Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5
CVSSv2

CVE-2015-2808

Published: 01/04/2015 Updated: 07/09/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Subscribe to Oracle

Vulnerability Summary

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote malicious users to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

oracle http server 11.1.1.9.0

oracle http server 12.2.1.2.0

oracle http server 12.1.3.0.0

oracle http server 11.1.1.7.0

oracle integrated lights out manager firmware

oracle communications application session controller

oracle http server 12.2.1.1.0

oracle communications policy management

debian debian linux 8.0

debian debian linux 7.0

redhat enterprise linux desktop 7.0

redhat enterprise linux server 5.0

redhat enterprise linux workstation 7.0

redhat satellite 5.7

redhat enterprise linux server 7.0

redhat enterprise linux workstation 5.0

redhat enterprise linux server aus 6.6

redhat enterprise linux desktop 6.0

redhat enterprise linux server 6.0

redhat enterprise linux workstation 6.0

redhat enterprise linux eus 7.1

redhat enterprise linux eus 6.6

redhat enterprise linux server tus 7.3

redhat enterprise linux desktop 5.0

redhat enterprise linux server aus 7.3

redhat enterprise linux server aus 7.4

redhat enterprise linux eus 7.3

redhat enterprise linux eus 7.4

redhat enterprise linux eus 7.5

redhat enterprise linux server tus 7.6

redhat enterprise linux server aus 7.6

redhat enterprise linux eus 7.6

redhat enterprise linux eus 7.2

redhat enterprise linux server aus 7.7

redhat enterprise linux server tus 7.7

redhat enterprise linux eus 7.7

suse linux enterprise server 11

suse linux enterprise desktop 11

suse linux enterprise debuginfo 11

suse linux enterprise software development kit 11

suse linux enterprise server 10

opensuse opensuse 13.1

opensuse opensuse 13.2

suse linux enterprise server 12

suse linux enterprise software development kit 12

suse linux enterprise desktop 12

suse manager 1.7

canonical ubuntu linux 15.04

canonical ubuntu linux 12.04

canonical ubuntu linux 14.04

redhat satellite 5.6

fujitsu sparc_enterprise_m3000_firmware

fujitsu sparc_enterprise_m4000_firmware

fujitsu sparc_enterprise_m5000_firmware

fujitsu sparc_enterprise_m8000_firmware

fujitsu sparc_enterprise_m9000_firmware

huawei e6000_firmware -

huawei e9000_firmware -

huawei oceanstor_18500_firmware -

huawei oceanstor_18800_firmware -

huawei oceanstor_18800f_firmware -

huawei oceanstor_9000_firmware -

huawei oceanstor_cse_firmware -

huawei oceanstor_hvs85t_firmware -

huawei oceanstor_s2600t_firmware -

huawei oceanstor_s5500t_firmware -

huawei oceanstor_s5600t_firmware -

huawei oceanstor_s5800t_firmware -

huawei oceanstor_s6800t_firmware -

huawei oceanstor_vis6600t_firmware -

huawei quidway_s9300_firmware -

huawei s7700_firmware -

huawei 9700_firmware -

huawei s12700_firmware -

huawei s2700_firmware -

huawei s3700_firmware -

huawei s5700ei_firmware -

huawei s5700hi_firmware -

huawei s5700si_firmware -

huawei s5710ei_firmware -

huawei s5710hi_firmware -

huawei s6700_firmware -

huawei s2750_firmware -

huawei s5700li_firmware -

huawei s5700s-li_firmware -

huawei s5720hi_firmware -

huawei s5720ei_firmware -

huawei te60_firmware -

huawei policy center v100r003c10

huawei policy center v100r003c00

huawei smc2.0 v100r002c01

huawei smc2.0 v100r002c02

huawei smc2.0 v100r002c03

huawei smc2.0 v100r002c04

huawei ultravr v100r003c00

huawei oceanstor replicationdirector v100r003c00

ibm cognos metrics manager 10.2.1

ibm cognos metrics manager 10.2

ibm cognos metrics manager 10.1.1

ibm cognos metrics manager 10.1

ibm cognos metrics manager 10.2.2

Vendor Advisories

Ubuntu Security Notice: openjdk-6 vulnerabilities
Several security issues were fixed in OpenJDK 6 ...
Ubuntu Security Notice: openjdk-7 vulnerabilities
Several security issues were fixed in OpenJDK 7 ...
Debian Security Advisories: DSA-3339-1 openjdk-6 -- security update
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure, denial of service or insecure cryptography For the oldstable distribution (wheezy), these problems have been fixed in version 6b36-1138-1~deb7 ...
Debian Security Advisories: DSA-3316-1 openjdk-7 -- security update
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure, denial of service or insecure cryptography For the oldstable distribution (wheezy), these problems have been fixed in version 7u79-256-1~deb7u ...
Red Hat: CVE-2015-2808
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invar ...
Amazon Linux AMI: ALAS-2015-570
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733) A flaw was found in the way the Libraries component of OpenJDK ve ...
Amazon Linux AMI: ALAS-2015-586
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733) A flaw was found in the way the Libraries component of OpenJDK ve ...
Amazon Linux AMI: ALAS-2015-571
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733) A flaw was found in the way the Libraries component of OpenJDK ve ...

