PT-2015-2971 · Mozilla · Network Security Services
Karthikeyan Bhargavan · Published 2015-12-22 · Updated 2024-12-12 · CVE-2015-7575
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Mozilla Firefox versions prior to 43.0.2
Mozilla Firefox ESR versions prior to 38.5.2
Mozilla Network Security Services (NSS) versions prior to 3.20.2
Oracle Java SE (affected versions not specified)
Description
The issue is related to errors in the code of a security component, which a remote attacker can exploit using network packets to gain read, modify, add, or delete access to data. Specifically, the problem lies in the handling of TLS 1.2 Handshake Protocol traffic: MD5 signatures in Server Key Exchange messages are not rejected. This makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision, potentially allowing them to impersonate a TLS server and obtain credentials.
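The check the description says was missing, as an added Python example (not code from NSS, Firefox, Java or this advisory): a client reads the SignatureAndHashAlgorithm pair from a TLS 1.2 ServerKeyExchange and aborts on MD5 or on any pair it did not offer in signature_algorithms. The function names, the `REJECTED_HASHES` policy and the sample messages are assumptions made for illustration; only the ECDHE named-curve layout is handled, and the signature itself is not verified.

```python
import struct

# HashAlgorithm / SignatureAlgorithm code points from RFC 5246, section 7.4.1.4.1
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
REJECTED_HASHES = {"none", "md5"}  # assumption: local policy for this example

class HandshakeError(Exception):
    """Raised when the handshake must be aborted."""

def parse_ecdhe_ske(body):
    """Return (hash, sig) names from an ECDHE named-curve ServerKeyExchange body."""
    try:
        curve_type, _curve, pub_len = struct.unpack_from("!BHB", body, 0)
        off = 4 + pub_len  # skip ECParameters and the server's public point
        hash_id, sig_id, sig_len = struct.unpack_from("!BBH", body, off)
    except struct.error as exc:
        raise HandshakeError("truncated ServerKeyExchange") from exc
    if curve_type != 3:  # 3 = named_curve
        raise HandshakeError("unsupported ECParameters type")
    if len(body) - (off + 4) != sig_len:
        raise HandshakeError("signature length mismatch")
    return HASHES.get(hash_id, "unknown"), SIGS.get(sig_id, "unknown")

def check_ske_signature(body, offered):
    """Accept the pair only if policy allows it and the client offered it."""
    pair = parse_ecdhe_ske(body)
    if pair[0] in REJECTED_HASHES or "unknown" in pair:
        raise HandshakeError("rejected signature algorithm: %s/%s" % pair)
    if pair not in offered:
        raise HandshakeError("algorithm not in signature_algorithms: %s/%s" % pair)
    return pair

def build_ske(hash_id, sig_id):
    """Constructed sample message: secp256r1 (23), dummy point and signature."""
    pub, sig = b"\x04" + bytes(64), bytes(8)
    return (struct.pack("!BHB", 3, 23, len(pub)) + pub
            + struct.pack("!BBH", hash_id, sig_id, len(sig)) + sig)

OFFERED = {("sha256", "rsa"), ("sha384", "rsa"), ("sha256", "ecdsa")}  # constructed

if __name__ == "__main__":
    for h, s in [(4, 1), (1, 1), (2, 1)]:  # sha256/rsa, md5/rsa, sha1/rsa
        try:
            print("accepted", check_ske_signature(build_ske(h, s), OFFERED))
        except HandshakeError as err:
            print("aborted:", err)
```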
Recommendations
For Mozilla Firefox versions prior to 43.0.2, update to version 43.0.2 or later to resolve the issue.
For Mozilla Firefox ESR versions prior to 38.5.2, update to version 38.5.2 or later to resolve the issue.
For Mozilla Network Security Services (NSS) versions prior to 3.20.2, update to version 3.20.2 or later to resolve the issue.
For Oracle Java SE, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
Affected Products
ALT Linux
CentOS
IBM AIX
Java Platform
Firefox
Firefox ESR
Network Security Services
Oracle Java SE
Red Hat
SUSE
Ubuntu