ID CVE-2017-7502
Summary A null pointer dereference vulnerability in NSS since 3.24.0 was found when a server receives empty SSLv2 messages, resulting in denial of service by a remote attacker.
References
Vulnerable Configurations
  • cpe:2.3:a:mozilla:network_security_services:3.25.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.29.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.29.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.30.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.29.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.25.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.28.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.26.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.30.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.24.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.27.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.29.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.28.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.27.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.28.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.28.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.27.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.26.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 12-02-2023 - 23:30)
Impact:
Exploitability:
CWE CWE-476
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 1446631
    title CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 6 is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment nss is earlier than 0:3.28.4-3.el6_9
            oval oval:com.redhat.rhsa:tst:20171364001
          • comment nss is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20150364006
        • AND
          • comment nss-devel is earlier than 0:3.28.4-3.el6_9
            oval oval:com.redhat.rhsa:tst:20171364003
          • comment nss-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20150364008
        • AND
          • comment nss-pkcs11-devel is earlier than 0:3.28.4-3.el6_9
            oval oval:com.redhat.rhsa:tst:20171364005
          • comment nss-pkcs11-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20150364010
        • AND
          • comment nss-sysinit is earlier than 0:3.28.4-3.el6_9
            oval oval:com.redhat.rhsa:tst:20171364007
          • comment nss-sysinit is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20150364012
        • AND
          • comment nss-tools is earlier than 0:3.28.4-3.el6_9
            oval oval:com.redhat.rhsa:tst:20171364009
          • comment nss-tools is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20150364014
    rhsa
    id RHSA-2017:1364
    released 2017-05-30
    severity Important
    title RHSA-2017:1364: nss security and bug fix update (Important)
  • bugzilla
    id 1446631
    title CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment nss is earlier than 0:3.28.4-1.2.el7_3
            oval oval:com.redhat.rhsa:tst:20171365001
          • comment nss is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20150364006
        • AND
          • comment nss-devel is earlier than 0:3.28.4-1.2.el7_3
            oval oval:com.redhat.rhsa:tst:20171365003
          • comment nss-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20150364008
        • AND
          • comment nss-pkcs11-devel is earlier than 0:3.28.4-1.2.el7_3
            oval oval:com.redhat.rhsa:tst:20171365005
          • comment nss-pkcs11-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20150364010
        • AND
          • comment nss-sysinit is earlier than 0:3.28.4-1.2.el7_3
            oval oval:com.redhat.rhsa:tst:20171365007
          • comment nss-sysinit is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20150364012
        • AND
          • comment nss-tools is earlier than 0:3.28.4-1.2.el7_3
            oval oval:com.redhat.rhsa:tst:20171365009
          • comment nss-tools is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20150364014
    rhsa
    id RHSA-2017:1365
    released 2017-05-30
    severity Important
    title RHSA-2017:1365: nss security and bug fix update (Important)
  • rhsa
    id RHSA-2017:1567
  • rhsa
    id RHSA-2017:1712
rpms
  • nss-0:3.28.4-3.el6_9
  • nss-debuginfo-0:3.28.4-3.el6_9
  • nss-devel-0:3.28.4-3.el6_9
  • nss-pkcs11-devel-0:3.28.4-3.el6_9
  • nss-sysinit-0:3.28.4-3.el6_9
  • nss-tools-0:3.28.4-3.el6_9
  • nss-0:3.28.4-1.2.el7_3
  • nss-debuginfo-0:3.28.4-1.2.el7_3
  • nss-devel-0:3.28.4-1.2.el7_3
  • nss-pkcs11-devel-0:3.28.4-1.2.el7_3
  • nss-sysinit-0:3.28.4-1.2.el7_3
  • nss-tools-0:3.28.4-1.2.el7_3
refmap via4
bid 98744
confirm
debian DSA-3872
sectrack 1038579
Last major update 12-02-2023 - 23:30
Published 30-05-2017 - 18:29
Last modified 12-02-2023 - 23:30