Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html
http://rhn.redhat.com/errata/RHSA-2016-0049.html
http://rhn.redhat.com/errata/RHSA-2016-0050.html
http://rhn.redhat.com/errata/RHSA-2016-0053.html
http://rhn.redhat.com/errata/RHSA-2016-0054.html
http://rhn.redhat.com/errata/RHSA-2016-0055.html
http://rhn.redhat.com/errata/RHSA-2016-0056.html
http://www.debian.org/security/2016/dsa-3436
http://www.debian.org/security/2016/dsa-3437
http://www.debian.org/security/2016/dsa-3457
http://www.debian.org/security/2016/dsa-3458
http://www.debian.org/security/2016/dsa-3465
http://www.debian.org/security/2016/dsa-3491
http://www.debian.org/security/2016/dsa-3688
http://www.mozilla.org/security/announce/2015/mfsa2015-150.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
http://www.securityfocus.com/bid/79684
http://www.securityfocus.com/bid/91787
http://www.securitytracker.com/id/1034541
http://www.securitytracker.com/id/1036467
http://www.ubuntu.com/usn/USN-2863-1
http://www.ubuntu.com/usn/USN-2864-1
http://www.ubuntu.com/usn/USN-2865-1
http://www.ubuntu.com/usn/USN-2866-1
http://www.ubuntu.com/usn/USN-2884-1
http://www.ubuntu.com/usn/USN-2904-1
https://access.redhat.com/errata/RHSA-2016:1430
https://bugzilla.mozilla.org/show_bug.cgi?id=1158489
https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes
https://security.gentoo.org/glsa/201701-46
https://security.gentoo.org/glsa/201706-18
Source: MITRE
Published: 2016-01-09
Updated: 2018-10-30
Type: CWE-19
Base Score: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Impact Score: 2.9
Exploitability Score: 8.6
Severity: MEDIUM
Base Score: 5.9
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Impact Score: 3.6
Exploitability Score: 2.2
Severity: MEDIUM
OR
cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:* versions up to 3.20.1 (inclusive)
OR
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
OR
cpe:2.3:a:mozilla:firefox_esr:38.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.1.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.1.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.2.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.2.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.3.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.4.0:*:*:*:*:*:*:*
OR
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
OR
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* versions up to 43.0.1 (inclusive)
ID | Name | Product | Family | Severity |
---|---|---|---|---|
124891 | EulerOS Virtualization for ARM 64 3.0.1.0 : gnutls (EulerOS-SA-2019-1388) | Nessus | Huawei Local Security Checks | medium |
700654 | Oracle Java SE 6 < Update 111 / 7 < Update 95 / 8 < Update 71 Multiple Vulnerabilities (January 2016 CPU) (SLOTH) | Nessus Network Monitor | Web Clients | critical |
119974 | SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0428-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
106039 | GLSA-201801-15 : PolarSSL: Multiple vulnerabilities (SLOTH) | Nessus | Gentoo Local Security Checks | high |
104123 | AIX bind Advisory : nettcp_advisory2.asc (IV86116) (IV86117) (IV86118) (IV86119) (IV86120) (IV86132) | Nessus | AIX Local Security Checks | medium |
100944 | GLSA-201706-18 : mbed TLS: Multiple vulnerabilities (SLOTH) | Nessus | Gentoo Local Security Checks | medium |
96643 | GLSA-201701-46 : Mozilla Network Security Service (NSS): Multiple vulnerabilities (Logjam) (SLOTH) | Nessus | Gentoo Local Security Checks | medium |
94181 | AIX 5.3 TL 12 : nettcp (IV88960) (SLOTH) | Nessus | AIX Local Security Checks | medium |
94180 | AIX 5.3 TL 12 : nettcp (IV88959) (SLOTH) | Nessus | AIX Local Security Checks | medium |
94179 | AIX 5.3 TL 12 : nettcp (IV88957) (SLOTH) (deprecated) | Nessus | AIX Local Security Checks | medium |
94178 | AIX 7.1 TL 3 : nettcp (IV82412) (SLOTH) | Nessus | AIX Local Security Checks | medium |
94177 | AIX 7.1 TL 3 : nettcp (IV82331) (SLOTH) (deprecated) | Nessus | AIX Local Security Checks | medium |
94176 | AIX 7.1 TL 3 : nettcp (IV82330) (SLOTH) | Nessus | AIX Local Security Checks | medium |
94175 | AIX 7.1 TL 3 : nettcp (IV82328) (SLOTH) | Nessus | AIX Local Security Checks | medium |
