Vulnerability Description
NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS ESR < 3.68.1.
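The bug class described above, as an added illustration written for this page rather than taken from NSS: a DER-encoded DSA signature (SEQUENCE of two INTEGERs, r and s) is decoded and its components copied into a fixed-size buffer, once trusting the attacker-controlled component lengths and once bounding them against the buffer. The component width, buffer size, struct and function names are assumptions for the illustration and are not NSS identifiers; the two sample signatures are constructed. Only the checked decoder is safe to run on untrusted input.

```c
/* Added illustration of the CVE-2021-43527 bug class; not NSS source code.
 * Names, sizes and sample signatures below are assumptions for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DSA_COMPONENT_LEN 20                 /* assumed: 160-bit q, so r and s are 20 bytes */
#define RAW_SIG_LEN (2 * DSA_COMPONENT_LEN)  /* fixed-size destination, like a union member */

struct vfy_ctx { uint8_t raw[RAW_SIG_LEN]; };  /* assumed verification context */

/* Parse a DER length (short form, or long form of one or two bytes).
 * Returns header bytes consumed, 0 on malformed input. */
static size_t der_len(const uint8_t *p, size_t avail, size_t *len) {
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }
    size_t n = p[0] & 0x7f;
    if (n == 0 || n > 2 || avail < 1 + n) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    if (v < 0x80) return 0;                      /* DER forbids non-minimal lengths */
    *len = v;
    return 1 + n;
}

/* Locate the magnitude bytes of a DER INTEGER (sign-padding byte stripped).
 * Returns total bytes consumed, 0 on malformed, negative or zero values. */
static size_t der_uint(const uint8_t *p, size_t avail, const uint8_t **val, size_t *vlen) {
    size_t len, hdr;
    if (avail < 2 || p[0] != 0x02) return 0;
    hdr = der_len(p + 1, avail - 1, &len);
    if (hdr == 0 || len == 0 || avail - 1 - hdr < len) return 0;
    *val = p + 1 + hdr;
    *vlen = len;
    if ((*val)[0] & 0x80) return 0;                                   /* negative */
    if (len > 1 && (*val)[0] == 0 && !((*val)[1] & 0x80)) return 0;   /* non-minimal */
    if ((*val)[0] == 0) { (*val)++; (*vlen)--; }
    if (*vlen == 0) return 0;                                         /* r or s == 0 is invalid */
    return 1 + hdr + len;
}

/* Walk SEQUENCE { r, s } and reject trailing or missing data. 0 on success, -1 otherwise. */
static int der_sig_parts(const uint8_t *der, size_t n,
                         const uint8_t **r, size_t *rl, const uint8_t **s, size_t *sl) {
    size_t len, hdr, used;
    if (n < 2 || der[0] != 0x30) return -1;
    hdr = der_len(der + 1, n - 1, &len);
    if (hdr == 0 || len != n - 1 - hdr) return -1;
    const uint8_t *body = der + 1 + hdr;
    used = der_uint(body, len, r, rl);
    if (used == 0) return -1;
    if (der_uint(body + used, len - used, s, sl) != len - used) return -1;
    return 0;
}

/* Bug class: the component lengths come from the signature itself and are
 * never compared with the destination size, so an oversized r or s makes the
 * offset arithmetic and memcpy write outside ctx->raw. Never use on untrusted data. */
int sig_decode_unchecked(struct vfy_ctx *ctx, const uint8_t *der, size_t n) {
    const uint8_t *r, *s; size_t rl, sl;
    if (der_sig_parts(der, n, &r, &rl, &s, &sl) != 0) return -1;
    memset(ctx->raw, 0, sizeof ctx->raw);
    memcpy(ctx->raw + (DSA_COMPONENT_LEN - rl), r, rl);   /* rl unbounded */
    memcpy(ctx->raw + (RAW_SIG_LEN - sl), s, sl);         /* sl unbounded */
    return 0;
}

/* Hardened: reject any component wider than the key's component length before
 * copying, then right-align each into its half of the fixed buffer. */
int sig_decode_checked(struct vfy_ctx *ctx, const uint8_t *der, size_t n) {
    const uint8_t *r, *s; size_t rl, sl;
    if (der_sig_parts(der, n, &r, &rl, &s, &sl) != 0) return -1;
    if (rl > DSA_COMPONENT_LEN || sl > DSA_COMPONENT_LEN) return -2;  /* the missing check */
    memset(ctx->raw, 0, sizeof ctx->raw);
    memcpy(ctx->raw + (DSA_COMPONENT_LEN - rl), r, rl);
    memcpy(ctx->raw + (RAW_SIG_LEN - sl), s, sl);
    return 0;
}

/* Constructed samples: r = 0x80 followed by 19 bytes of 0x11 (needs a 00 pad byte), s = 5. */
const uint8_t SAMPLE_SIG_OK[] = {
    0x30, 0x1a, 0x02, 0x15, 0x00, 0x80, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x02, 0x01, 0x05 };
/* Constructed: r has 21 significant bytes, one more than the assumed component width. */
const uint8_t SAMPLE_SIG_OVERSIZED[] = {
    0x30, 0x1a, 0x02, 0x15, 0x01, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
    0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x02, 0x01, 0x05 };

int main(void) {
    struct vfy_ctx c;
    printf("well-formed: %d\n", sig_decode_checked(&c, SAMPLE_SIG_OK, sizeof SAMPLE_SIG_OK));
    printf("oversized r: %d\n", sig_decode_checked(&c, SAMPLE_SIG_OVERSIZED, sizeof SAMPLE_SIG_OVERSIZED));
    return 0;
}
```

The DER walk is the same in both decoders; the only difference is the comparison of `rl` and `sl` against the fixed component width before the copies, which is exactly the kind of check a fixed-size destination needs whenever the source length is derived from attacker-supplied ASN.1.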
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Nss | < 3.73 |
| Mozilla | Nss Esr | < 3.68.1 |
| Netapp | Cloud Backup | - |
| Netapp | E-Series Santricity Os Controller | >= 11.0, <= 11.70.1 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.11.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.15.0 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 |
| Oracle | Communications Policy Management | 12.6.0.0.0 |
| Starwindsoftware | Starwind San & Nas | v8r13 |
| Starwindsoftware | Starwind Virtual San | v8r13 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1737470 (Issue Tracking, Permissions Required, Vendor Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-594438.pdf (Third Party Advisory)
- https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_68_1_RTM/ (Vendor Advisory)
- https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_73_RTM/ (Vendor Advisory)
- https://security.gentoo.org/glsa/202212-05 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20211229-0002/ (Third Party Advisory)
- https://www.mozilla.org/security/advisories/mfsa2021-51/ (Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.starwindsoftware.com/security/sw-20220802-0001/ (Third Party Advisory)
FAQ
What is CVE-2021-43527?
CVE-2021-43527 is a vulnerability with a CVSS score of 9.8 (CRITICAL). NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications that use NSS to handle signatures in CMS, S/MIME, PKCS #7 or PKCS #12 are likely to be impacted; Firefox is not. See the full description above.
How severe is CVE-2021-43527?
CVE-2021-43527 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-43527?
Yes. The fix shipped in NSS 3.73 and NSS ESR 3.68.1 (see the NSS_3_73_RTM and NSS_3_68_1_RTM release notes and MFSA 2021-51 in the references above); downstream vendors ship their own updates, so check the vendor advisories for the products listed. Affected products include: Mozilla Nss, Mozilla Nss Esr, Netapp Cloud Backup, Netapp E-Series Santricity Os Controller, Oracle Communications Cloud Native Core Binding Support Function.