CVE-2016-2818
high
CVSS v3
8.8
CVSS v2
6.8
VIR risk
8.8
Description
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Predictions
Exploit likelihood
92%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-2818
Vendor advisory: security@mozilla.org — http://www.mozilla.org/security/announce/2016/mfsa2016-49.html
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-2818.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | sid | fixed | 47.0-1 |
| debian | bookworm | fixed | 45.2.0esr-1 |
| debian | bullseye | fixed | 45.2.0esr-1 |
| debian | forky | fixed | 45.2.0esr-1 |
| debian | trixie | fixed | 45.2.0esr-1 |
| rhel | 5.0 | affected | |
| rhel | 6.0 | affected | |
| rhel | 7.0 | affected | |
| ubuntu | 12.04 | affected | |
| ubuntu | 14.04 | affected | |
| ubuntu | 15.10 | affected | |
| ubuntu | 16.04 | affected | |
| debian | 8.0 | affected | |
| suse | 12.0 | affected | |
| suse | 42.1 | affected | |
| suse | 13.1 | affected | |
| suse | 13.2 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| mozilla | firefox | 45.1.0 | |
| mozilla | firefox | 45.1.1 | |
| mozilla | firefox | {"endIncluding":"46.0.1"} | |
| novell | suse_linux_enterprise_software_development_kit | 12.0 | |
| novell | suse_package_hub_for_suse_linux_enterprise | 12 | |
References
- https://www.suse.com/security/cve/CVE-2016-2818.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00055.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00008.html
- http://www.debian.org/security/2016/dsa-3600
- http://www.debian.org/security/2016/dsa-3647
- http://www.mozilla.org/security/announce/2016/mfsa2016-49.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- http://www.securityfocus.com/bid/91075
- http://www.securitytracker.com/id/1036057
- http://www.ubuntu.com/usn/USN-2993-1
- http://www.ubuntu.com/usn/USN-3023-1
- https://access.redhat.com/errata/RHSA-2016:1217
- https://access.redhat.com/errata/RHSA-2016:1392
- https://bugzilla.mozilla.org/show_bug.cgi?id=1234147
- https://bugzilla.mozilla.org/show_bug.cgi?id=1256493
- https://bugzilla.mozilla.org/show_bug.cgi?id=1256739
- https://bugzilla.mozilla.org/show_bug.cgi?id=1256968
- https://bugzilla.mozilla.org/show_bug.cgi?id=1261230
- https://bugzilla.mozilla.org/show_bug.cgi?id=1261752
- https://bugzilla.mozilla.org/show_bug.cgi?id=1263384
CWEs
CWE-119
Verify integrity in audit chain (admin only). AS-IS.