CVE-2009-2404

Name of the Vulnerable Software and Affected Versions Mozilla Network Security Services (NSS) versions prior to 3.12.3

Description A heap-based buffer overflow issue exists in the regular-expression parser of Mozilla Network Security Services (NSS), which can be triggered by a long domain name in the subject's Common Name (CN) field of an X.509 certificate. This issue may allow remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code. The issue is related to the cert TestHostName function.

Recommendations For versions prior to 3.12.3, update to version 3.12.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the cert TestHostName function until a patch is available. Avoid using long domain names in the subject's Common Name (CN) field of an X.509 certificate to minimize the risk of exploitation.