CVE-2017-5462
5.3
MEDIUM
CVSS 3.1
EPSS 1.1%
Description
A flaw in DRBG number generation within the Network Security Services (NSS) library, where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue, and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
How to fix CVE-2017-5462
To remediate CVE-2017-5462, upgrade the affected package to a fixed version below.
- upgrade to 3.23-r1 or later
- upgrade to 45.9.0esr-1 or later
- upgrade to 2:3.26.2-1.1 or later
Is CVE-2017-5462 being exploited?
Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 3.23-r1
- from 0, < 45.9.0esr-1
- from 0, < 2:3.26.2-1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |