RHSA-2019:4190 Vulnerability

[johnburns320]

The following high level security vulnerability is being flagged by a scan on the latest version of the centos7 image. This is occuring after a yum -y update.

RHSA-2019:4190: [High] 
Found in: nss [3.44.0-4.el7]
Fixed By: 0:3.44.0-7.el7_7
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) * nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
https://access.redhat.com/errata/RHSA-2019:4190
-----------------------------------------
RHSA-2019:4190: [High] 
Found in: nss-sysinit [3.44.0-4.el7]
Fixed By: 0:3.44.0-7.el7_7
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) * nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
https://access.redhat.com/errata/RHSA-2019:4190
-----------------------------------------
RHSA-2019:4190: [High] 
Found in: nss-softokn [3.44.0-5.el7]
Fixed By: 0:3.44.0-8.el7_7
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) * nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
https://access.redhat.com/errata/RHSA-2019:4190
-----------------------------------------
RHSA-2019:4190: [High] 
Found in: nss-util [3.44.0-3.el7]
Fixed By: 0:3.44.0-4.el7_7
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) * nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
https://access.redhat.com/errata/RHSA-2019:4190
-----------------------------------------
RHSA-2019:4190: [High] 
Found in: nss-tools [3.44.0-4.el7]
Fixed By: 0:3.44.0-7.el7_7
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) * nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
https://access.redhat.com/errata/RHSA-2019:4190
-----------------------------------------
RHSA-2019:4190: [High] 
Found in: nss-softokn-freebl [3.44.0-5.el7]
Fixed By: 0:3.44.0-8.el7_7
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) * nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
https://access.redhat.com/errata/RHSA-2019:4190
-----------------------------------------

[jperrin]

The sources for the fixes associated here were just released yesterday. It will take time to build, test and release them. They will be available once they're ready.

[johnburns320]

Thanks, @jperrin. Is there a place I can track the propagation of the fixes?

[johnburns320]

I tried a new build using the centos7 image and it passed the vulnerability scan. Yay!

[varshneysan001]

Hi @jperrin can you please share which adject version is passing through above vulnerability. As with centos7 latest docker image, I am still getting this issue.