94174 | AIX 7.1 TL 3 : nettcp (IV82327) (SLOTH) | Nessus | AIX Local Security Checks | medium |
94173 | AIX 6.1 TL 9 : nettcp (IV79072) (SLOTH) | Nessus | AIX Local Security Checks | medium |
94172 | AIX 6.1 TL 9 : nettcp (IV79071) (SLOTH) (deprecated) | Nessus | AIX Local Security Checks | medium |
94171 | AIX 6.1 TL 9 : nettcp (IV79070) (SLOTH) | Nessus | AIX Local Security Checks | medium |
94170 | AIX 6.1 TL 9 : nettcp (IV78625) (SLOTH) | Nessus | AIX Local Security Checks | medium |
94169 | AIX 6.1 TL 9 : nettcp (IV78624) (SLOTH) | Nessus | AIX Local Security Checks | medium |
93871 | Debian DSA-3688-1 : nss - security update (Logjam) (SLOTH) | Nessus | Debian Local Security Checks | high |
92565 | AIX 7.2 TL 0 : nettcp (IV86132) (SLOTH) | Nessus | AIX Local Security Checks | medium |
92564 | AIX 5.3 TL 12 : nettcp (IV86120) (SLOTH) | Nessus | AIX Local Security Checks | medium |
92563 | AIX 7.2 TL 0 : nettcp (IV86119) (SLOTH) | Nessus | AIX Local Security Checks | medium |
92562 | AIX 7.1 TL 4 : nettcp (IV86118) (SLOTH) | Nessus | AIX Local Security Checks | medium |
92561 | AIX 7.1 TL 3 : nettcp (IV86117) (SLOTH) | Nessus | AIX Local Security Checks | medium |
92560 | AIX 6.1 TL 9 : nettcp (IV86116) (SLOTH) | Nessus | AIX Local Security Checks | medium |
92400 | RHEL 5 / 6 : java-1.7.0-ibm and java-1.7.1-ibm (RHSA-2016:1430) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
91379 | GLSA-201605-06 : Mozilla Products: Multiple vulnerabilities (Logjam) (SLOTH) | Nessus | Gentoo Local Security Checks | critical |
91154 | OracleVM 3.3 / 3.4 : openssl (OVMSA-2016-0049) (SLOTH) | Nessus | OracleVM Local Security Checks | critical |
89989 | SUSE SLES10 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0776-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
89961 | SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0770-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
89842 | Amazon Linux AMI : openssl (ALAS-2016-661) (DROWN) (SLOTH) | Nessus | Amazon Linux Local Security Checks | critical |
89776 | Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : thunderbird vulnerabilities (USN-2904-1) (SLOTH) | Nessus | Ubuntu Local Security Checks | critical |
89657 | SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2016:0636-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
89053 | AIX Java Advisory : java_jan2016_advisory.asc (January 2016 CPU) (SLOTH) | Nessus | AIX Local Security Checks | critical |
89021 | SUSE SLES11 Security Update : MozillaFirefox, MozillaFirefox-branding-SLED, MozillaFirefox-branding-SLES-for-VMware, mozilla-nss (SUSE-SU-2016:0584-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
89018 | openSUSE Security Update : bouncycastle (openSUSE-2016-282) (SLOTH) | Nessus | SuSE Local Security Checks | medium |
88943 | Debian DSA-3491-1 : icedove - security update (SLOTH) | Nessus | Debian Local Security Checks | critical |
9076 | Mozilla Firefox < 43.0.2 RSA-MD5 Collision-based Forgery Weakness (SLOTH) | Nessus Network Monitor | Web Clients | medium |
88830 | openSUSE Security Update : Thunderbird (openSUSE-2016-225) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88710 | SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2016:0433-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88709 | SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0431-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88703 | F5 Networks BIG-IP : SLOTH: TLS 1.2 handshake vulnerability (K02201365) (SLOTH) | Nessus | F5 Networks Local Security Checks | medium |
88692 | SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2016:0390-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88663 | Amazon Linux AMI : gnutls (ALAS-2016-651) (SLOTH) | Nessus | Amazon Linux Local Security Checks | medium |
88659 | Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2016-647) (SLOTH) | Nessus | Amazon Linux Local Security Checks | critical |
88657 | Amazon Linux AMI : nss (ALAS-2016-645) (SLOTH) | Nessus | Amazon Linux Local Security Checks | medium |
88655 | Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2016-643) (SLOTH) | Nessus | Amazon Linux Local Security Checks | critical |
