製品・ソフトウェアに関する情報

JVN脆弱性詳細

Mozilla Firefox で使用される Network Security Services におけるヒープベースのバッファオーバーフローの脆弱性

Title	Mozilla Firefox で使用される Network Security Services におけるヒープベースのバッファオーバーフローの脆弱性
Summary	Mozilla Firefox で使用される Network Security Services (NSS) には、ヒープベースのバッファオーバーフローの脆弱性が存在します。
Possible impacts	第三者により、X.509 証明書の巧妙に細工された ASN.1 データを介して、任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 8, 2016, midnight
Registration Date	March 24, 2016, 4:56 p.m.
Last Update	Nov. 22, 2016, 3:32 p.m.

CVSS2.0 : 警告
Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected System

オラクル

Oracle GlassFish Server 2.1.1

Oracle iPlanet Web Proxy Server 4.0

Oracle iPlanet Web Server 7.0

Oracle Linux

Oracle VM サーバー

Mozilla Foundation

Mozilla Firefox 45.0 未満

Mozilla Firefox ESR 38.7 未満の 38.x

Mozilla Network Security Services (NSS) 3.19.2.3 未満

Mozilla Network Security Services (NSS) 3.20.x

Mozilla Network Security Services (NSS) 3.21.1 未満の 3.21.x

アップル

Apple Mac OS X 10.11 から 10.11.3

iOS 9.3 未満 (iPad 2 以降)

iOS 9.3 未満 (iPhone 4s 以降)

iOS 9.3 未満 (iPod touch 第 5 世代以降)

tvOS 9.2 未満 (Apple TV 第 4 世代)

watchOS 2.2 未満 (Apple Watch Edition)

watchOS 2.2 未満 (Apple Watch Hermes)

watchOS 2.2 未満 (Apple Watch Sport)

watchOS 2.2 未満 (Apple Watch)

openSUSE project

openSUSE

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-1950	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
National Vulnerability Database (NVD)
2	CVE-2016-1950	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1950

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Apple Mailing Lists
1	APPLE-SA-2016-03-21-1 iOS 9.3	http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
2	APPLE-SA-2016-03-21-2 watchOS 2.2	http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
3	APPLE-SA-2016-03-21-3 tvOS 9.2	http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html
4	APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update 2016-002	http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
Apple Security Updates
5	HT206166	https://support.apple.com/en-us/HT206166
6	HT206167	https://support.apple.com/en-us/HT206167
7	HT206168	https://support.apple.com/en-us/HT206168
8	HT206169	https://support.apple.com/en-us/HT206169
Apple セキュリティアップデート
9	HT206166	http://support.apple.com/ja-jp/HT206166
10	HT206167	http://support.apple.com/ja-jp/HT206167
11	HT206168	http://support.apple.com/ja-jp/HT206168
12	HT206169	http://support.apple.com/ja-jp/HT206169
Mozilla Developer Network
13	NSS 3.19.2.3 release notes	https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2.3_release_notes
14	NSS 3.21.1 release notes	https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.1_release_notes
Mozilla Foundation Security Advisory
15	MFSA2016-35	http://www.mozilla.org/security/announce/2016/mfsa2016-35.html
Mozilla Foundation セキュリティアドバイザリ
16	MFSA2016-35	http://www.mozilla-japan.org/security/announce/2016/mfsa2016-35.html
opensuse-security-announce
17	openSUSE-SU-2016:1557	https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.html
Oracle Critical Patch Update
18	Oracle Critical Patch Update Advisory - October 2016	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
19	Text Form of Oracle Critical Patch Update - October 2016 Risk Matrices	http://www.oracle.com/technetwork/security-advisory/cpuoct2016verbose-2881725.html
Oracle Technology Network
20	Oracle Linux Bulletin - January 2016	http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
21	Oracle VM Server for x86 Bulletin - July 2016	http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
SECURITY BLOG
22	October 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/october_2016_critical_patch_update

