Critical CVE-2021-43527 Vulnerability in Mozilla’s Network Security Services (NSS) library

Article ID: 231256

Products

SITEMINDER

Issue/Introduction

A critical CVE, CVE-2021-43527 (https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/), has been identified that affects NSS versions prior to 3.73 or 3.68.1 ESR. It is caused by a heap overflow when verifying DER-encoded digital signatures, such as those produced by the DSA and RSA-PSS algorithms. The defect can be exploited to crash a vulnerable application and potentially execute arbitrary code.
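As an added illustration (not part of this Broadcom article), the following check encodes the fixed versions named in the Mozilla advisory so that an inventory of reported NSS build strings can be triaged; the hostnames and version strings in the sample inventory are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Fix thresholds taken from the advisory text above: 3.73 on the mainline
# branch, 3.68.1 on the 3.68 ESR branch. Everything older is affected.
FIXED_MAINLINE = (3, 73, 0)
FIXED_ESR_BRANCH = (3, 68)
FIXED_ESR = (3, 68, 1)

# Accepts "3.72", "NSS 3.73", "3.68.1 ESR", etc.
_VERSION_RE = re.compile(
    r"^\s*(?:NSS\s+)?(\d+)\.(\d+)(?:\.(\d+))?(?:\s+ESR)?\s*$", re.IGNORECASE
)


def parse_nss_version(text: str) -> Tuple[int, int, int]:
    """Turn a reported NSS version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised NSS version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable_to_cve_2021_43527(text: str) -> bool:
    """True if the build predates the fix on its branch (mainline or 3.68 ESR)."""
    version = parse_nss_version(text)
    if version[:2] == FIXED_ESR_BRANCH:
        return version < FIXED_ESR
    return version < FIXED_MAINLINE


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose reported NSS build still needs the patch."""
    return sorted(h for h, v in inventory.items() if is_vulnerable_to_cve_2021_43527(v))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "psrv-01": "NSS 3.72",        # mainline, before 3.73 -> vulnerable
    "psrv-02": "NSS 3.73",        # first fixed mainline release
    "psrv-03": "NSS 3.68 ESR",    # ESR branch without the .1 fix -> vulnerable
    "psrv-04": "NSS 3.68.1 ESR",  # fixed ESR release
    "psrv-05": "NSS 3.61",        # old mainline -> vulnerable
}

if __name__ == "__main__":
    print("needs patch:", triage(SAMPLE_INVENTORY))
```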

The SiteMinder Policy Server embeds Mozilla’s NSS library for digital signature validation when communicating with LDAP servers when those servers are acting as a user store, key store, policy store, or session store.

This vulnerability does not impact SiteMinder when communicating with LDAP servers acting as external Administrator account stores. It also does not impact SiteMinder when communicating with databases.

Environment

Policy Server 12.8.x or higher.

Component: SMPLC

Resolution

All versions of SiteMinder Policy Server are impacted.

The patch (#99111311) and its installation instructions for SiteMinder Policy Server versions within their mainstream support period (12.8.x or higher) are available at the link below:

https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111311&os=MULTI-PLATFORM

or by contacting Broadcom customer support.

If you have any questions or require assistance, please contact Customer Support at +1-800-225-5224 in North America or see https://support.broadcom.com/contact-support.html for the local number in your country.