ID CVE-2017-7502
Summary A null pointer dereference vulnerability was found in NSS since 3.24.0 when a server receives empty SSLv2 messages, resulting in denial of service by a remote attacker.
References
Vulnerable Configurations
  • cpe:2.3:a:mozilla:network_security_services:3.24.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.25.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.25.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.26.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.26.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.27.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.27.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.27.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.28.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.28.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.28.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.28.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.29.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.29.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.29.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.29.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.30.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:network_security_services:3.30.1:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 05-01-2018 - 02:31)
Impact:
Exploitability:
CWE CWE-476
CAPEC
Access
Vector Complexity Authentication
NETWORK LOW NONE
Impact
Confidentiality Integrity Availability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 1446631
    title CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment nss is earlier than 0:3.28.4-3.el6_9
          oval oval:com.redhat.rhsa:tst:20171364005
        • comment nss is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364010
      • AND
        • comment nss-devel is earlier than 0:3.28.4-3.el6_9
          oval oval:com.redhat.rhsa:tst:20171364009
        • comment nss-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364016
      • AND
        • comment nss-pkcs11-devel is earlier than 0:3.28.4-3.el6_9
          oval oval:com.redhat.rhsa:tst:20171364013
        • comment nss-pkcs11-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364018
      • AND
        • comment nss-sysinit is earlier than 0:3.28.4-3.el6_9
          oval oval:com.redhat.rhsa:tst:20171364011
        • comment nss-sysinit is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364014
      • AND
        • comment nss-tools is earlier than 0:3.28.4-3.el6_9
          oval oval:com.redhat.rhsa:tst:20171364007
        • comment nss-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364012
    rhsa
    id RHSA-2017:1364
    released 2017-05-30
    severity Important
    title RHSA-2017:1364: nss security and bug fix update (Important)
  • bugzilla
    id 1446631
    title CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment nss is earlier than 0:3.28.4-1.2.el7_3
          oval oval:com.redhat.rhsa:tst:20171365007
        • comment nss is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364010
      • AND
        • comment nss-devel is earlier than 0:3.28.4-1.2.el7_3
          oval oval:com.redhat.rhsa:tst:20171365009
        • comment nss-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364016
      • AND
        • comment nss-pkcs11-devel is earlier than 0:3.28.4-1.2.el7_3
          oval oval:com.redhat.rhsa:tst:20171365011
        • comment nss-pkcs11-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364018
      • AND
        • comment nss-sysinit is earlier than 0:3.28.4-1.2.el7_3
          oval oval:com.redhat.rhsa:tst:20171365005
        • comment nss-sysinit is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364014
      • AND
        • comment nss-tools is earlier than 0:3.28.4-1.2.el7_3
          oval oval:com.redhat.rhsa:tst:20171365013
        • comment nss-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364012
    rhsa
    id RHSA-2017:1365
    released 2017-05-30
    severity Important
    title RHSA-2017:1365: nss security and bug fix update (Important)
  • rhsa
    id RHSA-2017:1567
  • rhsa
    id RHSA-2017:1712
rpms
  • nss-0:3.28.4-3.el6_9
  • nss-devel-0:3.28.4-3.el6_9
  • nss-pkcs11-devel-0:3.28.4-3.el6_9
  • nss-sysinit-0:3.28.4-3.el6_9
  • nss-tools-0:3.28.4-3.el6_9
  • nss-0:3.28.4-1.2.el7_3
  • nss-devel-0:3.28.4-1.2.el7_3
  • nss-pkcs11-devel-0:3.28.4-1.2.el7_3
  • nss-sysinit-0:3.28.4-1.2.el7_3
  • nss-tools-0:3.28.4-1.2.el7_3
refmap via4
bid 98744
confirm
debian DSA-3872
sectrack 1038579
Last major update 05-01-2018 - 02:31
Published 30-05-2017 - 18:29