CVE-2015-7575 - Vulnerability Details

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Mozilla	Firefox Network Security Services
Opensuse	Leap Opensuse
Redhat	Enterprise Linux Network Satellite Rhel Extras Rhel Extras Oracle Java

Configuration 1 [-]

cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:opensuse:leap:42.1:::::::*
	cpe:2.3:o:opensuse:opensuse:13.1:::::::*
	cpe:2.3:o:opensuse:opensuse:13.2:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:mozilla:firefox:38.0:::::::*
	cpe:2.3:a:mozilla:firefox:38.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:38.0.5:::::::*
	cpe:2.3:a:mozilla:firefox:38.1.0:::::::*
	cpe:2.3:a:mozilla:firefox:38.1.1:::::::*
	cpe:2.3:a:mozilla:firefox:38.2.0:::::::*
	cpe:2.3:a:mozilla:firefox:38.2.1:::::::*
	cpe:2.3:a:mozilla:firefox:38.3.0:::::::*
	cpe:2.3:a:mozilla:firefox:38.4.0:::::::*
	cpe:2.3:a:mozilla:firefox:38.5.0:::::::*
	cpe:2.3:a:mozilla:firefox:38.5.1:::::::*

Configuration 4 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:15.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:15.10:::::::*

Configuration 5 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Oracle Java for Red Hat Enterprise Linux 5
java-1.7.0-oracle-1:1.7.0.95-1jpp.1.el5_11	cpe:/a:redhat:rhel_extras_oracle_java:5	RHSA-2016:0056	2016-01-21T00:00:00Z
Oracle Java for Red Hat Enterprise Linux 6
java-1.8.0-oracle-1:1.8.0.71-1jpp.1.el6_7	cpe:/a:redhat:rhel_extras_oracle_java:6	RHSA-2016:0055	2016-01-21T00:00:00Z
java-1.7.0-oracle-1:1.7.0.95-1jpp.1.el6_7	cpe:/a:redhat:rhel_extras_oracle_java:6	RHSA-2016:0056	2016-01-21T00:00:00Z
Oracle Java for Red Hat Enterprise Linux 7
java-1.8.0-oracle-1:1.8.0.71-1jpp.1.el7	cpe:/a:redhat:rhel_extras_oracle_java:7	RHSA-2016:0055	2016-01-21T00:00:00Z
java-1.7.0-oracle-1:1.7.0.95-1jpp.2.el7	cpe:/a:redhat:rhel_extras_oracle_java:7	RHSA-2016:0056	2016-01-21T00:00:00Z
Red Hat Enterprise Linux 5
java-1.7.0-openjdk-1:1.7.0.95-2.6.4.1.el5_11	cpe:/o:redhat:enterprise_linux:5	RHSA-2016:0054	2016-01-21T00:00:00Z
Red Hat Enterprise Linux 5 Supplementary
java-1.7.0-ibm-1:1.7.0.9.30-1jpp.1.el5	cpe:/a:redhat:rhel_extras:5	RHSA-2016:0100	2016-02-02T00:00:00Z
java-1.6.0-ibm-1:1.6.0.16.20-1jpp.1.el5	cpe:/a:redhat:rhel_extras:5	RHSA-2016:0101	2016-02-02T00:00:00Z
Red Hat Enterprise Linux 6
nss-0:3.19.1-8.el6_7	cpe:/o:redhat:enterprise_linux:6	RHSA-2016:0007	2016-01-07T00:00:00Z
openssl-0:1.0.1e-42.el6_7.2	cpe:/o:redhat:enterprise_linux:6	RHSA-2016:0008	2016-01-08T00:00:00Z
gnutls-0:2.8.5-19.el6_7	cpe:/o:redhat:enterprise_linux:6	RHSA-2016:0012	2016-01-08T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.71-1.b15.el6_7	cpe:/o:redhat:enterprise_linux:6	RHSA-2016:0050	2016-01-20T00:00:00Z
java-1.7.0-openjdk-1:1.7.0.95-2.6.4.0.el6_7	cpe:/o:redhat:enterprise_linux:6	RHSA-2016:0053	2016-01-21T00:00:00Z
Red Hat Enterprise Linux 6 Supplementary
java-1.7.1-ibm-1:1.7.1.3.30-1jpp.2.el6_7	cpe:/a:redhat:rhel_extras:6	RHSA-2016:0099	2016-02-02T00:00:00Z
java-1.6.0-ibm-1:1.6.0.16.20-1jpp.1.el6_7	cpe:/a:redhat:rhel_extras:6	RHSA-2016:0101	2016-02-02T00:00:00Z
Red Hat Enterprise Linux 7
nss-0:3.19.1-19.el7_2	cpe:/o:redhat:enterprise_linux:7	RHSA-2016:0007	2016-01-07T00:00:00Z
openssl-1:1.0.1e-51.el7_2.2	cpe:/o:redhat:enterprise_linux:7	RHSA-2016:0008	2016-01-08T00:00:00Z
gnutls-0:3.3.8-14.el7_2	cpe:/o:redhat:enterprise_linux:7	RHSA-2016:0012	2016-01-08T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.71-2.b15.el7_2	cpe:/o:redhat:enterprise_linux:7	RHSA-2016:0049	2016-01-20T00:00:00Z
java-1.7.0-openjdk-1:1.7.0.95-2.6.4.0.el7_2	cpe:/o:redhat:enterprise_linux:7	RHSA-2016:0054	2016-01-21T00:00:00Z
Red Hat Enterprise Linux 7 Supplementary
java-1.8.0-ibm-1:1.8.0.2.10-1jpp.1.el7	cpe:/a:redhat:rhel_extras:7	RHSA-2016:0098	2016-02-02T00:00:00Z
java-1.7.1-ibm-1:1.7.1.3.30-1jpp.1.el7	cpe:/a:redhat:rhel_extras:7	RHSA-2016:0099	2016-02-02T00:00:00Z
Red Hat Satellite 5.6
java-1.7.0-ibm-1:1.7.0.9.40-1jpp.1.el5	cpe:/a:redhat:network_satellite:5.6::el5	RHSA-2016:1430	2016-07-18T00:00:00Z
java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7	cpe:/a:redhat:network_satellite:5.6::el5	RHSA-2016:1430	2016-07-18T00:00:00Z
spacewalk-java-0:2.0.2-109.el5sat	cpe:/a:redhat:network_satellite:5.6::el5	RHSA-2016:1430	2016-07-18T00:00:00Z
Red Hat Satellite 5.7
java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7	cpe:/a:redhat:network_satellite:5.7::el6	RHSA-2016:1430	2016-07-18T00:00:00Z
spacewalk-java-0:2.3.8-146.el6sat	cpe:/a:redhat:network_satellite:5.7::el6	RHSA-2016:1430	2016-07-18T00:00:00Z

