製品・ソフトウェアに関する情報

JVN脆弱性詳細

Mozilla Network Security Services の certificate-checking の実装における SSL サーバになりすまされる脆弱性

Title	Mozilla Network Security Services の certificate-checking の実装における SSL サーバになりすまされる脆弱性
Summary	Mozilla Network Security Services (NSS) の certificate-checking の実装の lib/certdb/certdb.c 内の cert_TestHostName 関数は、国際化ドメイン名の U-label に埋め込まれているワイルドカード文字を受け入れるため、SSL サーバになりすまされる脆弱性が存在します。
Possible impacts	中間者攻撃 (man-in-the-middle attack) により、巧妙に細工された証明書を介して、SSL サーバになりすまされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 5, 2014, midnight
Registration Date	March 27, 2014, 11:09 a.m.
Last Update	Jan. 29, 2016, 4:29 p.m.

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected System

オラクル

Oracle Communications Applications の Oracle Communications Messaging Server 7.0.5.30.0 およびそれ以前

Oracle Enterprise Manager Ops Center 12.1.4 未満

Oracle Enterprise Manager Ops Center 12.2.0

Oracle Enterprise Manager Ops Center 12.2.1

Oracle Enterprise Manager Ops Center 12.3.0

Oracle Enterprise Manager Ops Center 12.1.4 未満

Oracle Enterprise Manager Ops Center 12.2.0

Oracle Enterprise Manager Ops Center 12.2.1

Oracle Enterprise Manager Ops Center 12.3.0

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 7.0

Oracle Fusion Middleware の Oracle OpenSSO 3.0-04

Oracle Fusion Middleware の Oracle Traffic Director 11.1.1.7.0

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 11.1.1.7

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 7.0

Oracle Fusion Middleware の Oracle OpenSSO 3.0-04

Oracle Fusion Middleware の Oracle Traffic Director 11.1.1.7.0

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 11.1.1.7

Oracle GlassFish Server 2.1.1

Oracle iPlanet Web Proxy Server 4.0.24

Oracle iPlanet Web Server 6.1

Oracle iPlanet Web Server 7.0

Oracle iPlanet Web Server 6.1

Oracle iPlanet Web Server 7.0

Mozilla Foundation

Mozilla Firefox 29 未満

Mozilla Network Security Services (NSS) 3.16 未満

Mozilla SeaMonkey 2.26 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-1492	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492
2	CVE-2014-1492	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492
National Vulnerability Database (NVD)
3	CVE-2014-1492	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492
4	CVE-2014-1492	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html
2	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Mozilla
1	changeset 11063 - 709d4e597979	https://hg.mozilla.org/projects/nss/rev/709d4e597979
2	changeset 11063 - 709d4e597979	https://hg.mozilla.org/projects/nss/rev/709d4e597979
Mozilla Developer Network
3	NSS 3.16 release notes	https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
4	NSS 3.16 release notes	https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
Mozilla Foundation Security Advisory
5	MFSA2014-45	http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
6	MFSA2014-45	http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
Mozilla Foundation セキュリティアドバイザリ
7	MFSA2014-45	http://www.mozilla-japan.org/security/announce/2014/mfsa2014-45.html
8	MFSA2014-45	http://www.mozilla-japan.org/security/announce/2014/mfsa2014-45.html
Oracle Critical Patch Update
9	Oracle Critical Patch Update Advisory - January 2015	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
10	Oracle Critical Patch Update Advisory - January 2015	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
11	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
12	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
13	Oracle Critical Patch Update Advisory - July 2014	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
14	Oracle Critical Patch Update Advisory - July 2014	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
15	Oracle Critical Patch Update Advisory - October 2014	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
16	Oracle Critical Patch Update Advisory - October 2014	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
17	Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html
18	Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html
19	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
20	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
21	Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2014verbose-1972958.html
22	Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2014verbose-1972958.html
23	Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html
24	Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html
Red Hat Bugzilla
25	Bug 1079851	https://bugzilla.redhat.com/show_bug.cgi?id=1079851
26	Bug 1079851	https://bugzilla.redhat.com/show_bug.cgi?id=1079851
SECURITY BLOG
27	January 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2015_critical_patch_update
28	January 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2015_critical_patch_update
29	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update
30	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update
31	Multiple vulnerabilities fixed in NSS 3.16	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_fixed_in_nss
32	Multiple vulnerabilities fixed in NSS 3.16	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_fixed_in_nss
33	October 2014 Critical Patch Update Released	https://blogs.oracle.com/security/entry/october_2014_critical_patch_update
34	October 2014 Critical Patch Update Released	https://blogs.oracle.com/security/entry/october_2014_critical_patch_update

Change Log

No	Changed Details	Date of change
0	[2014年03月27日] 掲載 [2014年05月14日] 影響を受けるシステム：Mozilla Foundation (MFSA2014-45) の情報を追加ベンダ情報：Mozilla Foundation (MFSA2014-45) を追加 [2014年07月25日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices) を追加 [2014年10月21日] ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - October 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices) を追加ベンダ情報：オラクル (October 2014 Critical Patch Update Released) を追加 [2014年12月02日] ベンダ情報：オラクル (Multiple vulnerabilities fixed in NSS 3.16) を追加 [2015年02月02日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices) を追加ベンダ情報：オラクル (January 2015 Critical Patch Update Released) を追加 [2016年01月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices) を追加ベンダ情報：オラクル (January 2016 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.
0	[2014年03月27日] 掲載 [2014年05月14日] 影響を受けるシステム：Mozilla Foundation (MFSA2014-45) の情報を追加ベンダ情報：Mozilla Foundation (MFSA2014-45) を追加 [2014年07月25日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices) を追加 [2014年10月21日] ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - October 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices) を追加ベンダ情報：オラクル (October 2014 Critical Patch Update Released) を追加 [2014年12月02日] ベンダ情報：オラクル (Multiple vulnerabilities fixed in NSS 3.16) を追加 [2015年02月02日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices) を追加ベンダ情報：オラクル (January 2015 Critical Patch Update Released) を追加 [2016年01月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices) を追加ベンダ情報：オラクル (January 2016 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-1492

Summary	The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
Publication Date	March 25, 2014, 10:25 p.m.
Registration Date	Jan. 26, 2021, 3:06 p.m.
Last Update	Nov. 21, 2024, 11:04 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mozilla:network_security_services:3.11.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.6.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.9:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.6:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.6:::::::*
cpe:2.3:a:mozilla:network_security_services:3.2.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.8:::::::*
cpe:2.3:a:mozilla:network_security_services::::::::		3.15.5
cpe:2.3:a:mozilla:network_security_services:3.15.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.11:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.9:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14:::::::*
cpe:2.3:a:mozilla:network_security_services:3.8:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.10:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.3.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
2	http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
3	http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html
4	http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html
5	http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html
6	http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html
7	http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html
8	http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html
9	http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html
10	http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html
11	http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html
12	http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html
13	http://seclists.org/fulldisclosure/2014/Dec/23
14	http://seclists.org/fulldisclosure/2014/Dec/23
15	http://secunia.com/advisories/59866
16	http://secunia.com/advisories/59866
17	http://secunia.com/advisories/60621
18	http://secunia.com/advisories/60621
19	http://secunia.com/advisories/60794
20	http://secunia.com/advisories/60794
21	http://www.debian.org/security/2014/dsa-2994
22	http://www.debian.org/security/2014/dsa-2994
23	http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
24	http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
25	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
26	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
27	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
28	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
29	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
30	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
31	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
32	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
33	http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
34	http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
35	http://www.securityfocus.com/archive/1/534161/100/0/threaded
36	http://www.securityfocus.com/archive/1/534161/100/0/threaded
37	http://www.securityfocus.com/bid/66356
38	http://www.securityfocus.com/bid/66356
39	http://www.ubuntu.com/usn/USN-2159-1
40	http://www.ubuntu.com/usn/USN-2159-1
41	http://www.ubuntu.com/usn/USN-2185-1
42	http://www.ubuntu.com/usn/USN-2185-1
43	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
44	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
45	https://bugzilla.mozilla.org/show_bug.cgi?id=903885
46	https://bugzilla.mozilla.org/show_bug.cgi?id=903885
47	https://bugzilla.redhat.com/show_bug.cgi?id=1079851
48	https://bugzilla.redhat.com/show_bug.cgi?id=1079851
49	https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
50	https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
51	https://hg.mozilla.org/projects/nss/rev/709d4e597979	Exploit Patch
52	https://hg.mozilla.org/projects/nss/rev/709d4e597979	Exploit Patch
53	https://security.gentoo.org/glsa/201504-01
54	https://security.gentoo.org/glsa/201504-01

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mozilla:network_security_services:3.11.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.6.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.9:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.6:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.6:::::::*
cpe:2.3:a:mozilla:network_security_services:3.2.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.8:::::::*
cpe:2.3:a:mozilla:network_security_services::::::::		3.15.5
cpe:2.3:a:mozilla:network_security_services:3.15.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.11:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.9:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14:::::::*
cpe:2.3:a:mozilla:network_security_services:3.8:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.10:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.7.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.4.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.5:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.3.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.14.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12.7:::::::*
cpe:2.3:a:mozilla:network_security_services:3.15.4:::::::*
cpe:2.3:a:mozilla:network_security_services:3.11.3:::::::*
cpe:2.3:a:mozilla:network_security_services:3.12:::::::*
cpe:2.3:a:mozilla:network_security_services:3.3.1:::::::*