CVE-2021-43527

Summary

CVE: CVE-2021-43527
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2021-12-08 22:15:00 UTC
Updated: 2023-02-23 01:40:00 UTC

Description: NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.

Risk And Classification

Problem Types: CWE-787

NVD Known Affected Configurations (CPE 2.3)

Type        | Vendor           | Product                                                          | Version    | Update | Edition | Language
------------|------------------|------------------------------------------------------------------|------------|--------|---------|---------
Application | Mozilla          | Nss                                                              | All        | All    | All     | All
Application | Mozilla          | Nss Esr                                                          | All        | All    | All     | All
Application | Netapp           | Cloud Backup                                                     | -          | All    | All     | All
Application | Netapp           | E-series Santricity Os Controller                                | All        | All    | All     | All
Application | Oracle           | Communications Cloud Native Core Binding Support Function        | 1.11.0     | All    | All     | All
Application | Oracle           | Communications Cloud Native Core Network Repository Function     | 1.15.0     | All    | All     | All
Application | Oracle           | Communications Cloud Native Core Network Repository Function     | 1.15.1     | All    | All     | All
Application | Oracle           | Communications Cloud Native Core Network Slice Selection Function| 1.8.0      | All    | All     | All
Application | Oracle           | Communications Policy Management                                 | 12.6.0.0.0 | All    | All     | All
Application | Starwindsoftware | Starwind San Nas                                                 | v8r13      | All    | All     | All
Application | Starwindsoftware | Starwind Virtual San                                             | v8r13      | 14398  | All     | All

References

Reference                                                                                              | Source  | Link                         | Tags
-------------------------------------------------------------------------------------------------------|---------|------------------------------|--------------------
CVE-2021-43527 Libnss Vulnerability in NetApp Products | NetApp Product Security                         | CONFIRM | security.netapp.com          |
Oracle Critical Patch Update Advisory - April 2022                                                     | MISC    | www.oracle.com               |
Access Denied                                                                                          | MISC    | bugzilla.mozilla.org         |
Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures — Mozilla                           | MISC    | www.mozilla.org              |
Directory Listing: /pub/security/nss/releases/NSS_3_73_RTM/                                            | MISC    | ftp.mozilla.org              |
Directory Listing: /pub/security/nss/releases/NSS_3_68_1_RTM/                                          | MISC    | ftp.mozilla.org              |
cert-portal.siemens.com/productcert/pdf/ssa-594438.pdf                                                 | CONFIRM | cert-portal.siemens.com      |
CVE-2021-43527 NSS heap overflow in StarWind products                                                  | MISC    | www.starwindsoftware.com     |
Mozilla Network Security Service (NSS): Multiple Vulnerabilities (GLSA 202212-05) — Gentoo security     | GENTOO  | security.gentoo.org          |
CVE Program record                                                                                     | CVE.ORG | www.cve.org                  | canonical
NVD vulnerability detail                                                                               | NVD     | nvd.nist.gov                 | canonical, analysis