その他

No	Name	URL
JVN
1	JVNVU#97668313	http://jvn.jp/vu/JVNVU97668313/index.html

Change Log

No	Changed Details	Date of change
0	[2016年03月24日] 掲載 [2016年03月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：アップル (HT206166) を追加ベンダ情報：アップル (HT206167) を追加ベンダ情報：アップル (HT206168) を追加ベンダ情報：アップル (HT206169) を追加ベンダ情報：アップル (APPLE-SA-2016-03-21-1 iOS 9.3) を追加ベンダ情報：アップル (APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update 2016-002) を追加ベンダ情報：アップル (APPLE-SA-2016-03-21-2 watchOS 2.2) を追加ベンダ情報：アップル (APPLE-SA-2016-03-21-3 tvOS 9.2) を追加参考情報：JVN (JVNVU#97668313) を追加 [2016年11月22日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - October 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - October 2016 Risk Matrices) を追加ベンダ情報：オラクル (October 2016 Critical Patch Update Released) を追加ベンダ情報：オラクル (Oracle Linux Bulletin - January 2016) を追加ベンダ情報：オラクル (Oracle VM Server for x86 Bulletin - July 2016) を追加ベンダ情報：openSUSE project (openSUSE-SU-2016:1557) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-1950

Summary	Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate.
Publication Date	March 14, 2016, 3:59 a.m.
Registration Date	Jan. 26, 2021, 2:08 p.m.
Last Update	Nov. 21, 2024, 11:47 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mozilla:network_security_services:3.19.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.20:::::::*
cpe:2.3:a:mozilla:network_security_services:3.20.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.21:::::::*
cpe:2.3:a:mozilla:firefox::::::::		44.0.2
cpe:2.3:a:mozilla:firefox:38.0:::::::*
cpe:2.3:a:mozilla:firefox:38.0.1:::::::*
cpe:2.3:a:mozilla:firefox:38.0.5:::::::*
cpe:2.3:a:mozilla:firefox:38.1.0:::::::*
cpe:2.3:a:mozilla:firefox:38.1.1:::::::*
cpe:2.3:a:mozilla:firefox:38.2.0:::::::*
cpe:2.3:a:mozilla:firefox:38.2.1:::::::*
cpe:2.3:a:mozilla:firefox:38.3.0:::::::*
cpe:2.3:a:mozilla:firefox:38.4.0:::::::*
cpe:2.3:a:mozilla:firefox:38.5.0:::::::*
cpe:2.3:a:mozilla:firefox:38.5.1:::::::*
cpe:2.3:a:mozilla:firefox:38.6.0:::::::*
cpe:2.3:a:mozilla:firefox:38.6.1:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:oracle:linux:5.0:::::::*
cpe:2.3:o:oracle:vm_server:3.2:::::::*
cpe:2.3:o:oracle:linux:6:::::::*
cpe:2.3:o:oracle:linux:7:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:apple:watchos::::::::		2.1
cpe:2.3:o:apple:iphone_os::::::::		9.2.1
cpe:2.3:o:apple:mac_os_x::::::::		10.11.3
cpe:2.3:o:apple:tvos::::::::		9.1

