Vulnerability Details : CVE-2015-2721
Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.
Exploit prediction scoring system (EPSS) score for CVE-2015-2721
Probability of exploitation activity in the next 30 days: 0.14%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 48 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2015-2721
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2015-2721
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-2721
-
http://www.mozilla.org/security/announce/2015/mfsa2015-71.html
NSS incorrectly permits skipping of ServerKeyExchange — MozillaVendor Advisory
-
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes
NSS 3.19 release notes - Mozilla | MDNRelease Notes
-
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html
[security-announce] SUSE-SU-2015:1269-1: important: Security update forThird Party Advisory
-
http://www.securitytracker.com/id/1032783
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Gain Elevated Privileges - SecurityTracker
-
https://smacktls.com
miTLS, Triple Handshake, SMACK, FREAK, Logjam, and SLOTHTechnical Description
-
https://security.gentoo.org/glsa/201512-10
Mozilla Products: Multiple vulnerabilities (GLSA 201512-10) — Gentoo security
-
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
cpuapr2016v3Third Party Advisory
-
http://www.securityfocus.com/bid/91787
Oracle July 2016 Critical Patch Update Multiple VulnerabilitiesThird Party Advisory
-
http://www.securityfocus.com/bid/75541
Mozilla Firefox/Thunderbird Multiple Security Vulnerabilities
-
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
Oracle Solaris Third Party Bulletin - October 2015Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html
[security-announce] SUSE-SU-2015:1449-1: important: Security update for
-
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Oracle Solaris Bulletin - April 2016Third Party Advisory
-
http://www.securitytracker.com/id/1032784
Mozilla Thunderbird Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions - SecurityTracker
-
http://www.debian.org/security/2015/dsa-3336
Debian -- Security Information -- DSA-3336-1 nssThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-1664.html
RHSA-2015:1664 - Security Advisory - Red Hat Customer Portal
-
http://www.ubuntu.com/usn/USN-2656-2
USN-2656-2: Firefox vulnerabilities | Ubuntu security notices
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1086145
1086145 - (CVE-2015-2721) NSS incorrectly permits skipping of ServerKeyExchangeExploit;Issue Tracking;VDB Entry;Vendor Advisory
-
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Oracle Critical Patch Update - July 2016Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-1185.html
RHSA-2015:1185 - Security Advisory - Red Hat Customer Portal
-
http://www.debian.org/security/2015/dsa-3324
Debian -- Security Information -- DSA-3324-1 icedoveThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
[security-announce] openSUSE-SU-2015:1266-1: important: Mozilla (Firefox
-
http://www.ubuntu.com/usn/USN-2672-1
USN-2672-1: NSS vulnerabilities | Ubuntu security notices
-
http://www.ubuntu.com/usn/USN-2656-1
USN-2656-1: Firefox vulnerabilities | Ubuntu security notices
-
http://www.securityfocus.com/bid/83398
Mozilla Network Security Services CVE-2015-2721 Security Bypass Vulnerability
-
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html
[security-announce] SUSE-SU-2015:1268-1: important: Security update forThird Party Advisory
-
http://www.ubuntu.com/usn/USN-2673-1
USN-2673-1: Thunderbird vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
Oracle VM Server for x86 Bulletin - July 2016Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html
[security-announce] openSUSE-SU-2015:1229-1: important: Security update
-
https://security.gentoo.org/glsa/201701-46
Mozilla Network Security Service (NSS): Multiple vulnerabilities (GLSA 201701-46) — Gentoo security
Products affected by CVE-2015-2721
- cpe:2.3:o:novell:suse_linux_enterprise_server:12.0:*:*:*:*:*:*:*
- cpe:2.3:o:novell:suse_linux_enterprise_server:11:sp4:*:*:*:*:*:*
- cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:*:*:*:*:*:*:*
- cpe:2.3:a:novell:suse_linux_enterprise_software_development_kit:12.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:vm_server:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.19:*:*:*:*:*:*:*When used together with: Mozilla » Thunderbird
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*