88591 | AIX OpenSSL Advisory : openssl_advisory16.asc (SLOTH) | Nessus | AIX Local Security Checks | medium |
88580 | Debian DLA-410-1 : openjdk-6 security update (SLOTH) | Nessus | Debian Local Security Checks | critical |
88568 | Debian DSA-3465-1 : openjdk-6 - security update (SLOTH) | Nessus | Debian Local Security Checks | critical |
88557 | RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2016:0101) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
88556 | RHEL 5 : java-1.7.0-ibm (RHSA-2016:0100) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
88555 | RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2016:0099) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
88554 | RHEL 7 : java-1.8.0-ibm (RHSA-2016:0098) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
88550 | openSUSE Security Update : SeaMonkey (openSUSE-2016-129) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88547 | openSUSE Security Update : seamonkey (openSUSE-2016-126) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88541 | openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-115) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88540 | openSUSE Security Update : Java7 (openSUSE-2016-110) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88538 | openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-107) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88537 | openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-106) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88536 | openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-105) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88516 | Ubuntu 14.04 LTS / 15.04 / 15.10 : openjdk-7 vulnerabilities (USN-2884-1) (SLOTH) | Nessus | Ubuntu Local Security Checks | critical |
88486 | SUSE SLED11 Security Update : java-1_7_0-openjdk (SUSE-SU-2016:0269-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88485 | SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2016:0265-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88453 | SUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2016:0256-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
88427 | Debian DSA-3458-1 : openjdk-7 - security update (SLOTH) | Nessus | Debian Local Security Checks | critical |
88426 | Debian DSA-3457-1 : iceweasel - security update (SLOTH) | Nessus | Debian Local Security Checks | critical |
88132 | openSUSE Security Update : polarssl (openSUSE-2016-60) (SLOTH) | Nessus | SuSE Local Security Checks | medium |
88131 | openSUSE Security Update : mbedtls (openSUSE-2016-59) (SLOTH) | Nessus | SuSE Local Security Checks | medium |
88082 | SUSE SLED11 / SLES11 Security Update : mozilla-nss (SUSE-SU-2016:0189-1) (SLOTH) | Nessus | SuSE Local Security Checks | medium |
88080 | Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20160121) (SLOTH) | Nessus | Scientific Linux Local Security Checks | critical |
88079 | Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x, SL7.x i386/x86_64 (20160121) (SLOTH) | Nessus | Scientific Linux Local Security Checks | critical |
88078 | Scientific Linux Security Update : java-1.8.0-openjdk on SL7.x x86_64 (20160120) (SLOTH) | Nessus | Scientific Linux Local Security Checks | critical |
88075 | RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2016:0056) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
88074 | RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2016:0055) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
88073 | RHEL 5 / 7 : java-1.7.0-openjdk (RHSA-2016:0054) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
88072 | RHEL 6 : java-1.7.0-openjdk (RHSA-2016:0053) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
88071 | Oracle Linux 5 / 7 : java-1.7.0-openjdk (ELSA-2016-0054) (SLOTH) | Nessus | Oracle Linux Local Security Checks | critical |
88070 | Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2016-0053) (SLOTH) | Nessus | Oracle Linux Local Security Checks | critical |
88069 | Oracle Linux 6 : java-1.8.0-openjdk (ELSA-2016-0050) (SLOTH) | Nessus | Oracle Linux Local Security Checks | critical |
88063 | CentOS 5 / 7 : java-1.7.0-openjdk (CESA-2016:0054) (SLOTH) | Nessus | CentOS Local Security Checks | critical |
