CVE-2015-2808

DEB

Medium

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initializa…

CVSS

4.3

Medium

EPSS

0.31

p96

Published

2015-01-01

Updated

2015-01-01

Description

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.

Tags · CWE

Crypto

CWE-327

CAPEC-20

CAPEC-97

CAPEC-459

CAPEC-473

CAPEC-475

CAPEC-608

CAPEC-614

Affected products

Java-1.5.0-ibmJava-1.5.0-ibmJava-1.6.0-ibmJava-1.6.0-ibmJava-1.6.0-ibmJava-1.6.0-ibmJava-1.6.0-openjdkJava-1.6.0-openjdkJava-1.6.0-openjdkJava-1.6.0-sunJava-1.6.0-sunJava-1.6.0-sunJava-1.7.0-ibmJava-1.7.0-openjdkJava-1.7.0-openjdkJava-1.7.0-openjdkJava-1.7.0-oracleJava-1.7.0-oracleJava-1.7.0-oracleJava-1.7.1-ibm

CVSS vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Timeline

2015-01-01

Published

2015-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: M

Medium

Authentication

Au: N

None (N)

Confidentiality Impact

C: P

Partial

Integrity Impact

I: N

None (N)

Availability Impact

A: N

None (N)

Exploit indicators

EPSS

0.308 · p96

Known exploited (KEV)

MITRE ATT&CK

Inferred via CAPEC

T1036.001Invalid Code Signature

└ via CAPEC-473 · CWE-327

T1553.002Code Signing

└ via CAPEC-473 · CWE-327

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

Affected software

Product	Vendor	Status
java-1.5.0-ibm		Tracked
java-1.5.0-ibm		Tracked
java-1.6.0-ibm		Tracked
java-1.6.0-ibm		Tracked
java-1.6.0-ibm		Tracked
java-1.6.0-ibm		Tracked
java-1.6.0-openjdk		Tracked
java-1.6.0-openjdk		Tracked
java-1.6.0-openjdk		Tracked
java-1.6.0-sun		Tracked
java-1.6.0-sun		Tracked
java-1.6.0-sun		Tracked
java-1.7.0-ibm		Tracked
java-1.7.0-openjdk		Tracked
java-1.7.0-openjdk		Tracked
java-1.7.0-openjdk		Tracked
java-1.7.0-oracle		Tracked
java-1.7.0-oracle		Tracked
java-1.7.0-oracle		Tracked
java-1.7.1-ibm		Tracked

Source databases

DEB

CVE

RED

UBU