{
  "threat_severity" : "Moderate",
  "public_date" : "2014-02-04T00:00:00Z",
  "bugzilla" : {
    "description" : "nss: Do not allow p-1 as a public DH value (MFSA 2014-12)",
    "id" : "1060955",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1060955"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-358",
  "details" : [ "Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.", "It was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE) parameters. This could possibly lead to weak encryption being used in communication between the client and the server." ],
  "acknowledgement" : "Red Hat would like to thank Mozilla project for reporting this issue. Upstream acknowledges Antoine Delignat-Lavaud and Karthikeyan Bhargavan as the original reporters.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2014-09-16T00:00:00Z",
    "advisory" : "RHSA-2014:1246",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "nss-0:3.16.1-2.el5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2014-07-22T00:00:00Z",
    "advisory" : "RHSA-2014:0917",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "nspr-0:4.10.6-1.el6_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2014-07-22T00:00:00Z",
    "advisory" : "RHSA-2014:0917",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "nss-0:3.16.1-4.el6_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2014-07-22T00:00:00Z",
    "advisory" : "RHSA-2014:0917",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "nss-util-0:3.16.1-1.el6_5"
  }, {
    "product_name" : "RHEV 3.X Hypervisor and Agents for RHEL-6",
    "release_date" : "2014-07-29T00:00:00Z",
    "advisory" : "RHSA-2014:0979",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6::hypervisor",
    "package" : "rhev-hypervisor6-0:6.5-20140725.0.el6ev"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "nss",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-1491\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-1491\nhttp://www.mozilla.org/security/announce/2014/mfsa2014-12.html" ],
  "name" : "CVE-2014-1491",
  "csaw" : false
}