Vulnerabilities > CVE-2015-4497 - Use After Free Denial of Service vulnerability in Mozilla Firefox and Firefox ESR

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
mozilla
critical
nessus

Summary

Use-after-free vulnerability in the CanvasRenderingContext2D implementation in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to execute arbitrary code by leveraging improper interaction between resize events and changes to Cascading Style Sheets (CSS) token sequences for a CANVAS element. <a href="http://cwe.mitre.org/data/definitions/416.html">CWE-416: Use After Free</a>

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-565.NASL
    descriptionMozillaFirefox was updated to version 40.0.3 to fix two security issues and several bugs. Changes in MozillaFirefox : - update to Firefox 40.0.3 (bnc#943550) - Disable the asynchronous plugin initialization (bmo#1198590) - Fix a segmentation fault in the GStreamer support (bmo#1145230) - Fix a regression with some Japanese fonts used in the <input> field (bmo#1194055) - On some sites, the selection in a select combox box using the mouse could be broken (bmo#1194733) security fixes - MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278, bsc#943557) Use-after-free when resizing canvas element during restyling - MFSA 2015-95/CVE-2015-4498 (bmo#1042699, bsc#943558) Add-on notification bypass through data URLs
    last seen2020-06-05
    modified2015-09-08
    plugin id85834
    published2015-09-08
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85834
    titleopenSUSE Security Update : MozillaFirefox (openSUSE-2015-565)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FIREFOX_40_0_3.NASL
    descriptionThe version of Mozilla Firefox installed on the remote Mac OS X host is prior to 40.0.3. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists when handling restyling operations during the resizing of canvas elements due to the canvas references being recreated, thus destroying the original references. A remote, unauthenticated attacker can exploit this to deference already freed memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-4497) - A security feature bypass vulnerability exists due to a flaw that allows the manipulation of the
    last seen2020-06-01
    modified2020-06-02
    plugin id85687
    published2015-08-28
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85687
    titleFirefox < 40.0.3 Multiple Vulnerabilities (Mac OS X)
  • NASL familyWindows
    NASL idMOZILLA_FIREFOX_40_0_3.NASL
    descriptionThe version of Mozilla Firefox installed on the remote Windows host is prior to 40.0.3. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists when handling restyling operations during the resizing of canvas elements due to the canvas references being recreated, thus destroying the original references. A remote, unauthenticated attacker can exploit this to deference already freed memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-4497) - A security feature bypass vulnerability exists due to a flaw that allows the manipulation of the
    last seen2020-06-01
    modified2020-06-02
    plugin id85689
    published2015-08-28
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85689
    titleFirefox < 40.0.3 Multiple Vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3345.NASL
    descriptionMultiple security issues have been found in Iceweasel, Debian
    last seen2020-06-01
    modified2020-06-02
    plugin id85696
    published2015-08-31
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85696
    titleDebian DSA-3345-1 : iceweasel - security update
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1693.NASL
    descriptionUpdated firefox packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4497) A flaw was found in the way Firefox handled installation of add-ons. An attacker could use this flaw to bypass the add-on installation prompt, and trick the user inso installing an add-on from a malicious source. (CVE-2015-4498) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jean-Max Reymond, Ucha Gobejishvili, and Bas Venis as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.2.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
    last seen2020-05-31
    modified2015-08-28
    plugin id85680
    published2015-08-28
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85680
    titleRHEL 5 / 6 / 7 : firefox (RHSA-2015:1693)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150827_FIREFOX_ON_SL5_X.NASL
    descriptionA flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4497) A flaw was found in the way Firefox handled installation of add-ons. An attacker could use this flaw to bypass the add-on installation prompt, and trick the user inso installing an add-on from a malicious source. (CVE-2015-4498) After installing the update, Firefox must be restarted for the changes to take effect.
    last seen2020-03-18
    modified2015-08-31
    plugin id85706
    published2015-08-31
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85706
    titleScientific Linux Security Update : firefox on SL5.x, SL6.x, SL7.x i386/x86_64 (20150827)
  • NASL familyWindows
    NASL idMOZILLA_FIREFOX_38_2_1_ESR.NASL
    descriptionThe version of Mozilla Firefox ESR installed on the remote Windows host is prior to 38.2.1. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists when handling restyling operations during the resizing of canvas elements due to the canvas references being recreated, thus destroying the original references. A remote, unauthenticated attacker can exploit this to deference already freed memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-4497) - A security feature bypass vulnerability exists due to a flaw that allows the manipulation of the
    last seen2020-06-01
    modified2020-06-02
    plugin id85688
    published2015-08-28
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85688
    titleFirefox ESR < 38.2.1 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1476-1.NASL
    descriptionMozilla Firefox was updated to version 38.2.1 ESR to fix several critical and non critical security vulnerabilities. - Firefox was updated to 38.2.1 ESR (bsc#943608) - MFSA 2015-94/CVE-2015-4497 (bsc#943557) Use-after-free when resizing canvas element during restyling - MFSA 2015-95/CVE-2015-4498 (bsc#943558) Add-on notification bypass through data URLs - Firefox was updated to 38.2.0 ESR (bsc#940806) - MFSA 2015-78/CVE-2015-4495 (bmo#1178058, bmo#1179262) Same origin violation and local file stealing via PDF reader - MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 (bmo#1143130, bmo#1161719, bmo#1177501, bmo#1181204, bmo#1184068, bmo#1188590, bmo#1146213, bmo#1178890, bmo#1182711) Miscellaneous memory safety hazards (rv:40.0 / rv:38.2) - MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file - MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties - MFSA 2015-83/CVE-2015-4479 (bmo#1185115, bmo#1144107, bmo#1170344, bmo#1186718) Overflow issues in libstagefright - MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared memory in JavaScript - MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf when scaling bitmap images - MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) Buffer overflows on Libvpx when decoding WebM video - MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 (bmo#1176270, bmo#1182723, bmo#1171603) Vulnerabilities found through code inspection - MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in XMLHttpRequest with shared workers Mozilla NSS switched the CKBI ABI from 1.98 to 2.4, which is what Firefox 38ESR uses. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85763
    published2015-09-03
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85763
    titleSUSE SLED12 / SLES12 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2015:1476-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-1693.NASL
    descriptionUpdated firefox packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4497) A flaw was found in the way Firefox handled installation of add-ons. An attacker could use this flaw to bypass the add-on installation prompt, and trick the user inso installing an add-on from a malicious source. (CVE-2015-4498) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jean-Max Reymond, Ucha Gobejishvili, and Bas Venis as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.2.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id86498
    published2015-10-22
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86498
    titleCentOS 5 / 6 / 7 : firefox (CESA-2015:1693)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2723-1.NASL
    descriptionA use-after-free was discovered when resizing a canvas element during restyling in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4497) Bas Venis discovered that the addon install permission prompt could be bypassed using data: URLs in some circumstances. It was also discovered that the installation notification could be made to appear over another site. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to install a malicious addon. (CVE-2015-4498). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85682
    published2015-08-28
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85682
    titleUbuntu 12.04 LTS / 14.04 LTS / 15.04 : firefox vulnerabilities (USN-2723-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-1693.NASL
    descriptionFrom Red Hat Security Advisory 2015:1693 : Updated firefox packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4497) A flaw was found in the way Firefox handled installation of add-ons. An attacker could use this flaw to bypass the add-on installation prompt, and trick the user inso installing an add-on from a malicious source. (CVE-2015-4498) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jean-Max Reymond, Ucha Gobejishvili, and Bas Venis as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.2.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
    last seen2020-05-31
    modified2015-08-28
    plugin id85679
    published2015-08-28
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85679
    titleOracle Linux 5 / 6 / 7 : firefox (ELSA-2015-1693)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1504-1.NASL