88062 | CentOS 6 : java-1.7.0-openjdk (CESA-2016:0053) (SLOTH) | Nessus | CentOS Local Security Checks | critical |
88061 | CentOS 6 : java-1.8.0-openjdk (CESA-2016:0050) (SLOTH) | Nessus | CentOS Local Security Checks | critical |
88060 | CentOS 7 : java-1.8.0-openjdk (CESA-2016:0049) (SLOTH) | Nessus | CentOS Local Security Checks | critical |
88046 | Oracle Java SE Multiple Vulnerabilities (January 2016 CPU) (SLOTH) (Unix) | Nessus | Misc. | critical |
88045 | Oracle Java SE Multiple Vulnerabilities (January 2016 CPU) (SLOTH) | Nessus | Windows | critical |
88041 | Oracle JRockit R28 < R28.3.9 Multiple Vulnerabilities (January 2016 CPU) (SLOTH) | Nessus | Windows | critical |
88037 | Scientific Linux Security Update : java-1.8.0-openjdk on SL6.x i386/x86_64 (20160120) (SLOTH) | Nessus | Scientific Linux Local Security Checks | critical |
88036 | RHEL 6 : java-1.8.0-openjdk (RHSA-2016:0050) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
88035 | RHEL 7 : java-1.8.0-openjdk (RHSA-2016:0049) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
88031 | Oracle Linux 7 : java-1.8.0-openjdk (ELSA-2016-0049) (SLOTH) | Nessus | Oracle Linux Local Security Checks | critical |
87988 | SUSE SLED12 / SLES12 Security Update : mozilla-nss (SUSE-SU-2016:0149-1) (SLOTH) | Nessus | SuSE Local Security Checks | medium |
87846 | Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : firefox vulnerability (USN-2866-1) (SLOTH) | Nessus | Ubuntu Local Security Checks | medium |
87845 | Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : gnutls26, gnutls28 vulnerability (USN-2865-1) (SLOTH) | Nessus | Ubuntu Local Security Checks | medium |
87841 | Scientific Linux Security Update : openssl on SL6.x, SL7.x i386/x86_64 (20160107) (SLOTH) | Nessus | Scientific Linux Local Security Checks | medium |
87840 | Scientific Linux Security Update : nss on SL6.x, SL7.x i386/x86_64 (20160107) (SLOTH) | Nessus | Scientific Linux Local Security Checks | medium |
87838 | Scientific Linux Security Update : gnutls on SL6.x, SL7.x i386/x86_64 (20160107) (SLOTH) | Nessus | Scientific Linux Local Security Checks | medium |
87828 | Debian DSA-3437-1 : gnutls26 - security update (SLOTH) | Nessus | Debian Local Security Checks | medium |
87827 | Debian DSA-3436-1 : openssl - security update (SLOTH) | Nessus | Debian Local Security Checks | medium |
87816 | Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : nss vulnerability (USN-2864-1) (SLOTH) | Nessus | Ubuntu Local Security Checks | medium |
87815 | Ubuntu 12.04 LTS : openssl vulnerability (USN-2863-1) (SLOTH) | Nessus | Ubuntu Local Security Checks | medium |
87812 | RHEL 6 / 7 : gnutls (RHSA-2016:0012) (SLOTH) | Nessus | Red Hat Local Security Checks | medium |
87808 | RHEL 6 / 7 : openssl (RHSA-2016:0008) (SLOTH) | Nessus | Red Hat Local Security Checks | medium |
87807 | RHEL 6 / 7 : nss (RHSA-2016:0007) (SLOTH) | Nessus | Red Hat Local Security Checks | medium |
87800 | OracleVM 3.3 : openssl (OVMSA-2016-0001) (SLOTH) | Nessus | OracleVM Local Security Checks | medium |
87799 | Oracle Linux 6 / 7 : gnutls (ELSA-2016-0012) (SLOTH) | Nessus | Oracle Linux Local Security Checks | medium |
87795 | Oracle Linux 6 / 7 : openssl (ELSA-2016-0008) (SLOTH) | Nessus | Oracle Linux Local Security Checks | medium |
87794 | Oracle Linux 6 / 7 : nss (ELSA-2016-0007) (SLOTH) | Nessus | Oracle Linux Local Security Checks | medium |
87785 | CentOS 6 / 7 : gnutls (CESA-2016:0012) (SLOTH) | Nessus | CentOS Local Security Checks | medium |
87781 | CentOS 6 / 7 : openssl (CESA-2016:0008) (SLOTH) | Nessus | CentOS Local Security Checks | medium |
87780 | CentOS 6 / 7 : nss (CESA-2016:0007) (SLOTH) | Nessus | CentOS Local Security Checks | medium |
87719 | openSUSE Security Update : MozillaFirefox (openSUSE-2016-6) (SLOTH) | Nessus | SuSE Local Security Checks | medium |
87717 | openSUSE Security Update : mozilla-nss (openSUSE-2015-978) (SLOTH) | Nessus | SuSE Local Security Checks | medium |
87609 | FreeBSD : NSS -- MD5 downgrade in TLS 1.2 signatures (10f7bc76-0335-4a88-b391-0b05b3a8ce1c) (SLOTH) | Nessus | FreeBSD Local Security Checks | medium |