Vulnerability Name: CVE-2017-7502 (CCN-126599)

Assigned: 2017-01-03
Published: 2017-01-03
Updated: 2023-02-12
Summary: A null pointer dereference vulnerability in NSS since 3.24.0 was found when a server receives empty SSLv2 messages, resulting in denial of service by a remote attacker.
CVSS v3 Severity:
7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): High
CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): Complete
Vulnerability Type: CWE-476
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2017-7502

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: IBM Security Bulletin T1025398 (PowerKVM)
A vulnerability in NSS affects PowerKVM

Source: CCN
Type: IBM Security Bulletin T1025538 (SmartCloud Entry)
Multiple vulnerabilities in coreutils, sudo, jasper, bind, bash, libtirpc, nss and nss-util affect IBM SmartCloud Entry

Source: CCN
Type: IBM Security Bulletin S1010530 (FlashSystem 840)
Vulnerability in Mozilla NSS affects the IBM FlashSystem models 840 and 900

Source: CCN
Type: IBM Security Bulletin S1010531 (FlashSystem V840)
Vulnerability in Mozilla NSS affects the IBM FlashSystem model V840

Source: CCN
Type: IBM Security Bulletin 2011971 (Security Directory Suite)
Multiple security vulnerabilities have been fixed in products bundled with IBM Security Directory Suite 8.0.1

Source: CCN
Type: BID-98744
Mozilla Network Security Services CVE-2017-7502 Denial of Service Vulnerability

Source: secalert@redhat.com
Type: Third Party Advisory, VDB Entry
secalert@redhat.com

Source: XF
Type: UNKNOWN
nss-cve20177502-dos(126599)

Source: CCN
Type: Mozilla Bug 1328122
Fix various ssl3_GatherData() issues r=mt,franziskus

Source: secalert@redhat.com
Type: Patch
secalert@redhat.com

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-7502

Vulnerable Configuration:

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*
Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*
Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*
Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*
Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*
Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*
Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*
Configuration RedHat 9:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*
Configuration RedHat 10:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:mozilla:network_security_services:3.24.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:smartcloud_entry:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_entry:3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_entry:2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_entry:2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:powerkvm:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:powerkvm:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_directory_suite:8.0.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:com.redhat.rhsa:def:20171364 | P | RHSA-2017:1364: nss security and bug fix update (Important) | 2017-05-30
oval:com.ubuntu.xenial:def:201775020000000 | V | CVE-2017-7502 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-05-30
oval:com.redhat.rhsa:def:20171365 | P | RHSA-2017:1365: nss security and bug fix update (Important) | 2017-05-30
oval:com.ubuntu.trusty:def:20177502000 | V | CVE-2017-7502 on Ubuntu 14.04 LTS (trusty) - medium. | 2017-05-30
oval:com.ubuntu.xenial:def:20177502000 | V | CVE-2017-7502 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-05-30

    mozilla network security services 3.24.0
    ibm smartcloud entry 3.1
    ibm smartcloud entry 3.2
    ibm smartcloud entry 2.3
    ibm smartcloud entry 2.4
    ibm powerkvm 2.1
    ibm powerkvm 3.1
    ibm security directory suite 8.0.1