CVE-2021-43527

Critical

Published: 08 December 2021
Modified: 21 November 2024
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0524 (90.2th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-43527 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Oracle Communications Cloud Native Core Network Repository Function. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE is ranked in the top 9.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Vulnerability details

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor             Product                                                          Versions
mozilla            nss                                                              ≤ 3.73
mozilla            nss esr                                                          ≤ 3.68.1
netapp             cloud backup                                                     all versions
netapp             e-series santricity os controller                                11.0 to 11.70.1
oracle             communications cloud native core binding support function        1.11.0
oracle             communications cloud native core network repository function     1.15.0, 1.15.1
oracle             communications cloud native core network slice selection function 1.8.0
oracle             communications policy management                                 12.6.0.0.0
starwindsoftware   starwind san & nas                                               v8r13
starwindsoftware   starwind virtual san                                             v8r13

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
