First published: Tue Jan 22 2019
A NULL pointer dereference issue was found in several CMS functions. Specially crafted data could possibly crash NSS. External References: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/nspr | <0:4.21.0-2.el8_0 | 0:4.21.0-2.el8_0 |
redhat/nss | <0:3.44.0-7.el8_0 | 0:3.44.0-7.el8_0 |
redhat/nss | <3.41.1 | 3.41.1 |
Siemens RUGGEDCOM ROX MX5000 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX1400 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX1500 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX1501 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX1510 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX1511 | <2.14.0 | 2.14.0 |
Siemens RUGGEDCOM ROX RX500 | <2.14.0 | 2.14.0 |
Mozilla Network Security Services | <3.36.7 | |
Mozilla Network Security Services | >=3.41<3.41.1 | |
Siemens Ruggedcom Rox Mx5000 Firmware | <2.14.0 | |
Siemens RUGGEDCOM ROX MX5000 | ||
Siemens Ruggedcom Rox Rx1400 Firmware | <2.14.0 | |
Siemens RUGGEDCOM ROX RX1400 | ||
Siemens Ruggedcom Rox Rx1500 Firmware | <2.14.0 | |
Siemens RUGGEDCOM ROX RX1500 | ||
Siemens Ruggedcom Rox Rx1501 Firmware | <2.14.0 | |
Siemens RUGGEDCOM ROX RX1501 | ||
Siemens Ruggedcom Rox Rx1510 Firmware | <2.14.0 | |
Siemens RUGGEDCOM ROX RX1510 | ||
Siemens Ruggedcom Rox Rx1511 Firmware | <2.14.0 | |
Siemens RUGGEDCOM ROX RX1511 | ||
Siemens Ruggedcom Rox Rx1512 Firmware | <2.14.0 | |
Siemens RUGGEDCOM ROX RX1512 | ||
Siemens Ruggedcom Rox Rx5000 Firmware | <2.14.0 | |
Siemens Ruggedcom Rox Rx5000 | ||
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |
This issue only affects applications compiled against NSS that use the CMS (Cryptographic Message Syntax) API. Other applications are not affected.
The vulnerability ID is CVE-2018-18508.
The severity of CVE-2018-18508 is medium with a CVSS score of 6.5.
Versions before 3.36.7 and before 3.41.1 of Network Security Services (NSS) are affected by CVE-2018-18508.
A malformed signature can trigger a NULL pointer dereference in the Network Security Services (NSS) library, causing a crash.
To fix CVE-2018-18508, update to version 3.41.1 or later of Network Security Services (NSS).