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:oracle:glassfish_server:2.1.1:::::::*
cpe:2.3:a:oracle:iplanet_web_proxy_server:4.0:::::::*
cpe:2.3:a:oracle:iplanet_web_server:7.0:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:oracle:linux:5.0:::::::*
cpe:2.3:o:oracle:linux:6:::::::*
cpe:2.3:o:oracle:linux:7:::::::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:o:opensuse:opensuse:13.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html	Mailing List
2	http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html	Mailing List
3	http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html	Mailing List
4	http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html	Mailing List
5	http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html	Mailing List
6	http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html	Mailing List
7	http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html	Mailing List
8	http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html	Mailing List
9	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00027.html
10	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00027.html
11	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00029.html
12	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00029.html
13	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00031.html
14	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00031.html
15	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00050.html
16	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00050.html
17	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00068.html
18	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00068.html
19	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00093.html
20	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00093.html
21	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.html	Third Party Advisory
22	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.html	Third Party Advisory
23	http://rhn.redhat.com/errata/RHSA-2016-0495.html
24	http://rhn.redhat.com/errata/RHSA-2016-0495.html
25	http://www.debian.org/security/2016/dsa-3510
26	http://www.debian.org/security/2016/dsa-3510
27	http://www.debian.org/security/2016/dsa-3520
28	http://www.debian.org/security/2016/dsa-3520
29	http://www.debian.org/security/2016/dsa-3688
30	http://www.debian.org/security/2016/dsa-3688
31	http://www.mozilla.org/security/announce/2016/mfsa2016-35.html	Vendor Advisory
32	http://www.mozilla.org/security/announce/2016/mfsa2016-35.html	Vendor Advisory
33	http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
34	http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
35	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html	Third Party Advisory
36	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html	Third Party Advisory
37	http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
38	http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
39	http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html	Third Party Advisory
40	http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html	Third Party Advisory
41	http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html	Third Party Advisory
42	http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html	Third Party Advisory
43	http://www.securityfocus.com/bid/84223
44	http://www.securityfocus.com/bid/84223
45	http://www.securitytracker.com/id/1035215
46	http://www.securitytracker.com/id/1035215
47	http://www.ubuntu.com/usn/USN-2917-1
48	http://www.ubuntu.com/usn/USN-2917-1
49	http://www.ubuntu.com/usn/USN-2917-2
50	http://www.ubuntu.com/usn/USN-2917-2
51	http://www.ubuntu.com/usn/USN-2917-3
52	http://www.ubuntu.com/usn/USN-2917-3
53	http://www.ubuntu.com/usn/USN-2924-1
54	http://www.ubuntu.com/usn/USN-2924-1
55	http://www.ubuntu.com/usn/USN-2934-1
56	http://www.ubuntu.com/usn/USN-2934-1
57	https://bto.bluecoat.com/security-advisory/sa119
58	https://bto.bluecoat.com/security-advisory/sa119
59	https://bugzilla.mozilla.org/show_bug.cgi?id=1245528	Issue Tracking
60	https://bugzilla.mozilla.org/show_bug.cgi?id=1245528	Issue Tracking
61	https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2.3_release_notes	Release Notes
62	https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2.3_release_notes	Release Notes
63	https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.1_release_notes	Release Notes
64	https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.1_release_notes	Release Notes
65	https://security.gentoo.org/glsa/201605-06
66	https://security.gentoo.org/glsa/201605-06
67	https://support.apple.com/HT206166	Third Party Advisory
68	https://support.apple.com/HT206166	Third Party Advisory
69	https://support.apple.com/HT206167	Third Party Advisory
70	https://support.apple.com/HT206167	Third Party Advisory
71	https://support.apple.com/HT206168	Third Party Advisory
72	https://support.apple.com/HT206168	Third Party Advisory
73	https://support.apple.com/HT206169	Third Party Advisory
74	https://support.apple.com/HT206169	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mozilla:network_security_services:3.19.2:::::::*
cpe:2.3:a:mozilla:network_security_services:3.20:::::::*
cpe:2.3:a:mozilla:network_security_services:3.20.1:::::::*
cpe:2.3:a:mozilla:network_security_services:3.21:::::::*
cpe:2.3:a:mozilla:firefox::::::::		44.0.2
cpe:2.3:a:mozilla:firefox:38.0:::::::*
cpe:2.3:a:mozilla:firefox:38.0.1:::::::*
cpe:2.3:a:mozilla:firefox:38.0.5:::::::*
cpe:2.3:a:mozilla:firefox:38.1.0:::::::*
cpe:2.3:a:mozilla:firefox:38.1.1:::::::*
cpe:2.3:a:mozilla:firefox:38.2.0:::::::*
cpe:2.3:a:mozilla:firefox:38.2.1:::::::*
cpe:2.3:a:mozilla:firefox:38.3.0:::::::*
cpe:2.3:a:mozilla:firefox:38.4.0:::::::*
cpe:2.3:a:mozilla:firefox:38.5.0:::::::*
cpe:2.3:a:mozilla:firefox:38.5.1:::::::*
cpe:2.3:a:mozilla:firefox:38.6.0:::::::*
cpe:2.3:a:mozilla:firefox:38.6.1:::::::*