CVE - CVE-2015-2721

CVE-ID
CVE-2015-2721	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://smacktls.com CONFIRM:http://www.mozilla.org/security/announce/2015/mfsa2015-71.html CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=1086145 CONFIRM:https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html CONFIRM:http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html CONFIRM:http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html CONFIRM:http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html DEBIAN:DSA-3324 URL:http://www.debian.org/security/2015/dsa-3324 DEBIAN:DSA-3336 URL:http://www.debian.org/security/2015/dsa-3336 GENTOO:GLSA-201512-10 URL:https://security.gentoo.org/glsa/201512-10 GENTOO:GLSA-201701-46 URL:https://security.gentoo.org/glsa/201701-46 REDHAT:RHSA-2015:1664 URL:http://rhn.redhat.com/errata/RHSA-2015-1664.html REDHAT:RHSA-2015:1185 URL:http://rhn.redhat.com/errata/RHSA-2015-1185.html SUSE:SUSE-SU-2015:1268 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html SUSE:SUSE-SU-2015:1269 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html SUSE:SUSE-SU-2015:1449 URL:http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html SUSE:openSUSE-SU-2015:1266 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html SUSE:openSUSE-SU-2015:1229 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html UBUNTU:USN-2673-1 URL:http://www.ubuntu.com/usn/USN-2673-1 UBUNTU:USN-2656-1 URL:http://www.ubuntu.com/usn/USN-2656-1 UBUNTU:USN-2672-1 URL:http://www.ubuntu.com/usn/USN-2672-1 UBUNTU:USN-2656-2 URL:http://www.ubuntu.com/usn/USN-2656-2 BID:91787 URL:http://www.securityfocus.com/bid/91787 BID:75541 URL:http://www.securityfocus.com/bid/75541 BID:83398 URL:http://www.securityfocus.com/bid/83398 SECTRACK:1032783 URL:http://www.securitytracker.com/id/1032783 SECTRACK:1032784 URL:http://www.securitytracker.com/id/1032784
Assigning CNA
N/A
Date Entry Created
20150325	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20150325)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org

Use of the Common Vulnerabilities and Exposures (CVE®) List and the associated references from this website are subject to the terms of use. CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 1999–2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. For more information, please contact us.