CVE-2022-3479: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-3479 is a vulnerability discovered in Mozilla's Network Security Services (NSS) library that was disclosed on October 14, 2022. The vulnerability affects NSS client authentication functionality, where the client can crash when accessing a server without a user certificate in the database, leading to a segmentation fault. This vulnerability affects NSS versions up to 3.81 (Mozilla Bug, NVD).

The vulnerability occurs in the default authentication certificate handler when the server requests client authentication, but the client has no certificates in its database. The issue stems from an error in checking for an empty list that is NULL, introduced in a previous patch. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability primarily affects the availability of systems using NSS, potentially causing application crashes. Notably, while the vulnerability exists in NSS, Firefox is not affected as it overrides the default authentication certificate handler where the vulnerability is present. However, other client applications using NSS's default handler, such as tstclient, are vulnerable to crashes (Mozilla Bug).

The vulnerability was fixed in NSS version 3.87.1. The fix involves adding proper NULL checks for certificate lists returned by CERTFindUserCertsByUsage and updating the handling of cases where no certificates are available. Users are advised to upgrade to NSS version 3.87.1 or later ([Mozilla Bug](https://bugzilla.mozilla.org/showbug.cgi?id=1774654), Gentoo Advisory).