ID CVE-2017-7502
Summary A null pointer dereference vulnerability was found in NSS since 3.24.0 when a server receives empty SSLv2 messages, resulting in denial of service by a remote attacker.
References
Vulnerable Configurations
  • cpe:2.3:a:mozilla:network_security_services:3.30.0
  • cpe:2.3:a:mozilla:network_security_services:3.30.1
  • cpe:2.3:a:mozilla:network_security_services:3.28.0
  • cpe:2.3:a:mozilla:network_security_services:3.28.1
  • cpe:2.3:a:mozilla:network_security_services:3.28.2
  • Mozilla Network Security Services (NSS) 3.28.3
    cpe:2.3:a:mozilla:network_security_services:3.28.3
  • cpe:2.3:a:mozilla:network_security_services:3.29.0
  • cpe:2.3:a:mozilla:network_security_services:3.29.1
  • cpe:2.3:a:mozilla:network_security_services:3.29.2
  • Mozilla Network Security Services (NSS) 3.29.3
    cpe:2.3:a:mozilla:network_security_services:3.29.3
  • cpe:2.3:a:mozilla:network_security_services:3.26.2
  • cpe:2.3:a:mozilla:network_security_services:3.27.0
  • cpe:2.3:a:mozilla:network_security_services:3.27.1
  • cpe:2.3:a:mozilla:network_security_services:3.27.2
  • cpe:2.3:a:mozilla:network_security_services:3.25.1
  • cpe:2.3:a:mozilla:network_security_services:3.26.0
  • cpe:2.3:a:mozilla:network_security_services:3.25.0
  • cpe:2.3:a:mozilla:network_security_services:3.24.0
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-476
CAPEC
redhat via4
advisories
  • bugzilla
    id 1446631
    title CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment nss is earlier than 0:3.28.4-3.el6_9
          oval oval:com.redhat.rhsa:tst:20171364005
        • comment nss is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862006
      • AND
        • comment nss-devel is earlier than 0:3.28.4-3.el6_9
          oval oval:com.redhat.rhsa:tst:20171364009
        • comment nss-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862014
      • AND
        • comment nss-pkcs11-devel is earlier than 0:3.28.4-3.el6_9
          oval oval:com.redhat.rhsa:tst:20171364013
        • comment nss-pkcs11-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862010
      • AND
        • comment nss-sysinit is earlier than 0:3.28.4-3.el6_9
          oval oval:com.redhat.rhsa:tst:20171364011
        • comment nss-sysinit is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862008
      • AND
        • comment nss-tools is earlier than 0:3.28.4-3.el6_9
          oval oval:com.redhat.rhsa:tst:20171364007
        • comment nss-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862012
    rhsa
    id RHSA-2017:1364
    released 2017-05-30
    severity Important
    title RHSA-2017:1364: nss security and bug fix update (Important)
  • bugzilla
    id 1446631
    title CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment nss is earlier than 0:3.28.4-1.2.el7_3
          oval oval:com.redhat.rhsa:tst:20171365007
        • comment nss is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862006
      • AND
        • comment nss-devel is earlier than 0:3.28.4-1.2.el7_3
          oval oval:com.redhat.rhsa:tst:20171365009
        • comment nss-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862014
      • AND
        • comment nss-pkcs11-devel is earlier than 0:3.28.4-1.2.el7_3
          oval oval:com.redhat.rhsa:tst:20171365011
        • comment nss-pkcs11-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862010
      • AND
        • comment nss-sysinit is earlier than 0:3.28.4-1.2.el7_3
          oval oval:com.redhat.rhsa:tst:20171365005
        • comment nss-sysinit is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862008
      • AND
        • comment nss-tools is earlier than 0:3.28.4-1.2.el7_3
          oval oval:com.redhat.rhsa:tst:20171365013
        • comment nss-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862012
    rhsa
    id RHSA-2017:1365
    released 2017-05-30
    severity Important
    title RHSA-2017:1365: nss security and bug fix update (Important)
rpms
  • nss-0:3.28.4-3.el6_9
  • nss-devel-0:3.28.4-3.el6_9
  • nss-pkcs11-devel-0:3.28.4-3.el6_9
  • nss-sysinit-0:3.28.4-3.el6_9
  • nss-tools-0:3.28.4-3.el6_9
  • nss-0:3.28.4-1.2.el7_3
  • nss-devel-0:3.28.4-1.2.el7_3
  • nss-pkcs11-devel-0:3.28.4-1.2.el7_3
  • nss-sysinit-0:3.28.4-1.2.el7_3
  • nss-tools-0:3.28.4-1.2.el7_3
refmap via4
bid 98744
confirm https://hg.mozilla.org/projects/nss/rev/55ea60effd0d
sectrack 1038579
Last major update 30-05-2017 - 14:29
Published 30-05-2017 - 14:29
Last modified 07-07-2017 - 21:29