CVE-2016-1978
Public on 2016-03-13
Modified on 2016-05-18
Description
A use-after-free flaw was found in the way NSS handled DHE (Diffie–Hellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | nspr | 2016-05-18 | ALAS-2016-702 | Fixed |
| Amazon Linux 1 | nss | 2016-05-18 | ALAS-2016-702 | Fixed |
| Amazon Linux 1 | nss-softokn | 2016-05-18 | ALAS-2016-702 | Fixed |
| Amazon Linux 1 | nss-util | 2016-05-18 | ALAS-2016-702 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv2 | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| NVD | CVSSv2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| NVD | CVSSv3 | 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |