Vulnerability Description
Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Novell | Suse Linux Enterprise Software Development Kit | 12.0 |
| Canonical | Ubuntu Linux | 12.04 |
| Debian | Debian Linux | 7.0 |
| Novell | Suse Linux Enterprise Desktop | 12.0 |
| Novell | Suse Linux Enterprise Server | 11 |
| Mozilla | Network Security Services | 3.19 |
| Mozilla | Firefox | <= 38.1.0 |
| Mozilla | Firefox Esr | 31.1 |
| Mozilla | Thunderbird | <= 38.0.1 |
| Oracle | Solaris | 11.3 |
| Oracle | Vm Server | 3.2 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html
- http://rhn.redhat.com/errata/RHSA-2015-1185.html
- http://rhn.redhat.com/errata/RHSA-2015-1664.html
- http://www.debian.org/security/2015/dsa-3324Third Party Advisory
- http://www.debian.org/security/2015/dsa-3336Third Party Advisory
- http://www.mozilla.org/security/announce/2015/mfsa2015-71.htmlVendor Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.htmThird Party Advisory
FAQ
What is CVE-2015-2721?
CVE-2015-2721 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not pr...
How severe is CVE-2015-2721?
CVE-2015-2721 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-2721?
Check the references section above for vendor advisories and patch information. Affected products include: Novell Suse Linux Enterprise Software Development Kit, Canonical Ubuntu Linux, Debian Debian Linux, Novell Suse Linux Enterprise Desktop, Novell Suse Linux Enterprise Server.