The following fixlet is incorrectly or falsely identifying certain versions of Firefox as vulnerable to Integer truncation in certificate parsing.
Fixlet ID 1953001
Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value.
CVE: CVE-2013-1741
OVAL: OVAL19530
OVAL Status: ACCEPTED
CVSS Base Score: 7.5 (HIGH)
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Vulnerability assessment definition from MITRE OVAL repository at oval.mitre.org (schema version 5.0).
BigFix Enterprise Suite has met the Mitre OVAL/OVAL-ID Compatibility Requirements.
I believe the relevance is not respecting the file version number of the ‘nssdm3.dll’ as the latest version - as all machines I have it installed on have version 3.16 or greater. Can anyone confirm this is the case?
See attached for relevance. This fixlet is provided directly from the SVCM wizard without modification. I believe it is not respecting the next version of the fixed DLL file referenced earlier.
And you’ve walked through every step of the relevance and confirmed it can’t be anything else? Our environment does not use Firefox so I can’t attest to it working or not but relevance is usually pretty good about respecting the attributes of a file unless it’s written incorrectly.
As for the relevance it looks like it’s going with greater than 3.15 (everything after) OR less than 3.15.3 (everything before). If this particular vulnerability is only within 3.15.1 and 3.15.2 should it not be AND instead of OR?
Awesome - you are correct that it should only apply to 3.15.1 to 3.15.2. The 3.16 version resolves the vulnerability. The fixlet is delivered directly from the SCVM site (Particularly the ‘Vulnerabilities to Windows Systems’ Site) so I’ll put in a service request to IBM for them to update the fixlet to respect the fixed 3.16 version.