    descriptionMozilla Firefox was updated to 38.2.1 ESR, fixing two severe security bugs. (bsc#943608) - MFSA 2015-94/CVE-2015-4497 (bsc#943557): Use-after-free when resizing canvas element during restyling - MFSA 2015-95/CVE-2015-4498 (bsc#943558): Add-on notification bypass through data URLs Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85868
    published2015-09-09
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85868
    titleSUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2015:1504-1)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FIREFOX_38_2_1_ESR.NASL
    descriptionThe version of Mozilla Firefox ESR installed on the remote Mac OS X host is prior to 38.2.1. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists when handling restyling operations during the resizing of canvas elements due to the canvas references being recreated, thus destroying the original references. A remote, unauthenticated attacker can exploit this to deference already freed memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-4497) - A security feature bypass vulnerability exists due to a flaw that allows the manipulation of the
    last seen2020-06-01
    modified2020-06-02
    plugin id85686
    published2015-08-28
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85686
    titleFirefox ESR < 38.2.1 Multiple Vulnerabilities (Mac OS X)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-2081-1.NASL
    descriptionMozillaFirefox ESR was updated to version 38.4.0ESR to fix multiple security issues. MFSA 2015-116/CVE-2015-4513 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4) MFSA 2015-122/CVE-2015-7188 Trailing whitespace in IP address hostnames can bypass same-origin policy MFSA 2015-123/CVE-2015-7189 Buffer overflow during image interactions in canvas MFSA 2015-127/CVE-2015-7193 CORS preflight is bypassed when non-standard Content-Type headers are received MFSA 2015-128/CVE-2015-7194 Memory corruption in libjar through zip files MFSA 2015-130/CVE-2015-7196 JavaScript garbage collection crash with Java applet MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 Vulnerabilities found through code inspection MFSA 2015-132/CVE-2015-7197 Mixed content WebSocket policy bypass through workers MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 NSS and NSPR memory corruption issues It also includes fixes from 38.3.0ESR : MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3) MFSA 2015-101/CVE-2015-4506 Buffer overflow in libvpx while parsing vp9 format video MFSA 2015-105/CVE-2015-4511 Buffer overflow while decoding WebM video MFSA 2015-106/CVE-2015-4509 Use-after-free while manipulating HTML media content MFSA 2015-110/CVE-2015-4519 Dragging and dropping images exposes final URL after redirects MFSA 2015-111/CVE-2015-4520 Errors in the handling of CORS preflight request headers MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522 CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177 CVE-2015-7180 Vulnerabilities found through code inspection It also includes fixes from the Firefox 38.2.1ESR release : MFSA 2015-94/CVE-2015-4497 (bsc#943557) Use-after-free when resizing canvas element during restyling MFSA 2015-95/CVE-2015-4498 (bsc#943558) Add-on notification bypass through data URLs It also includes fixes from the Firefox 38.2.0ESR release : MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2) MFSA 2015-80/CVE-2015-4475 Out-of-bounds read with malformed MP3 file MFSA 2015-82/CVE-2015-4478 Redefinition of non-configurable JavaScript object properties MFSA 2015-83/CVE-2015-4479 Overflow issues in libstagefright MFSA 2015-87/CVE-2015-4484 Crash when using shared memory in JavaScript MFSA 2015-88/CVE-2015-4491 Heap overflow in gdk-pixbuf when scaling bitmap images MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 Buffer overflows on Libvpx when decoding WebM video MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection MFSA 2015-92/CVE-2015-4492 Use-after-free in XMLHttpRequest with shared workers Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id87063
    published2015-11-25
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87063
    titleSUSE SLES10 Security Update : Mozilla Firefox (SUSE-SU-2015:2081-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_237A201C888B487F84D37D92266381D6.NASL
    descriptionThe Mozilla Project reports : MFSA 2015-95 Add-on notification bypass through data URLs MFSA 2015-94 Use-after-free when resizing canvas element during restyling
    last seen2020-06-01
    modified2020-06-02
    plugin id85699
    published2015-08-31
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85699
    titleFreeBSD : mozilla -- multiple vulnerabilities (237a201c-888b-487f-84d3-7d92266381d6)

Redhat

advisories
rhsa
idRHSA-2015:1693
rpms
  • firefox-0:38.2.1-1.ael7b_1
  • firefox-0:38.2.1-1.el5_11
  • firefox-0:38.2.1-1.el6_7
  • firefox-0:38.2.1-1.el7_1
  • firefox-debuginfo-0:38.2.1-1.ael7b_1
  • firefox-debuginfo-0:38.2.1-1.el5_11
  • firefox-debuginfo-0:38.2.1-1.el6_7
  • firefox-debuginfo-0:38.2.1-1.el7_1