CVE-2021-43527
First published: Wed Nov 17 2021(Updated: )
A flaw was found in the way NSS verifies certificates. That will happen both when client reads the Certificate message from the server or when server is configured to ask for client certificates and then receives one. Firefox is not vulnerable as it uses the mozilla::pkix for certificate verification. Crucially, NSS fully parses the certificate before any other checks, so disabled signature methods or certificate types don't impact exploitability. Any TLS and DTLS client that does use NSS built in certificate verification routines is vulnerable as well as any server that has certificate based client authentication enabled. But the issue is not limited to TLS, any applications that use certificate verification are vulnerable, S/MIME is impacted too.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nss | <0:3.44.0-12.el6_10 | 0:3.44.0-12.el6_10 |
| redhat/nss | <0:3.67.0-4.el7_9 | 0:3.67.0-4.el7_9 |
| redhat/nss | <0:3.28.4-2.el7_3 | 0:3.28.4-2.el7_3 |
| redhat/nss | <0:3.28.4-18.el7_4 | 0:3.28.4-18.el7_4 |
| redhat/nss | <0:3.36.0-10.2.el7_6 | 0:3.36.0-10.2.el7_6 |
| redhat/nss | <0:3.44.0-8.el7_7 | 0:3.44.0-8.el7_7 |
| redhat/nss | <0:3.67.0-7.el8_5 | 0:3.67.0-7.el8_5 |
| redhat/nss | <0:3.44.0-10.el8_1 | 0:3.44.0-10.el8_1 |
| redhat/thunderbird | <0:91.3.0-3.el8_1 | 0:91.3.0-3.el8_1 |
| redhat/nss | <0:3.53.1-12.el8_2 | 0:3.53.1-12.el8_2 |
| redhat/thunderbird | <0:91.3.0-3.el8_2 | 0:91.3.0-3.el8_2 |
| redhat/nss | <0:3.67.0-7.el8_4 | 0:3.67.0-7.el8_4 |
| redhat/redhat-virtualization-host | <0:4.3.20-20211202.1.el7_9 | 0:4.3.20-20211202.1.el7_9 |
| Mozilla NSS | <3.68.1 | 3.68.1 |
| Mozilla NSS | <3.73 | 3.73 |
| redhat/nss | <3.73.0 | 3.73.0 |
| redhat/nss | <3.68.1 | 3.68.1 |
| Mozilla NSS | <3.73 | |
| Mozilla Nss Esr | <3.68.1 | |
| Netapp Cloud Backup | ||
| NetApp E-Series SANtricity OS Controller | >=11.0<=11.70.1 | |
| Oracle Communications Cloud Native Core Binding Support Function | =1.11.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =1.15.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =1.15.1 | |
| Oracle Communications Cloud Native Core Network Slice Selection Function | =1.8.0 | |
| Oracle Communications Policy Management | =12.6.0.0.0 | |
| Starwindsoftware Starwind San \& Nas | =v8r13 | |
| Starwindsoftware Starwind Virtual San | =v8r13-14398 |
Remedy
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1737470
- https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_73_RTM/
- https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_68_1_RTM/
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
- https://cert-portal.siemens.com/productcert/pdf/ssa-594438.pdf
- https://security.gentoo.org/glsa/202212-05
- https://security.netapp.com/advisory/ntap-20211229-0002/
- https://www.mozilla.org/security/advisories/mfsa2021-51/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.starwindsoftware.com/security/sw-20220802-0001/
- https://hg.mozilla.org/projects/nss/rev/6b3dc97a8767d9dc5c4c181597d1341d0899aa58
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2028186
- https://access.redhat.com/errata/RHSA-2021:4903
- https://access.redhat.com/errata/RHSA-2021:4904
- https://access.redhat.com/errata/RHSA-2021:4907
- https://access.redhat.com/errata/RHSA-2021:4909
- https://access.redhat.com/errata/RHSA-2021:4919
- https://access.redhat.com/errata/RHSA-2021:4932
- https://access.redhat.com/errata/RHSA-2021:4933
- https://access.redhat.com/errata/RHSA-2021:4946
- https://access.redhat.com/errata/RHSA-2021:4953
- https://access.redhat.com/errata/RHSA-2021:4954
- https://access.redhat.com/errata/RHSA-2021:4969
- https://access.redhat.com/errata/RHSA-2021:4994
- https://access.redhat.com/errata/RHSA-2021:5006
- https://access.redhat.com/errata/RHSA-2021:5035
- https://access.redhat.com/security/cve/cve-2021-43527
- https://bugzilla.redhat.com/show_bug.cgi?id=2024370
- https://www.cve.org/CVERecord?id=CVE-2021-43527 https://nvd.nist.gov/vuln/detail/CVE-2021-43527 https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-43527?
CVE-2021-43527 is a remote code execution vulnerability in NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR.
What is the severity of CVE-2021-43527?
The severity of CVE-2021-43527 is critical with a CVSS score of 9.8.
Which applications are likely to be impacted by CVE-2021-43527?
Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted by CVE-2021-43527.
How can I fix CVE-2021-43527?
To fix CVE-2021-43527, upgrade NSS to version 3.73.0 or 3.68.1 ESR.
Where can I find more information about CVE-2021-43527?
You can find more information about CVE-2021-43527 at the following references: [Link 1](https://bugzilla.mozilla.org/show_bug.cgi?id=1737470), [Link 2](https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_73_RTM/), [Link 3](https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_68_1_RTM/).
- collector/redhat-cve
- collector/mozilla-advisory
- vendor/mozilla
- product/nss
- canonical/mozilla nss
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/weakness
- agent/references
- agent/author
- agent/severity
- agent/remedy
- source/Mozilla
- agent/software-canonical-lookup
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-43527
- agent/event
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- canonical/mozilla nss esr
- vendor/netapp
- canonical/netapp cloud backup
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0
- version/netapp e-series santricity os controller/11.70.1
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/1.11.0
- canonical/oracle communications cloud native core network repository function
- version/oracle communications cloud native core network repository function/1.15.0
- version/oracle communications cloud native core network repository function/1.15.1
- canonical/oracle communications cloud native core network slice selection function
- version/oracle communications cloud native core network slice selection function/1.8.0
- canonical/oracle communications policy management
- version/oracle communications policy management/12.6.0.0.0
- vendor/starwindsoftware
- canonical/starwindsoftware starwind san \& nas
- version/starwindsoftware starwind san \& nas/v8r13
- canonical/starwindsoftware starwind virtual san
- version/starwindsoftware starwind virtual san/v8r13-14398