製品・ソフトウェアに関する情報

JVN脆弱性詳細

Mozilla Network Security Services の libssl における SSL サーバになりすまされる脆弱性

Title	Mozilla Network Security Services の libssl における SSL サーバになりすまされる脆弱性
Summary	Mozilla Network Security Services (NSS) の libssl の sslsecur.c 内の ssl_Do1stHandshake 関数には、TLS False Start 機能が有効な場合、SSL サーバになりすまされる脆弱性が存在します。
Possible impacts	中間者攻撃 (man-in-the-middle attack) により、特定のハンドシェイクトラフィックの間、任意の X.509 証明書を使用されることで、SSL サーバになりすまされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 23, 2013, midnight
Registration Date	Jan. 22, 2014, 2:16 p.m.
Last Update	Jan. 29, 2016, 4:29 p.m.

CVSS2.0 : 警告
Score	5.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:N

Affected System

オラクル

Oracle Communications Applications の Oracle Communications Messaging Server 7.0.5.30.0 およびそれ以前

Oracle Enterprise Manager Ops Center 12.1.4 未満

Oracle Enterprise Manager Ops Center 12.2.0

Oracle Enterprise Manager Ops Center 12.2.1

Oracle Enterprise Manager Ops Center 12.3.0

Oracle Enterprise Manager Ops Center 12.1.4 未満

Oracle Enterprise Manager Ops Center 12.2.0

Oracle Enterprise Manager Ops Center 12.2.1

Oracle Enterprise Manager Ops Center 12.3.0

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 11.1.1.7

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 7.0

Oracle Fusion Middleware の Oracle OpenSSO 3.0-04

Oracle Fusion Middleware の Oracle Traffic Director 11.1.1.7.0

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 11.1.1.7

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 7.0

Oracle Fusion Middleware の Oracle OpenSSO 3.0-04

Oracle Fusion Middleware の Oracle Traffic Director 11.1.1.7.0

Oracle GlassFish Server 2.1.1

Oracle iPlanet Web Proxy Server 4.0.24

Oracle iPlanet Web Server 6.1

Oracle iPlanet Web Server 7.0

Oracle iPlanet Web Server 6.1

Oracle iPlanet Web Server 7.0

Mozilla Foundation

Mozilla Network Security Services (NSS) 3.15.4 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-1740	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1740
2	CVE-2013-1740	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1740
National Vulnerability Database (NVD)
3	CVE-2013-1740	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1740
4	CVE-2013-1740	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1740

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html
2	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html

ベンダー情報

No	Name	URL
Gentoo's Bugzilla
1	Bug 498172	https://bugs.gentoo.org/show_bug.cgi?id=498172
2	Bug 498172	https://bugs.gentoo.org/show_bug.cgi?id=498172
Mozilla Bugzilla
3	Bug 919877	https://bugzilla.mozilla.org/show_bug.cgi?id=919877
4	Bug 919877	https://bugzilla.mozilla.org/show_bug.cgi?id=919877
Mozilla Developer Network
5	NSS 3.15.4 release notes	https://developer.mozilla.org/ja/docs/NSS/NSS_3.15.4_release_notes
6	NSS 3.15.4 release notes	https://developer.mozilla.org/ja/docs/NSS/NSS_3.15.4_release_notes
Oracle Critical Patch Update
7	Oracle Critical Patch Update Advisory - January 2015	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
8	Oracle Critical Patch Update Advisory - January 2015	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
9	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
10	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
11	Oracle Critical Patch Update Advisory - July 2014	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
12	Oracle Critical Patch Update Advisory - July 2014	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
13	Oracle Critical Patch Update Advisory - October 2014	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
14	Oracle Critical Patch Update Advisory - October 2014	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
15	Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html
16	Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html
17	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
18	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
19	Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2014verbose-1972958.html
20	Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2014verbose-1972958.html
21	Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html
22	Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html
Red Hat Bugzilla
23	Bug 1053725	https://bugzilla.redhat.com/show_bug.cgi?id=1053725
24	Bug 1053725	https://bugzilla.redhat.com/show_bug.cgi?id=1053725
SECURITY BLOG
25	January 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2015_critical_patch_update
26	January 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2015_critical_patch_update
27	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update
28	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update
29	Multiple vulnerabilities fixed in NSS 3.16	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_fixed_in_nss
30	Multiple vulnerabilities fixed in NSS 3.16	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_fixed_in_nss
31	October 2014 Critical Patch Update Released	https://blogs.oracle.com/security/entry/october_2014_critical_patch_update
32	October 2014 Critical Patch Update Released	https://blogs.oracle.com/security/entry/october_2014_critical_patch_update

Change Log

No	Changed Details	Date of change
0	[2014年01月22日] 掲載 [2014年07月25日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices) を追加 [2014年10月21日] ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - October 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices) を追加ベンダ情報：オラクル (October 2014 Critical Patch Update Released) を追加 [2014年12月02日] ベンダ情報：オラクル (Multiple vulnerabilities fixed in NSS 3.16) を追加 [2015年01月30日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices) を追加ベンダ情報：オラクル (January 2015 Critical Patch Update Released) を追加 [2016年01月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices) を追加ベンダ情報：オラクル (January 2016 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.
0	[2014年01月22日] 掲載 [2014年07月25日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices) を追加 [2014年10月21日] ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - October 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices) を追加ベンダ情報：オラクル (October 2014 Critical Patch Update Released) を追加 [2014年12月02日] ベンダ情報：オラクル (Multiple vulnerabilities fixed in NSS 3.16) を追加 [2015年01月30日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices) を追加ベンダ情報：オラクル (January 2015 Critical Patch Update Released) を追加 [2016年01月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices) を追加ベンダ情報：オラクル (January 2016 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-1740

Summary	The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.
Publication Date	Jan. 19, 2014, 7:55 a.m.
Registration Date	Jan. 26, 2021, 3:36 p.m.
Last Update	Nov. 21, 2024, 10:50 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mozilla:network_security_services:3.11.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.6.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.9:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.6:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.6:::::::*
cpe:2.3:a:mozilla:network_security_services:3.2.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.8:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.11:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.9:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14:::::::*
cpe:2.3:a:mozilla:network_security_services:3.8:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.10:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.3:::::::*
cpe:2.3:a:mozilla:network_security_services::::::::		3.15.3
cpe:2.3:a:mozilla:network_security_services:3.12:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html
2	http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html
3	http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html
4	http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html
5	http://seclists.org/fulldisclosure/2014/Dec/23
6	http://seclists.org/fulldisclosure/2014/Dec/23
7	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
8	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
9	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
10	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
11	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
12	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
13	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
14	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
15	http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
16	http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
17	http://www.securityfocus.com/archive/1/534161/100/0/threaded
18	http://www.securityfocus.com/archive/1/534161/100/0/threaded
19	http://www.securityfocus.com/bid/64944
20	http://www.securityfocus.com/bid/64944
21	http://www.ubuntu.com/usn/USN-2088-1
22	http://www.ubuntu.com/usn/USN-2088-1
23	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
24	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
25	https://bugs.gentoo.org/show_bug.cgi?id=498172
26	https://bugs.gentoo.org/show_bug.cgi?id=498172
27	https://bugzilla.mozilla.org/show_bug.cgi?id=919877	Exploit
28	https://bugzilla.mozilla.org/show_bug.cgi?id=919877	Exploit
29	https://bugzilla.redhat.com/show_bug.cgi?id=1053725
30	https://bugzilla.redhat.com/show_bug.cgi?id=1053725
31	https://developer.mozilla.org/docs/NSS/NSS_3.15.4_release_notes
32	https://developer.mozilla.org/docs/NSS/NSS_3.15.4_release_notes
33	https://exchange.xforce.ibmcloud.com/vulnerabilities/90394
34	https://exchange.xforce.ibmcloud.com/vulnerabilities/90394

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mozilla:network_security_services:3.11.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.6.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.9:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.6:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.6:::::::*
cpe:2.3:a:mozilla:network_security_services:3.2.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.8:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.11:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.9:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14:::::::*
cpe:2.3:a:mozilla:network_security_services:3.8:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.10:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.3:::::::*
cpe:2.3:a:mozilla:network_security_services::::::::		3.15.3
cpe:2.3:a:mozilla:network_security_services:3.12:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3.1:::::::*