Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2015-2721

Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.

Published

2015-07-06T02:00:49.283

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-310

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	novell	suse_linux_enterprise_software_development_kit	12.0	Yes
Operating System	canonical	ubuntu_linux	12.04	Yes
Operating System	canonical	ubuntu_linux	14.04	Yes
Operating System	canonical	ubuntu_linux	14.10	Yes
Operating System	canonical	ubuntu_linux	15.04	Yes
Operating System	debian	debian_linux	7.0	Yes
Operating System	debian	debian_linux	8.0	Yes
Operating System	novell	suse_linux_enterprise_desktop	12.0	Yes
Operating System	novell	suse_linux_enterprise_server	11	Yes
Operating System	novell	suse_linux_enterprise_server	12.0	Yes
Application	mozilla	network_security_services	3.19	Yes
Application	mozilla	firefox	≤ 38.1.0	No
Application	mozilla	firefox	31.0	No
Application	mozilla	firefox	31.1.0	No
Application	mozilla	firefox	31.1.1	No
Application	mozilla	firefox	31.3.0	No
Application	mozilla	firefox	31.5.1	No
Application	mozilla	firefox	31.5.2	No
Application	mozilla	firefox	31.5.3	No
Application	mozilla	firefox	38.0	No
Application	mozilla	firefox_esr	31.1	No
Application	mozilla	firefox_esr	31.2	No
Application	mozilla	firefox_esr	31.3	No
Application	mozilla	firefox_esr	31.4	No
Application	mozilla	firefox_esr	31.5	No
Application	mozilla	firefox_esr	31.6.0	No
Application	mozilla	firefox_esr	31.7.0	No
Application	mozilla	thunderbird	≤ 38.0.1	No
Operating System	oracle	solaris	11.3	Yes
Operating System	oracle	vm_server	3.2	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html ([email protected])
http://rhn.redhat.com/errata/RHSA-2015-1185.html ([email protected])
http://rhn.redhat.com/errata/RHSA-2015-1664.html ([email protected])
http://www.debian.org/security/2015/dsa-3324 Third Party Advisory ([email protected])
http://www.debian.org/security/2015/dsa-3336 Third Party Advisory ([email protected])
http://www.mozilla.org/security/announce/2015/mfsa2015-71.html Vendor Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/75541 ([email protected])
http://www.securityfocus.com/bid/83398 ([email protected])
http://www.securityfocus.com/bid/91787 Third Party Advisory ([email protected])
http://www.securitytracker.com/id/1032783 ([email protected])
http://www.securitytracker.com/id/1032784 ([email protected])
http://www.ubuntu.com/usn/USN-2656-1 ([email protected])
http://www.ubuntu.com/usn/USN-2656-2 ([email protected])
http://www.ubuntu.com/usn/USN-2672-1 ([email protected])
http://www.ubuntu.com/usn/USN-2673-1 Third Party Advisory ([email protected])
https://bugzilla.mozilla.org/show_bug.cgi?id=1086145 Exploit, Issue Tracking, VDB Entry, Vendor Advisory ([email protected])
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes Release Notes ([email protected])
https://security.gentoo.org/glsa/201512-10 ([email protected])
https://security.gentoo.org/glsa/201701-46 ([email protected])
https://smacktls.com Technical Description ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2015-1185.html (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2015-1664.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2015/dsa-3324 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2015/dsa-3336 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mozilla.org/security/announce/2015/mfsa2015-71.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/75541 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/83398 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/91787 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1032783 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1032784 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/USN-2656-1 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/USN-2656-2 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/USN-2672-1 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/USN-2673-1 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.mozilla.org/show_bug.cgi?id=1086145 Exploit, Issue Tracking, VDB Entry, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/201512-10 (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/201701-46 (af854a3a-2127-422b-91ae-364da2661108)
https://smacktls.com Technical Description (af854a3a-2127-422b-91ae-364da2661108)