CVE-2015-7182

Summary

CVE: CVE-2015-7182
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2015-11-05 05:59:00 UTC
Updated: 2017-11-04 01:29:00 UTC
Description: Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data.

Risk And Classification

Problem Types: CWE-119

NVD Known Affected Configurations (CPE 2.3)

| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Mozilla | Firefox | All | All | All | All |
| Application | Mozilla | Firefox ESR | 38.0 | All | All | All |
| Application | Mozilla | Firefox ESR | 38.0.1 | All | All | All |
| Application | Mozilla | Firefox ESR | 38.0.5 | All | All | All |
| Application | Mozilla | Firefox ESR | 38.1.0 | All | All | All |
| Application | Mozilla | Firefox ESR | 38.1.1 | All | All | All |
| Application | Mozilla | Firefox ESR | 38.2.0 | All | All | All |
| Application | Mozilla | Firefox ESR | 38.2.1 | All | All | All |
| Application | Mozilla | Firefox ESR | 38.3.0 | All | All | All |
| Application | Mozilla | Network Security Services | 3.20.0 | All | All | All |
| Application | Mozilla | Network Security Services | All | All | All | All |
| Application | Oracle | Glassfish Server | 2.1.1 | All | All | All |
| Application | Oracle | Iplanet Web Proxy Server | 4.0 | All | All | All |
| Application | Oracle | Iplanet Web Server | 7.0 | All | All | All |
| Application | Oracle | Opensso | 3.0-0.7 | All | All | All |
| Application | Oracle | Traffic Director | 11.1.1.7.0 | All | All | All |
| Application | Oracle | Traffic Director | 11.1.1.9.0 | All | All | All |

References

Reference Source Link Tags
Oracle Solaris Bulletin - April 2016 CONFIRM www.oracle.com
Oracle Critical Patch Update Advisory - April 2016 CONFIRM www.oracle.com Patch
Mozilla Network Security Services Memory Corruption and Heap Buffer Overflow Vulnerabilities BID www.securityfocus.com
Oracle Critical Patch Update - July 2016 CONFIRM www.oracle.com
[security-announce] SUSE-SU-2015:1978-1: important: Security update for SUSE lists.opensuse.org
Oracle July 2016 Critical Patch Update Multiple Vulnerabilities BID www.securityfocus.com
openSUSE-SU-2015:2245-1: moderate: Security update for Mozilla Thunderbi SUSE lists.opensuse.org
openSUSE-SU-2015:2229-1: moderate: Security update for MozillaThunderbir SUSE lists.opensuse.org
USN-2791-1: NSS vulnerabilities | Ubuntu UBUNTU www.ubuntu.com
Mozilla Products: Multiple vulnerabilities (GLSA 201605-06) — Gentoo security GENTOO security.gentoo.org
NSS 3.20.1 release notes - Mozilla | MDN CONFIRM developer.mozilla.org Vendor Advisory
[security-announce] SUSE-SU-2015:1981-1: important: Security update for SUSE lists.opensuse.org
[security-announce] SUSE-SU-2015:1926-1: important: Security update for SUSE lists.opensuse.org
NSS and NSPR memory corruption issues — Mozilla CONFIRM www.mozilla.org Vendor Advisory
Red Hat Customer Portal REDHAT rhn.redhat.com
Debian -- Security Information -- DSA-3688-1 nss DEBIAN www.debian.org
The Slackware Linux Project: Slackware Security Advisories SLACKWARE www.slackware.com
Oracle VM Server for x86 Bulletin - July 2016 CONFIRM www.oracle.com
Debian -- Security Information -- DSA-3393-1 iceweasel DEBIAN www.debian.org
USN-2819-1: Thunderbird vulnerabilities | Ubuntu UBUNTU www.ubuntu.com
Debian -- Security Information -- DSA-3410-1 icedove DEBIAN www.debian.org
Oracle Linux Bulletin - October 2015 CONFIRM www.oracle.com
1202868 - (CVE-2015-7182) ASN.1 decoder heap overflow when decoding constructed OCTET STRING that mixes indefinite and definite length encodings CONFIRM bugzilla.mozilla.org
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Conduct Cross-Site Scripting Attacks - SecurityTracker SECTRACK www.securitytracker.com
Red Hat Customer Portal REDHAT rhn.redhat.com
Mozilla Products: Multiple vulnerabilities (GLSA 201512-10) — Gentoo Security GENTOO security.gentoo.org
Slackware Security Advisory - mozilla-nss Updates ≈ Packet Storm MISC packetstormsecurity.com
NSS 3.19.4 release notes - Mozilla | MDN CONFIRM developer.mozilla.org Vendor Advisory
Broadcom Support Portal CONFIRM bto.bluecoat.com
[security-announce] openSUSE-SU-2015:1942-1: important: Security update SUSE lists.opensuse.org
[security-announce] SUSE-SU-2015:2081-1: important: Security update for SUSE lists.opensuse.org
Oracle Critical Patch Update - October 2017 CONFIRM www.oracle.com
NSS 3.19.2.1 release notes - Mozilla | MDN CONFIRM developer.mozilla.org Vendor Advisory
USN-2785-1: Firefox vulnerabilities | Ubuntu UBUNTU www.ubuntu.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 904894 Common Base Linux Mariner (CBL-Mariner) Security Update for openjdk8 (12399)