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html
http://rhn.redhat.com/errata/RHSA-2016-0049.html
http://rhn.redhat.com/errata/RHSA-2016-0050.html
http://rhn.redhat.com/errata/RHSA-2016-0053.html
http://rhn.redhat.com/errata/RHSA-2016-0054.html
http://rhn.redhat.com/errata/RHSA-2016-0055.html
http://rhn.redhat.com/errata/RHSA-2016-0056.html
http://www.debian.org/security/2016/dsa-3436
http://www.debian.org/security/2016/dsa-3437
http://www.debian.org/security/2016/dsa-3457
http://www.debian.org/security/2016/dsa-3458
http://www.debian.org/security/2016/dsa-3465
http://www.debian.org/security/2016/dsa-3491
http://www.debian.org/security/2016/dsa-3688
http://www.mitls.org/pages/attacks/SLOTH
http://www.mozilla.org/security/announce/2015/mfsa2015-150.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
http://www.securityfocus.com/bid/79684
http://www.securityfocus.com/bid/91787
http://www.securitytracker.com/id/1034541
http://www.securitytracker.com/id/1036467
http://www.ubuntu.com/usn/USN-2863-1
http://www.ubuntu.com/usn/USN-2864-1
http://www.ubuntu.com/usn/USN-2865-1
http://www.ubuntu.com/usn/USN-2866-1
http://www.ubuntu.com/usn/USN-2884-1
http://www.ubuntu.com/usn/USN-2904-1
https://access.redhat.com/articles/2112261
https://access.redhat.com/errata/RHSA-2016:1430
https://bugzilla.mozilla.org/show_bug.cgi?id=1158489
https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes
https://nvd.nist.gov/vuln/detail/CVE-2015-7575
https://security.gentoo.org/glsa/201701-46
https://security.gentoo.org/glsa/201706-18
https://security.gentoo.org/glsa/201801-15
https://security.netapp.com/advisory/ntap-20160225-0001/
https://www.cve.org/CVERecord?id=CVE-2015-7575
https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/

