Lucene search

[email protected]NVD:CVE-2015-2721

HistoryJul 06, 2015 - 2:00 a.m.

CVE-2015-2721

2015-07-0602:00:49

CWE-310

[email protected]

web.nvd.nist.gov

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

4.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.4%

JSON

Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a “SMACK SKIP-TLS” issue.

Affected configurations

NVD

Node

novellsuse_linux_enterprise_software_development_kitMatch12.0

canonicalubuntu_linuxMatch12.04lts

canonicalubuntu_linuxMatch14.04lts

canonicalubuntu_linuxMatch14.10

canonicalubuntu_linuxMatch15.04

debiandebian_linuxMatch7.0

debiandebian_linuxMatch8.0

novellsuse_linux_enterprise_desktopMatch12.0

novellsuse_linux_enterprise_serverMatch11sp4

novellsuse_linux_enterprise_serverMatch12.0

Node

mozillanetwork_security_servicesMatch3.19

AND

mozillafirefoxRange≤38.1.0

mozillafirefox_esrMatch31.0

mozillafirefox_esrMatch31.1

mozillafirefox_esrMatch31.1.0

mozillafirefox_esrMatch31.1.1

mozillafirefox_esrMatch31.2

mozillafirefox_esrMatch31.3

mozillafirefox_esrMatch31.3.0

mozillafirefox_esrMatch31.4

mozillafirefox_esrMatch31.5

mozillafirefox_esrMatch31.5.1

mozillafirefox_esrMatch31.5.2

mozillafirefox_esrMatch31.5.3

mozillafirefox_esrMatch31.6.0

mozillafirefox_esrMatch31.7.0

mozillafirefox_esrMatch38.0

mozillathunderbirdRange≤38.0.1

Node

oraclesolarisMatch11.3

oraclevm_serverMatch3.2

References

lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html

lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html

lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html

lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html

rhn.redhat.com/errata/RHSA-2015-1185.html

rhn.redhat.com/errata/RHSA-2015-1664.html

www.debian.org/security/2015/dsa-3324

www.debian.org/security/2015/dsa-3336

www.mozilla.org/security/announce/2015/mfsa2015-71.html

www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

www.securityfocus.com/bid/75541

www.securityfocus.com/bid/83398

www.securityfocus.com/bid/91787

www.securitytracker.com/id/1032783

www.securitytracker.com/id/1032784

www.ubuntu.com/usn/USN-2656-1

www.ubuntu.com/usn/USN-2656-2

www.ubuntu.com/usn/USN-2672-1

www.ubuntu.com/usn/USN-2673-1

bugzilla.mozilla.org/show_bug.cgi?id=1086145

developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes

security.gentoo.org/glsa/201512-10

security.gentoo.org/glsa/201701-46

smacktls.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

4.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.4%

JSON

Related for NVD:CVE-2015-2721

cvelist1 mozilla1 veracode1 prion1 openvas28 debiancve1 cve1 ubuntucve1 nessus34 osv3 oraclelinux1 redhat2 centos2 ubuntu4 debian4 gentoo3 mageia1 suse6 kaspersky1 securityvulns1 freebsd1 oracle2