Vulnerability Description
Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.
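Added example (not NSS code and not the referenced patch): the description does not name the value involved, so this sketch assumes the standard finite-field public-value check, a range of 2 to p-2 plus subgroup membership when the subgroup order q is known. The toy group `P`, `Q`, `G` and all function names are constructed for illustration.

```python
# Added example: validating a peer's finite-field DH public value.
# P, Q, G form a constructed toy group (P = 2Q + 1), far too small for real use.
P, Q, G = 2039, 1019, 4

def validate_dh_public(y, p, q=None):
    """Return True only if y is an acceptable peer public value mod p."""
    # Range check: rejects 0, 1, p-1 and anything not reduced mod p.
    if not isinstance(y, int) or not 2 <= y <= p - 2:
        return False
    # Subgroup check (only possible when the subgroup order q is known).
    if q is not None and pow(y, q, p) != 1:
        return False
    return True

def unchecked_shared_secret(peer_y, private_x, p):
    """The 'before' behaviour: use whatever the peer sent."""
    return pow(peer_y, private_x, p)

def shared_secret(peer_y, private_x, p, q=None):
    """The hardened form: refuse to derive a key from a bad public value."""
    if not validate_dh_public(peer_y, p, q):
        raise ValueError("rejected DH public value")
    return pow(peer_y, private_x, p)

def secrets_without_check(peer_y, p, private_keys):
    """Set of shared secrets the unchecked path yields across private keys."""
    return {unchecked_shared_secret(peer_y, x, p) for x in private_keys}

if __name__ == "__main__":
    keys = range(2, 200)  # constructed stand-ins for local private exponents
    for label, y in [("0", 0), ("1", 1), ("p-1", P - 1), ("p+1", P + 1),
                     ("honest", pow(G, 77, P))]:
        outcomes = secrets_without_check(y, P, keys)
        print(f"y={label:7} accepted={validate_dh_public(y, P, Q)!s:5} "
              f"distinct unchecked secrets={len(outcomes)}")
```

Without the check, the degenerate public values collapse the shared secret to at most two possibilities regardless of the local private key, which is why they have to be rejected before key derivation.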
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 24.3 |
| Mozilla | Network Security Services | < 3.15.4 |
| Mozilla | SeaMonkey | < 2.24 |
| Mozilla | Thunderbird | < 24.3.0 |
| Oracle | Enterprise Manager Ops Center | < 12.1.4 |
| Oracle | VM Server | 3.2 |
| Fedora Project | Fedora | 19 |
| openSUSE | openSUSE | 11.4 |
| SUSE | Linux Enterprise Desktop | 11 |
| SUSE | Linux Enterprise Server | 11 |
| SUSE | Linux Enterprise Software Development Kit | 11 |
| Debian | Debian Linux | 7.0 |
| Canonical | Ubuntu Linux | 12.04 |
Related Weaknesses (CWE)
References
- http://hg.mozilla.org/projects/nss/rev/12c42006aed8 (Patch, Vendor Advisory)
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 (Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.h (Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.h (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2014/Dec/23 (Not Applicable)
- http://secunia.com/advisories/56858 (Third Party Advisory)
- http://secunia.com/advisories/56888 (Third Party Advisory)
- http://secunia.com/advisories/56922 (Third Party Advisory)
- http://www.debian.org/security/2014/dsa-2858 (Third Party Advisory)
- http://www.debian.org/security/2014/dsa-2994 (Third Party Advisory)
- http://www.mozilla.org/security/announce/2014/mfsa2014-12.html (Third Party Advisory, Vendor Advisory)
FAQ
What is CVE-2014-1491?
CVE-2014-1491 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does no...
How severe is CVE-2014-1491?
CVE-2014-1491 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-1491?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Network Security Services, Mozilla SeaMonkey, Mozilla Thunderbird, Oracle Enterprise Manager Ops Center.