The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:1981 advisory.

    Network Security Services (NSS) is a set of libraries designed to support     cross-platform development of security-enabled client and server     applications. Netscape Portable Runtime (NSPR) provides platform     independence for non-GUI operating system facilities.

    A use-after-poison flaw and a heap-based buffer overflow flaw were found in     the way NSS parsed certain ASN.1 structures. An attacker could use these     flaws to cause NSS to crash or execute arbitrary code with the permissions     of the user running an application compiled against the NSS library.
    (CVE-2015-7181, CVE-2015-7182)

    A heap-based buffer overflow was found in NSPR. An attacker could use this     flaw to cause NSPR to crash or execute arbitrary code with the permissions     of the user running an application compiled against the NSPR library.
    (CVE-2015-7183)

    Note: Applications using NSPR's PL_ARENA_ALLOCATE, PR_ARENA_ALLOCATE,     PL_ARENA_GROW, or PR_ARENA_GROW macros need to be rebuild against the fixed     nspr packages to completely resolve the CVE-2015-7183 issue. This erratum     includes nss and nss-utils packages rebuilt against the fixed nspr version.

    Red Hat would like to thank the Mozilla project for reporting these issues.
    Upstream acknowledges Tyson Smith, David Keeler and Ryan Sleevi as the     original reporter.

    All nss, nss-util and nspr users are advised to upgrade to these updated     packages, which contain backported patches to correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 6 / 7 : nss, nss-util, and nspr (RHSA-2015:1981)

critical Nessus Plugin ID 86745

Version 2.21