22

Modified: 2016/05/17

Dependencies: 85271

Risk Information

Risk Factor: High


Base Score: 8.8

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

Vulnerability Information

CPE: cpe:/a:oracle:iplanet_web_server, cpe:/a:mozilla:network_security_services

Required KB Items: installed_sw/Oracle iPlanet Web Server/

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/04/14

Vulnerability Publication Date: 2014/09/24

Reference Information

CVE: CVE-2014-1568

BID: 70116

OSVDB: 112036

CERT: 772676