History

Tue, 22 Oct 2024 14:00:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:mozilla:firefox_esr:38.0.1:::::::* cpe:2.3:a:mozilla:firefox_esr:38.0.5:::::::* cpe:2.3:a:mozilla:firefox_esr:38.0:::::::* cpe:2.3:a:mozilla:firefox_esr:38.1.0:::::::* cpe:2.3:a:mozilla:firefox_esr:38.1.1:::::::* cpe:2.3:a:mozilla:firefox_esr:38.2.0:::::::* cpe:2.3:a:mozilla:firefox_esr:38.2.1:::::::* cpe:2.3:a:mozilla:firefox_esr:38.3.0:::::::* cpe:2.3:a:mozilla:firefox_esr:38.4.0:::::::*	cpe:2.3:a:mozilla:firefox:38.0.1:::::::* cpe:2.3:a:mozilla:firefox:38.0.5:::::::* cpe:2.3:a:mozilla:firefox:38.0:::::::* cpe:2.3:a:mozilla:firefox:38.1.0:::::::* cpe:2.3:a:mozilla:firefox:38.1.1:::::::* cpe:2.3:a:mozilla:firefox:38.2.0:::::::* cpe:2.3:a:mozilla:firefox:38.2.1:::::::* cpe:2.3:a:mozilla:firefox:38.3.0:::::::* cpe:2.3:a:mozilla:firefox:38.4.0:::::::*
Vendors & Products	Mozilla firefox Esr

Mon, 21 Oct 2024 13:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:mozilla:firefox_esr:38.5.0:::::::* cpe:2.3:a:mozilla:firefox_esr:38.5.1:::::::*	cpe:2.3:a:mozilla:firefox:38.5.0:::::::* cpe:2.3:a:mozilla:firefox:38.5.1:::::::*