Legacy QID Mappings

  • 159543 Oracle Enterprise Linux Security Update for nss (ELSA-2021-4903)
  • 159544 Oracle Enterprise Linux Security Update for nss (ELSA-2021-4904)
  • 159569 Oracle Enterprise Linux Security Update for nss (ELSA-2021-9591)
  • 178920 Debian Security Update for nss (DSA 5016-1)
  • 178921 Debian Security Update for nss (DLA 2836-1)
  • 178931 Debian Security Update for nss (DLA 2836-2)
  • 184071 Debian Security Update for nss (CVE-2021-43527)
  • 198590 Ubuntu Security Notification for Thunderbird Vulnerability (USN-5168-2)
  • 198591 Ubuntu Security Notification for NSS Vulnerability (USN-5168-1)
  • 239921 Red Hat Update for nss (RHSA-2021:4904)
  • 239922 Red Hat Update for nss (RHSA-2021:4903)
  • 239923 Red Hat Update for nss (RHSA-2021:4909)
  • 239924 Red Hat Update for nss (RHSA-2021:4919)
  • 239930 Red Hat Update for thunderbird (RHSA-2021:4954)
  • 239931 Red Hat Update for nss (RHSA-2021:4953)
  • 257135 CentOS Security Update for nss (CESA-2021:4904)
  • 282094 Fedora Security Update for nss (FEDORA-2021-d0be347892)
  • 282125 Fedora Security Update for nss (FEDORA-2021-d8e9f6222a)
  • 296061 Oracle Solaris 11.4 Support Repository Update (SRU) 42.113.1 Missing (CPUJAN2022)
  • 353043 Amazon Linux Security Advisory for nss : ALAS-2021-1552
  • 353044 Amazon Linux Security Advisory for nss, nss-util, nss-softokn, nspr : ALAS2-2021-1722
  • 353096 Amazon Linux Security Advisory for nss : AL2012-2021-357
  • 354422 Amazon Linux Security Advisory for nss : ALAS2022-2022-223
  • 354451 Amazon Linux Security Advisory for nss : ALAS2022-2021-002
  • 354534 Amazon Linux Security Advisory for nss : ALAS-2022-223
  • 354756 Amazon Linux Security Advisory for nss-util : ALAS2-2023-1954
  • 354759 Amazon Linux Security Advisory for nss : ALAS2-2023-1952
  • 354764 Amazon Linux Security Advisory for nspr : ALAS2-2023-1953
  • 354779 Amazon Linux Security Advisory for nss-softokn : ALAS2-2023-1955
  • 355198 Amazon Linux Security Advisory for nss : ALAS2023-2023-031
  • 376265 LibreOffice check for Memory corruption via DER-encoded DSA and Rivest-Shamir-Adleman (RSA)-PSS (CVE-2021-43527)
  • 376930 Alibaba Cloud Linux Security Update for nss (ALINUX3-SA-2021:0081)
  • 376947 Alibaba Cloud Linux Security Update for nss (ALINUX2-SA-2021:0070)
  • 390251 Oracle Managed Virtualization (VM) Server for x86 Security Update for nss (OVMSA-2021-0040)
  • 390279 Oracle Managed Virtualization (VM) Server for x86 Security Update for nss (OVMSA-2023-0014)
  • 500460 Alpine Linux Security Update for nss
  • 501646 Alpine Linux Security Update for nss
  • 502128 Alpine Linux Security Update for nss
  • 502319 Alpine Linux Security Update for nss
  • 505126 Alpine Linux Security Update for nss
  • 591224 Siemens RUGGEDCOM ROX products Remote Code Execution (RCE) and Denial of Service (DoS) Vulnerability (SSA-594438)
  • 671355 EulerOS Security Update for nss (EulerOS-SA-2022-1278)
  • 671366 EulerOS Security Update for nss (EulerOS-SA-2022-1310)
  • 671371 EulerOS Security Update for nss (EulerOS-SA-2022-1294)
  • 671484 EulerOS Security Update for nss (EulerOS-SA-2022-1468)
  • 671532 EulerOS Security Update for nss (EulerOS-SA-2022-1477)
  • 690727 Free Berkeley Software Distribution (FreeBSD) Security Update for nss (47695a9c-5377-11ec-8be6-d4c9ef517024)
  • 690729 Free Berkeley Software Distribution (FreeBSD) Security Update for nss (47695a9c-5377-11ec-8be6-d4c9ef517024)
  • 710692 Gentoo Linux Mozilla Network Security Service (NSS) Multiple Vulnerabilities (GLSA 202212-05)
  • 730371 McAfee Web Gateway Multiple Vulnerabilities (WP-3335,WP-4131,WP-4159,WP-4237,WP-4259,WP-4329,WP-4348,WP-4355,WP-4376,WP-4407,WP-4421)
  • 751449 SUSE Enterprise Linux Security Update for mozilla-nss (SUSE-SU-2021:3934-1)
  • 751453 SUSE Enterprise Linux Security Update for mozilla-nss (SUSE-SU-2021:3939-1)
  • 751464 OpenSUSE Security Update for mozilla-nss (openSUSE-SU-2021:3934-1)
  • 752379 SUSE Enterprise Linux Security Update for mozilla-nspr, mozilla-nss (SUSE-SU-2022:2536-1)
  • 752380 SUSE Enterprise Linux Security Update for mozilla-nss (SUSE-SU-2022:2533-1)
  • 752409 SUSE Enterprise Linux Security Update for mozilla-nss (SUSE-SU-2022:2595-1)
  • 900336 Common Base Linux Mariner (CBL-Mariner) Security Update for nss (7020)
  • 900957 Common Base Linux Mariner (CBL-Mariner) Security Update for nss (7024-1)
  • 940321 AlmaLinux Security Update for nss (ALSA-2021:4903)
  • 960047 Rocky Linux Security Update for nss (RLSA-2021:4903)

© CVE.report 2026