Oracle iPlanet Web Server 7.0.x < 7.0.23 NSS ASN.1 Decoder RCE (April 2016 CPU)
Critical Nessus Plugin ID 90628
Synopsis
The remote web server is affected by a remote code execution vulnerability.

Description
According to its self-reported version, the Oracle iPlanet Web Server (formerly known as Sun Java System Web Server) running on the remote host is 7.0.x prior to 7.0.23. It is, therefore, affected by a heap buffer overflow condition in the ASN.1 decoder in the Network Security Services (NSS) library. A remote attacker can exploit this, via crafted OCTET STRING data, to cause a denial of service or to execute arbitrary code.

Solution
Upgrade to Oracle iPlanet Web Server version 7.0.23 or later as referenced in the April 2016 Oracle Critical Patch Update advisory.
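The plugin's check is a self-reported version comparison against the 7.0.23 fix level. The following is an added example of that check, not Tenable's plugin code: it assumes the server announces itself in a Server header of the form Oracle-iPlanet-Web-Server/7.0.x (or the older Sun-Java-System-Web-Server prefix), compares versions numerically rather than as strings, and reports a banner that omits the patch level as inconclusive rather than guessing.

```python
import re

# Fix level from the advisory: 7.0.x builds below 7.0.23 are affected.
FIXED_VERSION = (7, 0, 23)

# Assumed banner format; older builds used the Sun-Java-System prefix.
BANNER_RE = re.compile(
    r"^(?:Oracle-iPlanet|Sun-Java-System)-Web-Server/(\d+(?:\.\d+)*)"
)

# Constructed sample Server header values, not captured from a real host.
SAMPLE_BANNERS = [
    "Oracle-iPlanet-Web-Server/7.0.15",
    "Oracle-iPlanet-Web-Server/7.0.9",
    "Oracle-iPlanet-Web-Server/7.0.23",
    "Sun-Java-System-Web-Server/7.0",
    "Apache/2.4.18",
]


def parse_version(banner):
    """Return the version as a tuple of ints, or None if not an iPlanet banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(banner):
    """True/False for a conclusive 7.0.x check; None when the banner cannot decide.

    Tuple comparison is deliberate: a string compare would rank "7.0.9"
    above "7.0.23" and miss an affected host.
    """
    version = parse_version(banner)
    if version is None:
        return None  # not an iPlanet/Sun web server, or no version disclosed
    if version[:2] != (7, 0):
        return False  # advisory covers the 7.0.x branch only
    if len(version) < 3:
        return None  # "7.0" does not disclose the patch level; needs manual review
    return version < FIXED_VERSION


def flagged_banners(banners):
    """Return only the banners that conclusively indicate an affected build."""
    return [b for b in banners if is_vulnerable(b) is True]
```

Because the result rests on what the server chooses to announce, treat a hit as a prompt to confirm the installed patch level on the host, and an inconclusive result as a reason to check there too.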