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2016-01-09T02:00:00

Updated: 2024-08-06T07:51:28.586Z

Reserved: 2015-09-29T00:00:00

Link: CVE-2015-7575

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2016-01-09T02:59:10.910

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-7575

Redhat

Severity : Moderate

Publid Date: 2016-01-06T00:00:00Z

Links: CVE-2015-7575 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-12-22T00:00:00", "descriptions": [{"lang": "en", "value": "Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-15T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "DSA-3688", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3688"}, {"name": "DSA-3457", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3457"}, {"name": "DSA-3491", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3491"}, {"name": "openSUSE-SU-2016:0272", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html"}, {"name": "1036467", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1036467"}, {"name": "GLSA-201701-46", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201701-46"}, {"name": "openSUSE-SU-2016:0279", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html"}, {"name": "openSUSE-SU-2016:0161", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"}, {"name": "USN-2884-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2884-1"}, {"name": "79684", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/79684"}, {"name": "DSA-3465", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3465"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"}, {"name": "RHSA-2016:1430", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2016:1430"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1158489"}, {"name": "RHSA-2016:0049", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0049.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"name": "openSUSE-SU-2016:0270", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html"}, {"name": "openSUSE-SU-2016:0308", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html"}, {"name": "DSA-3437", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3437"}, {"name": "RHSA-2016:0053", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0053.html"}, {"name": "USN-2904-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2904-1"}, {"name": "openSUSE-SU-2015:2405", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20160225-0001/"}, {"name": "SUSE-SU-2016:0269", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html"}, {"name": "DSA-3436", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3436"}, {"name": "openSUSE-SU-2016:0263", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html"}, {"name": "USN-2866-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2866-1"}, {"name": "SUSE-SU-2016:0256", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"}, {"name": "91787", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/91787"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-150.html"}, {"name": "RHSA-2016:0055", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0055.html"}, {"name": "GLSA-201801-15", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201801-15"}, {"name": "RHSA-2016:0054", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0054.html"}, {"name": "openSUSE-SU-2016:0488", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html"}, {"name": "GLSA-201706-18", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201706-18"}, {"name": "USN-2864-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2864-1"}, {"name": "openSUSE-SU-2016:0162", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html"}, {"name": "openSUSE-SU-2016:0605", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html"}, {"name": "RHSA-2016:0056", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0056.html"}, {"name": "openSUSE-SU-2016:0268", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html"}, {"name": "openSUSE-SU-2016:0307", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html"}, {"name": "RHSA-2016:0050", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0050.html"}, {"name": "DSA-3458", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3458"}, {"name": "SUSE-SU-2016:0265", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html"}, {"name": "USN-2865-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2865-1"}, {"name": "1034541", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034541"}, {"name": "openSUSE-SU-2016:0007", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html"}, {"name": "USN-2863-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2863-1"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T07:51:28.586Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-3688", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3688"}, {"name": "DSA-3457", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3457"}, {"name": "DSA-3491", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3491"}, {"name": "openSUSE-SU-2016:0272", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html"}, {"name": "1036467", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1036467"}, {"name": "GLSA-201701-46", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201701-46"}, {"name": "openSUSE-SU-2016:0279", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html"}, {"name": "openSUSE-SU-2016:0161", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"}, {"name": "USN-2884-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2884-1"}, {"name": "79684", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/79684"}, {"name": "DSA-3465", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3465"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"}, {"name": "RHSA-2016:1430", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2016:1430"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1158489"}, {"name": "RHSA-2016:0049", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0049.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"name": "openSUSE-SU-2016:0270", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html"}, {"name": "openSUSE-SU-2016:0308", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html"}, {"name": "DSA-3437", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3437"}, {"name": "RHSA-2016:0053", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0053.html"}, {"name": "USN-2904-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2904-1"}, {"name": "openSUSE-SU-2015:2405", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20160225-0001/"}, {"name": "SUSE-SU-2016:0269", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html"}, {"name": "DSA-3436", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3436"}, {"name": "openSUSE-SU-2016:0263", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html"}, {"name": "USN-2866-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2866-1"}, {"name": "SUSE-SU-2016:0256", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"}, {"name": "91787", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/91787"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-150.html"}, {"name": "RHSA-2016:0055", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0055.html"}, {"name": "GLSA-201801-15", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201801-15"}, {"name": "RHSA-2016:0054", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0054.html"}, {"name": "openSUSE-SU-2016:0488", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