Vulnerability Description
A Null pointer dereference vulnerability exists in Mozilla Network Security Services due to a missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime, which could let a remote malicious user cause a Denial of Service.
CVSS Score
HIGH (CVSS base score 7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Nss | < 3.26 |
| Debian | Debian Linux | 8.0 |
| Redhat | Enterprise Linux | 5.0 |
| Suse | Linux Enterprise Server | 11 |
| Avaya | Aura Application Enablement Services | >= 6.1, <= 6.3.3 |
| Avaya | Aura Application Server 5300 | 3.0 |
| Avaya | Aura Communication Manager | >= 6.0, <= 6.3.117.0 |
| Avaya | Aura Communication Manager Messaging | 7.0 |
| Avaya | Breeze Platform | >= 3.0, <= 3.2 |
| Avaya | Call Management System | >= 18.0.0.1, <= 18.0.0.2 |
| Avaya | Iq | 5.2.x |
| Avaya | Cs1000E Firmware | >= 7.0, <= 7.6 |
| Avaya | Cs1000E | - |
| Avaya | Cs1000M Firmware | >= 7.0, <= 7.6 |
| Avaya | Cs1000M | - |
| Avaya | Cs1000E/Cs1000M Signaling Server Firmware | >= 7.0, <= 7.6 |
| Avaya | Cs1000E/Cs1000M Signaling Server | - |
| Avaya | Aura Conferencing | 7.0 |
| Avaya | Aura Experience Portal | >= 6.0, <= 7.1 |
| Avaya | Ip Office | 8.1 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00037.html
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00049.html
- http://rhn.redhat.com/errata/RHSA-2016-2779.html
- http://www.securityfocus.com/bid/94349
- http://www.ubuntu.com/usn/USN-3163-1
- https://bto.bluecoat.com/security-advisory/sa137
- https://bugzilla.mozilla.org/show_bug.cgi?id=1306103
- https://security.gentoo.org/glsa/201701-46
FAQ
What is CVE-2016-5285?
CVE-2016-5285 is a vulnerability with a CVSS score of 7.5 (HIGH). A Null pointer dereference vulnerability exists in Mozilla Network Security Services due to a missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime, which could let a remote ma...
How severe is CVE-2016-5285?
CVE-2016-5285 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-5285?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Nss, Debian Debian Linux, Redhat Enterprise Linux, Suse Linux Enterprise Server, Avaya Aura Application Enablement Services.