Executive Summary

Information
Name: CVE-2014-1544
First vendor Publication: 2014-07-23
Vendor: Cve
Last vendor Modification: 2017-01-06

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score: 10
Attack Range: Network
Cvss Impact Score: 10
Attack Complexity: Low
Cvss Exploit Score: 10
Authentication: None Required

Detail

Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1544

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:24914
 
Oval ID: oval:org.mitre.oval:def:24914
Title: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.
Description: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1544
Version: 7
Platform(s): Microsoft Windows Server 2012 R2
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows 8
Microsoft Windows Server 2008 R2
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25335
 
Oval ID: oval:org.mitre.oval:def:25335
Title: RHSA-2014:0916: nss and nspr security update (Critical)
Description: Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A race condition was found in the way NSS verified certain certificates. A remote attacker could use this flaw to crash an application using NSS or, possibly, execute arbitrary code with the privileges of the user running that application. (CVE-2014-1544) Red Hat would like to thank the Mozilla project for reporting CVE-2014-1544. Upstream acknowledges Tyson Smith and Jesse Schwartzentruber as the original reporters. Users of NSS and NSPR are advised to upgrade to these updated packages, which correct this issue. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0916-00
CESA-2014:0916
CVE-2014-1544
Version: 3
Platform(s): Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 5
CentOS Linux 5
CentOS Linux 7
Product(s): nspr
nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26268
 
Oval ID: oval:org.mitre.oval:def:26268
Title: USN-2343-1 -- nss vulnerability
Description: NSS could be made to crash or run programs as your login if it processed a specially crafted certificate.
Family: unix Class: patch
Reference(s): USN-2343-1
CVE-2014-1544
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 12.04
Ubuntu 10.04
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27274
 
Oval ID: oval:org.mitre.oval:def:27274
Title: ELSA-2014-0916 -- nss and nspr security update (critical)
Description: nspr [4.10.2-4] - Rebase to nspr-4.10.6 - Resolves: Bug 1116199 [4.10.2-3] - Retagging - Resolves: rhbz#1032466 nss [3.15.3-7] - Remove an unused patch - Related: Bug 1116199 [3.15.3-6] - Fix race-condition in certificate validation - Resolves: Bug 1116199 [3.15.3-5] - Remove two unused patches - Resolves: Bug 1042683 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)
Family: unix Class: patch
Reference(s): ELSA-2014-0916
CVE-2014-1544
Version: 3
Platform(s): Oracle Linux 5
Product(s): nspr
nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27684
 
Oval ID: oval:org.mitre.oval:def:27684
Title: DSA-3071-1 -- nss security update
Description: In nss, a set of libraries designed to support cross-platform development of security-enabled client and server applications, Tyson Smith and Jesse Schwartzentruber discovered a use-after-free vulnerability that allows remote attackers to execute arbitrary code by triggering the improper removal of an NSSCertificate structure from a trust domain.
Family: unix Class: patch
Reference(s): DSA-3071-1
CVE-2014-1544
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): nss
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application340
Application10
Application51
Application151

Information Assurance Vulnerability Management (IAVM)

Date Description
2014-07-24 IAVM : 2014-A-0113 - Multiple Vulnerabilities in Mozilla Products
Severity : Category I - VMSKEY : V0053309

Nessus® Vulnerability Scanner

Date Description
2016-05-18 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL16716.nasl - Type : ACT_GATHER_INFO
2015-04-08 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201504-01.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-89.nasl - Type : ACT_GATHER_INFO
2015-03-19 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-059.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_firefox_20141216.nasl - Type : ACT_GATHER_INFO
2014-11-12 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3071.nasl - Type : ACT_GATHER_INFO
2014-11-11 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0915.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2014-0979.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1165.nasl - Type : ACT_GATHER_INFO
2014-10-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-385.nasl - Type : ACT_GATHER_INFO
2014-09-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2343-1.nasl - Type : ACT_GATHER_INFO
2014-08-12 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-487.nasl - Type : ACT_GATHER_INFO
2014-08-04 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2996.nasl - Type : ACT_GATHER_INFO
2014-08-04 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_firefox-201407-140729.nasl - Type : ACT_GATHER_INFO
2014-08-04 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_firefox-201407-140730.nasl - Type : ACT_GATHER_INFO
2014-08-01 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-476.nasl - Type : ACT_GATHER_INFO
2014-07-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-139.nasl - Type : ACT_GATHER_INFO
2014-07-30 Name : The remote openSUSE host is missing a security update.
File : suse_12_3_openSUSE-2014--140725.nasl - Type : ACT_GATHER_INFO
2014-07-30 Name : The remote openSUSE host is missing a security update.
File : suse_13_1_openSUSE-2014--140725.nasl - Type : ACT_GATHER_INFO
2014-07-26 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2986.nasl - Type : ACT_GATHER_INFO
2014-07-24 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_978b0f76122d11e4afe3bc5ff4fb5e7b.nasl - Type : ACT_GATHER_INFO
2014-07-24 Name : The remote Mac OS X host contains a web browser that is affected by multiple ...
File : macosx_firefox_24_7_esr.nasl - Type : ACT_GATHER_INFO
2014-07-24 Name : The remote Mac OS X host contains a web browser that is affected by multiple ...
File : macosx_firefox_31.nasl - Type : ACT_GATHER_INFO
2014-07-24 Name : The remote Mac OS X host contains a mail client that is affected by multiple ...
File : macosx_thunderbird_24_7.nasl - Type : ACT_GATHER_INFO
2014-07-24 Name : The remote Mac OS X host contains a mail client that is affected by multiple ...
File : macosx_thunderbird_31_0.nasl - Type : ACT_GATHER_INFO
2014-07-24 Name : The remote Windows host contains a web browser that is affected by multiple v...
File : mozilla_firefox_24_7_esr.nasl - Type : ACT_GATHER_INFO
2014-07-24 Name : The remote Windows host contains a web browser that is affected by multiple v...
File : mozilla_firefox_31.nasl - Type : ACT_GATHER_INFO
2014-07-24 Name : The remote Windows host contains a mail client that is affected by multiple v...
File : mozilla_thunderbird_24_7.nasl - Type : ACT_GATHER_INFO
2014-07-24 Name : The remote Windows host contains a mail client that is affected by multiple v...
File : mozilla_thunderbird_31_0.nasl - Type : ACT_GATHER_INFO
2014-07-24 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0916.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0916.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0916.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140722_nss_and_nspr_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140722_nss_and_nspr_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2295-1.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2296-1.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
BID http://www.securityfocus.com/bid/68816
CONFIRM http://www.mozilla.org/security/announce/2014/mfsa2014-63.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546....
https://bugzilla.mozilla.org/show_bug.cgi?id=963150
DEBIAN http://www.debian.org/security/2014/dsa-2986
http://www.debian.org/security/2014/dsa-2996
GENTOO https://security.gentoo.org/glsa/201504-01
SECTRACK http://www.securitytracker.com/id/1030617
SECUNIA http://secunia.com/advisories/59591
http://secunia.com/advisories/59719
http://secunia.com/advisories/59760
http://secunia.com/advisories/60083
http://secunia.com/advisories/60486
http://secunia.com/advisories/60621
http://secunia.com/advisories/60628

Alert History

Date Information
2017-11-22 12:05:56
  • Multiple Updates
2017-01-07 09:25:21
  • Multiple Updates
2016-12-22 09:23:37
  • Multiple Updates
2016-11-29 00:24:51
  • Multiple Updates
2016-10-04 09:24:03
  • Multiple Updates
2016-09-09 09:23:17
  • Multiple Updates
2016-06-30 21:37:25
  • Multiple Updates
2016-06-28 22:35:54
  • Multiple Updates
2016-05-19 13:27:02
  • Multiple Updates
2016-04-27 00:15:29
  • Multiple Updates
2015-04-09 13:28:53
  • Multiple Updates
2015-03-27 13:28:06
  • Multiple Updates
2015-03-20 13:28:50
  • Multiple Updates
2015-01-21 13:26:43
  • Multiple Updates
2014-11-14 13:27:30
  • Multiple Updates
2014-11-13 13:26:59
  • Multiple Updates
2014-11-12 13:27:07
  • Multiple Updates
2014-11-08 13:31:38
  • Multiple Updates
2014-10-12 13:27:11
  • Multiple Updates
2014-09-11 13:25:41
  • Multiple Updates
2014-08-13 13:24:43
  • Multiple Updates
2014-08-05 13:25:51
  • Multiple Updates
2014-08-02 13:24:17
  • Multiple Updates
2014-07-31 13:25:12
  • Multiple Updates
2014-07-27 13:27:02
  • Multiple Updates
2014-07-26 00:20:32
  • Multiple Updates
2014-07-25 13:21:41
  • Multiple Updates
2014-07-24 13:25:27
  • Multiple Updates
2014-07-23 21:25:00
  • Multiple Updates
2014-07-23 17:22:30
  • First insertion