html"}, {"name": "GLSA-201706-18", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201706-18"}, {"name": "USN-2864-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2864-1"}, {"name": "openSUSE-SU-2016:0162", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html"}, {"name": "openSUSE-SU-2016:0605", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html"}, {"name": "RHSA-2016:0056", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0056.html"}, {"name": "openSUSE-SU-2016:0268", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html"}, {"name": "openSUSE-SU-2016:0307", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html"}, {"name": "RHSA-2016:0050", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0050.html"}, {"name": "DSA-3458", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3458"}, {"name": "SUSE-SU-2016:0265", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html"}, {"name": "USN-2865-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2865-1"}, {"name": "1034541", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1034541"}, {"name": "openSUSE-SU-2016:0007", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html"}, {"name": "USN-2863-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2863-1"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-7575", "datePublished": "2016-01-09T02:00:00", "dateReserved": "2015-09-29T00:00:00", "dateUpdated": "2024-08-06T07:51:28.586Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "92954403-582A-4A55-B45C-64CADCF40909", "versionEndIncluding": "3.20.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:38.0:*:*:*:*:*:*:*", "matchCriteriaId": "35BF0AFB-26BA-4BEA-B6B8-11CF88E951DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:38.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "1F007CC6-9391-4E1C-A747-F3DE5E572FA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:38.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "45E9641F-430C-4B3A-BD63-EC13DBD3D1E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:38.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "5AADD23B-A8AF-4679-990D-C29A1D6EB5CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:38.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1343A1FD-98CF-4A6C-A697-1253E538FD5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:38.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6D098567-B55E-4EAC-8FAA-31FAFDD4058F", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:38.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BE0389BC-D295-4957-8AE7-EDAC770F596D", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:38.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E75E69A5-AC94-4F35-9EFB-1BFF8B78210D", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:38.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "2765E663-C9CF-476A-B7A8-6F02D0E2D72D", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:38.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "62B4E871-0ACB-4EC5-8392-EAD0DF25E64B", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:38.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "435D6EF5-C879-4121-9D47-EF2236E53409", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*", "matchCriteriaId": "F38D3B7E-8429-473F-BB31-FC3583EE5A5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "11D313EA-95EE-456C-B27B-FB4207DE9492", "versionEndIncluding": "43.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision."}, {"lang": "es", "value": "Mozilla Network Security Services (NSS) en versiones anteriores a 3.20.2, tal como se utiliza en Mozilla Firefox en versiones anteriores a 43.0.2 y Firefox ESR 38.x en versiones anteriores a 38.5.2, no rechaza las firmas MD5 en mensajes Server Key Exchange en el tr\u00e1fico de TLS 1.2 Handshake Protocol, lo que facilita a atacantes man-in-the-middle falsificar servidores desencadenando una colisi\u00f3n."}], "id": "CVE-2015-7575", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-01-09T02:59:10.910", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-0049.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-0050.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-0053.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-0054.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-0055.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-0056.html"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3436"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3437"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3457"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3458"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3465"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3491"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3688"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-150.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/79684"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/91787"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1034541"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1036467"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2863-1"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2864-1"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2865-1"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2866-1"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2884-1"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2904-1"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2016:1430"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1158489"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201701-46"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201706-18"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201801-15"}, {"source": "secalert@redhat.com", "url": "https://security.netapp.com/advisory/ntap-20160225-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0049.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0050.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0053.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0054.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0055.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0056.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3436"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3437"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3457"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3458"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3465"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3491"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3688"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-150.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/79684"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/91787"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1034541"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1036467"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2863-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2864-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2865-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2866-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2884-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2904-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2016:1430"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1158489"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201701-46"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201706-18"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201801-15"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20160225-0001/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-19"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2016:0056", "cpe": "cpe:/a:redhat:rhel_extras_oracle_java:5", "package": "java-1.7.0-oracle-1:1.7.0.95-1jpp.1.el5_11", "product_name": "Oracle Java for Red Hat Enterprise Linux 5", "release_date": "2016-01-21T00:00:00Z"}, {"advisory": "RHSA-2016:0055", "cpe": "cpe:/a:redhat:rhel_extras_oracle_java:6", "package": "java-1.8.0-oracle-1:1.8.0.71-1jpp.1.el6_7", "product_name": "Oracle Java for Red Hat Enterprise Linux 6", "release_date": "2016-01-21T00:00:00Z"}, {"advisory": "RHSA-2016:0056", "cpe": "cpe:/a:redhat:rhel_extras_oracle_java:6", "package": "java-1.7.0-oracle-1:1.7.0.95-1jpp.1.el6_7", "product_name": "Oracle Java for Red Hat Enterprise Linux 6", "release_date": "2016-01-21T00:00:00Z"}, {"advisory": "RHSA-2016:0055", "cpe": "cpe:/a:redhat:rhel_extras_oracle_java:7", "package": "java-1.8.0-oracle-1:1.8.0.71-1jpp.1.el7", "product_name": "Oracle Java for Red Hat Enterprise Linux 7", "release_date": "2016-01-21T00:00:00Z"}, {"advisory": "RHSA-2016:0056", "cpe": "cpe:/a:redhat:rhel_extras_oracle_java:7", "package": "java-1.7.0-oracle-1:1.7.0.95-1jpp.2.el7", "product_name": "Oracle Java for Red Hat Enterprise Linux 7", "release_date": "2016-01-21T00:00:00Z"}, {"advisory": "RHSA-2016:0054", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "java-1.7.0-openjdk-1:1.7.0.95-2.6.4.1.el5_11", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2016-01-21T00:00:00Z"}, {"advisory": "RHSA-2016:0100", "cpe": "cpe:/a:redhat:rhel_extras:5", "package": "java-1.7.0-ibm-1:1.7.0.9.30-1jpp.1.el5", "product_name": "Red Hat Enterprise Linux 5 Supplementary", "release_date": "2016-02-02T00:00:00Z"}, {"advisory": "RHSA-2016:0101", "cpe": "cpe:/a:redhat:rhel_extras:5", "package": "java-1.6.0-ibm-1:1.6.0.16.20-1jpp.1.el5", "product_name": "Red Hat Enterprise Linux 5 Supplementary", "release_date": "2016-02-02T00:00:00Z"}, {"advisory": "RHSA-2016:0007", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "nss-0:3.19.1-8.el6_7", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2016-01-07T00:00:00Z"}, {"advisory": "RHSA-2016:0008", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "openssl-0:1.0.1e-42.el6_7.2", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2016-01-08T00:00:00Z"}, {"advisory": "RHSA-2016:0012", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "gnutls-0:2.8.5-19.el6_7", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2016-01-08T00:00:00Z"}, {"advisory": "RHSA-2016:0050", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "java-1.8.0-openjdk-1:1.8.0.71-1.b15.el6_7", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2016-01-20T00:00:00Z"}, {"advisory": "RHSA-2016:0053", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "java-1.7.0-openjdk-1:1.7.0.95-2.6.4.0.el6_7", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2016-01-21T00:00:00Z"}, {"advisory": "RHSA-2016:0099", "cpe": "cpe:/a:redhat:rhel_extras:6", "package": "java-1.7.1-ibm-1:1.7.1.3.30-1jpp.2.el6_7", "product_name": "Red Hat Enterprise Linux 6 Supplementary", "release_date": "2016-02-02T00:00:00Z"}, {"advisory": "RHSA-2016:0101", "cpe": "cpe:/a:redhat:rhel_extras:6", "package": "java-1.6.0-ibm-1:1.6.0.16.20-1jpp.1.el6_7", "product_name": "Red Hat Enterprise Linux 6 Supplementary", "release_date": "2016-02-02T00:00:00Z"}, {"advisory": "RHSA-2016:0007", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "nss-0:3.19.1-19.el7_2", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2016-01-07T00:00:00Z"}, {"advisory": "RHSA-2016:0008", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "openssl-1:1.0.1e-51.el7_2.2", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2016-01-08T00:00:00Z"}, {"advisory": "RHSA-2016:0012", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "gnutls-0:3.3.8-14.el7_2", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2016-01-08T00:00:00Z"}, {"advisory": "RHSA-2016:0049", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "java-1.8.0-openjdk-1:1.8.0.71-2.b15.el7_2", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2016-01-20T00:00:00Z"}, {"advisory": "RHSA-2016:0054", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "java-1.7.0-openjdk-1:1.7.0.95-2.6.4.0.el7_2", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2016-01-21T00:00:00Z"}, {"advisory": "RHSA-2016:0098", "cpe": "cpe:/a:redhat:rhel_extras:7", "package": "java-1.8.0-ibm-1:1.8.0.2.10-1jpp.1.el7", "product_name": "Red Hat Enterprise Linux 7 Supplementary", "release_date": "2016-02-02T00:00:00Z"}, {"advisory": "RHSA-2016:0099", "cpe": "cpe:/a:redhat:rhel_extras:7", "package": "java-1.7.1-ibm-1:1.7.1.3.30-1jpp.1.el7", "product_name": "Red Hat Enterprise Linux 7 Supplementary", "release_date": "2016-02-02T00:00:00Z"}, {"advisory": "RHSA-2016:1430", "cpe": "cpe:/a:redhat:network_satellite:5.6::el5", "package": "java-1.7.0-ibm-1:1.7.0.9.40-1jpp.1.el5", "product_name": "Red Hat Satellite 5.6", "release_date": "2016-07-18T00:00:00Z"}, {"advisory": "RHSA-2016:1430", "cpe": "cpe:/a:redhat:network_satellite:5.6::el5", "package": "java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7", "product_name": "Red Hat Satellite 5.6", "release_date": "2016-07-18T00:00:00Z"}, {"advisory": "RHSA-2016:1430", "cpe": "cpe:/a:redhat:network_satellite:5.6::el5", "package": "spacewalk-java-0:2.0.2-109.el5sat", "product_name": "Red Hat Satellite 5.6", "release_date": "2016-07-18T00:00:00Z"}, {"advisory": "RHSA-2016:1430", "cpe": "cpe:/a:redhat:network_satellite:5.7::el6", "package": "java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7", "product_name": "Red Hat Satellite 5.7", "release_date": "2016-07-18T00:00:00Z"}, {"advisory": "RHSA-2016:1430", "cpe": "cpe:/a:redhat:network_satellite:5.7::el6", "package": "spacewalk-java-0:2.3.8-146.el6sat", "product_name": "Red Hat Satellite 5.7", "release_date": "2016-07-18T00:00:00Z"}], "bugzilla": {"description": "TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH)", "id": "1289841", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1289841"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status": "verified"}, "details": ["Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.", "A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client."], "name": "CVE-2015-7575", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "gnutls", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "java-1.6.0-sun", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "openssl097a", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "java-1.6.0-sun", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "openssl098e", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "java-1.6.0-sun", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "openssl098e", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:2", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Web Server 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Affected", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Web Server 3"}], "public_date": "2016-01-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-7575\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-7575\nhttp://www.mitls.org/pages/attacks/SLOTH\nhttps://access.redhat.com/articles/2112261\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2015-150/"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object