ICS Advisories

Mitsubishi Electric Air Conditioning Systems
Critical Infrastructure Sectors: Commercial Facilities

Github Repositories

https://github.com/tzaffi/testssl-report

Download and run Dirk Wetter's testssl.sh on a list of url's and compile the failures into a single spreadsheet.

Test SSL Given a list of urls, run Dirk Wetter's testsslsh on each and tabulate failures only into a single spreadheet List of URLS to test These should be put in urlstxt on separate lines Run standalone /cloneRunAndAggregatesh The file results/failscsv will be generated Example If urlstxt consists of googlecom yahoocom m

References

CWE-327https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdfhttp://www-01.ibm.com/support/docview.wss?uid=swg1IV71888http://www-01.ibm.com/support/docview.wss?uid=swg21883640http://www-01.ibm.com/support/docview.wss?uid=swg1IV71892http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.htmlhttp://marc.info/?l=bugtraq&m=143817021313142&w=2http://marc.info/?l=bugtraq&m=143817899717054&w=2http://marc.info/?l=bugtraq&m=143741441012338&w=2http://marc.info/?l=bugtraq&m=143818140118771&w=2http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlhttp://www.huawei.com/en/psirt/security-advisories/hw-454055https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05085988http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlhttp://www.securityfocus.com/bid/91787https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05193347http://marc.info/?l=bugtraq&m=144060576831314&w=2http://marc.info/?l=bugtraq&m=144069189622016&w=2http://marc.info/?l=bugtraq&m=144493176821532&w=2http://marc.info/?l=bugtraq&m=144102017024820&w=2http://marc.info/?l=bugtraq&m=143629696317098&w=2http://marc.info/?l=bugtraq&m=144043644216842&w=2http://marc.info/?l=bugtraq&m=144059660127919&w=2http://marc.info/?l=bugtraq&m=144059703728085&w=2http://marc.info/?l=bugtraq&m=144104565600964&w=2http://marc.info/?l=bugtraq&m=143456209711959&w=2http://marc.info/?l=bugtraq&m=144104533800819&w=2http://marc.info/?l=bugtraq&m=144060606031437&w=2https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888https://kc.mcafee.com/corporate/index?page=content&id=SB10163http://www.securitytracker.com/id/1032599http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00000.htmlhttps://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926789https://security.gentoo.org/glsa/201512-10http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-454055.htmhttp://lists.opensuse.org/opensuse-security-announce/2015-12/msg00004.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-01/msg00005.htmlhttps://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098709http://www.securitytracker.com/id/1033769http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246http://www.securitytracker.com/id/1033737https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773256https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773119https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04772190https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04770140http://www.securitytracker.com/id/1033432http://www.securitytracker.com/id/1033431http://www.securitytracker.com/id/1033415http://www.securitytracker.com/id/1033386https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773241http://www.ubuntu.com/usn/USN-2706-1http://www.ubuntu.com/usn/USN-2696-1http://www.debian.org/security/2015/dsa-3339http://rhn.redhat.com/errata/RHSA-2015-1526.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.htmlhttp://www-304.ibm.com/support/docview.wss?uid=swg21960769http://www-304.ibm.com/support/docview.wss?uid=swg21960015http://www-304.ibm.com/support/docview.wss?uid=swg21903565http://www.securitytracker.com/id/1032868http://www.securitytracker.com/id/1032858http://www.securitytracker.com/id/1032788http://www.securitytracker.com/id/1032734http://www.securitytracker.com/id/1032708http://www.securitytracker.com/id/1032707http://rhn.redhat.com/errata/RHSA-2015-1091.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1021.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1020.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1007.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1006.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-06/msg00031.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-06/msg00022.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.htmlhttp://www.securityfocus.com/bid/73684https://kb.juniper.net/JSA10783http://www.securitytracker.com/id/1036222https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04711380https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04708650http://www.securitytracker.com/id/1033072http://www.securitytracker.com/id/1033071http://www.securitytracker.com/id/1032990http://www.securitytracker.com/id/1032910http://www.securitytracker.com/id/1032600http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttp://www.debian.org/security/2015/dsa-3316https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04687922http://rhn.redhat.com/errata/RHSA-2015-1243.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1242.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1241.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1230.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1229.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1228.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlhttps://www.secpod.com/blog/cve-2015-2808-bar-mitzvah-attack-in-rc4-2/https://nvd.nist.govhttps://usn.ubuntu.com/2706-1/https://access.redhat.com/security/cve/cve-2015-2808https://www.cisa.gov/uscert/ics/advisories/icsa-22-160-01
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-30924CVE-2024-3400overflowCVE-2024-23528CVE-2024-21338CVE-2024-3818CVE-2024-23535NULL pointer dereferenceelevation of privilege
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook