CVE-2017-5462
First published: Wed Apr 19 2017(Updated: )
A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox 53 has been updated with NSS version 3.29.5.
Credit: security@mozilla.org security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Thunderbird | <52.1 | 52.1 |
| Mozilla Firefox ESR | <52.1 | 52.1 |
| Mozilla Firefox ESR | <45.9 | 45.9 |
| Mozilla Firefox | <53 | 53 |
| Debian GNU/Linux | =8.0 | |
| Mozilla Firefox | <53.0 | |
| Mozilla Firefox | =52.0 | |
| Mozilla Firefox ESR | <45.9.0 | |
| Mozilla NSS ESR | <3.28.4 | |
| Mozilla Thunderbird | <52.1.0 | |
| Mozilla Firefox ESR | =52.0 | |
| debian/firefox | 135.0-1 | |
| debian/firefox-esr | 115.14.0esr-1~deb11u1 128.7.0esr-1~deb11u1 128.5.0esr-1~deb12u1 128.7.0esr-1~deb12u1 128.7.0esr-1 | |
| debian/nss | 2:3.61-1+deb11u3 2:3.61-1+deb11u4 2:3.87.1-1+deb12u1 2:3.107-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1345089
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/
- https://www.mozilla.org/security/advisories/mfsa2017-10/
- https://www.mozilla.org/security/advisories/mfsa2017-11/
- https://www.mozilla.org/security/advisories/mfsa2017-12/
- https://www.mozilla.org/security/advisories/mfsa2017-13/
- https://www.debian.org/security/2017/dsa-3831
- https://www.debian.org/security/2017/dsa-3872
- https://security.gentoo.org/glsa/201705-04
- http://www.securityfocus.com/bid/97940
- http://www.securitytracker.com/id/1038320
- https://launchpad.net/bugs/cve/CVE-2017-5462
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/#CVE-2017-5461
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5462
- https://hg.mozilla.org/projects/nss/rev/7248d38b76e5
- https://security-tracker.debian.org/tracker/CVE-2017-5462
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5462
- https://nvd.nist.gov/vuln/detail/CVE-2017-5462
- https://ubuntu.com/security/CVE-2017-5462
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2017-5433
- CVE-2017-5435
- CVE-2017-5436
- CVE-2017-5461
- CVE-2017-5459
- CVE-2017-5466
- CVE-2017-5434
- CVE-2017-5432
- CVE-2017-5460
- CVE-2017-5438
- CVE-2017-5439
- CVE-2017-5440
- CVE-2017-5441
- CVE-2017-5442
- CVE-2017-5464
- CVE-2017-5443
- CVE-2017-5444
- CVE-2017-5446
- CVE-2017-5447
- CVE-2017-5465
- CVE-2016-10196
- CVE-2017-5454
- CVE-2017-5469
- CVE-2017-5445
- CVE-2017-5449
- CVE-2017-5451
- CVE-2017-5462
- CVE-2017-5467
- CVE-2017-5430
- CVE-2017-5429
- CVE-2017-5448
- CVE-2017-5455
- CVE-2017-5456
- CVE-2017-5450
- CVE-2017-5463
- CVE-2017-5452
- CVE-2017-5453
- CVE-2017-5458
- CVE-2017-5468
Frequently Asked Questions
What is the severity of CVE-2017-5462?
CVE-2017-5462 has been classified as medium severity due to its impact on the pseudorandom number generation.
How do I fix CVE-2017-5462?
To fix CVE-2017-5462, upgrade to Firefox version 53 or later, Thunderbird version 52.2 or later, or Firefox ESR version 52.1 or later.
What products are affected by CVE-2017-5462?
CVE-2017-5462 affects Mozilla Firefox versions up to 53, Firefox ESR versions up to 52.1, and Thunderbird versions up to 52.1.
What is the impact of CVE-2017-5462?
The impact of CVE-2017-5462 could allow an attacker to predict or influence the outcome of cryptographic operations using the flawed pseudorandom number generator.
Is CVE-2017-5462 a vulnerability in third-party software?
CVE-2017-5462 specifically affects Mozilla's products such as Firefox and Thunderbird and does not directly impact third-party software.
- collector/mozilla-advisory
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/remedy
- agent/severity
- source/Mozilla
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/author
- agent/last-modified-date
- agent/trending
- agent/source
- agent/event
- collector/security-tracker-debian
- source/Debian
- collector/nvd-api
- source/NVD
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- collector/nvd-index
- vendor/mozilla
- canonical/mozilla thunderbird
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- package-manager/debian
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- version/mozilla firefox/52.0
- canonical/mozilla nss esr
- version/mozilla firefox esr/52.0