CVE-2015-2808
CVE-2015-2808 is a low-severity vulnerability rated 3.7/10 on the CVSS scale. The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue. EPSS estimates a 74.01% chance of exploitation in the next 30 days.
Description
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Oracle | Communications Application Session Controller | >= 3.0.0, <= 3.9.0 | — |
| Oracle | Communications Policy Management | < 9.9.2 | — |
| Oracle | Http Server | 11.1.1.7.0 | — |
| Oracle | Http Server | 11.1.1.9.0 | — |
| Oracle | Http Server | 12.1.3.0.0 | — |
| Oracle | Http Server | 12.2.1.1.0 | — |
| Oracle | Http Server | 12.2.1.2.0 | — |
| Oracle | Integrated Lights Out Manager Firmware | >= 3.0.0, <= 3.2.11 | — |
| Oracle | Integrated Lights Out Manager Firmware | >= 4.0.0, <= 4.0.4 | — |
| Debian | Debian Linux | 7.0 | — |
| Debian | Debian Linux | 8.0 | — |
| Redhat | Satellite | 5.7 | — |
| Redhat | Enterprise Linux Desktop | 5.0 | — |
| Redhat | Enterprise Linux Desktop | 6.0 | — |
| Redhat | Enterprise Linux Desktop | 7.0 | — |
| Redhat | Enterprise Linux Eus | 6.6 | — |
| Redhat | Enterprise Linux Eus | 7.1 | — |
| Redhat | Enterprise Linux Eus | 7.2 | — |
| Redhat | Enterprise Linux Eus | 7.3 | — |
| Redhat | Enterprise Linux Eus | 7.4 | — |
| Redhat | Enterprise Linux Eus | 7.5 | — |
| Redhat | Enterprise Linux Eus | 7.6 | — |
| Redhat | Enterprise Linux Eus | 7.7 | — |
| Redhat | Enterprise Linux Server | 5.0 | — |
| Redhat | Enterprise Linux Server | 6.0 | — |
| Redhat | Enterprise Linux Server | 7.0 | — |
| Redhat | Enterprise Linux Server Aus | 6.6 | — |
| Redhat | Enterprise Linux Server Aus | 7.3 | — |
| Redhat | Enterprise Linux Server Aus | 7.4 | — |
| Redhat | Enterprise Linux Server Aus | 7.6 | — |
| Redhat | Enterprise Linux Server Aus | 7.7 | — |
| Redhat | Enterprise Linux Server Tus | 7.3 | — |
| Redhat | Enterprise Linux Server Tus | 7.6 | — |
| Redhat | Enterprise Linux Server Tus | 7.7 | — |
| Redhat | Enterprise Linux Workstation | 5.0 | — |
| Redhat | Enterprise Linux Workstation | 6.0 | — |
| Redhat | Enterprise Linux Workstation | 7.0 | — |
| Suse | Linux Enterprise Debuginfo | 11 | Sp3 |
| Opensuse | Opensuse | 13.1 | — |
| Opensuse | Opensuse | 13.2 | — |
| Suse | Linux Enterprise Desktop | 11 | Sp3 |
| Suse | Linux Enterprise Desktop | 12 | — |
| Suse | Linux Enterprise Server | 10 | Sp4 |
| Suse | Linux Enterprise Server | 11 | Sp1 |
| Suse | Linux Enterprise Server | 12 | — |
| Suse | Linux Enterprise Software Development Kit | 11 | Sp3 |
| Suse | Linux Enterprise Software Development Kit | 12 | — |
| Suse | Manager | 1.7 | — |
| Canonical | Ubuntu Linux | 12.04 | — |
| Canonical | Ubuntu Linux | 14.04 | — |
Showing 50 of 102 affected configurations. See NVD for the full list.
References
- http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034 (Third Party Advisory)
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 (Third Party Advisory)
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727 (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00022.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00031.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00000.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00004.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00005.html (Mailing List, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=143456209711959&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=143629696317098&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=143741441012338&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=143817021313142&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=143817899717054&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=143818140118771&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=144043644216842&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=144059660127919&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=144059703728085&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=144060576831314&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=144060606031437&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=144069189622016&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=144102017024820&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=144104533800819&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=144104565600964&w=2 (Issue Tracking, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=144493176821532&w=2 (Issue Tracking, Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1006.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1007.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1020.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1021.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1091.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1228.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1229.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1230.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1241.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1242.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1243.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1526.html (Third Party Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV71888 (Third Party Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV71892 (Third Party Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=swg21883640 (Third Party Advisory)
- http://www-304.ibm.com/support/docview.wss?uid=swg21903565 (Third Party Advisory)
- http://www-304.ibm.com/support/docview.wss?uid=swg21960015 (Third Party Advisory)
- http://www-304.ibm.com/support/docview.wss?uid=swg21960769 (Third Party Advisory)
- http://www.debian.org/security/2015/dsa-3316 (Third Party Advisory)
- http://www.debian.org/security/2015/dsa-3339 (Third Party Advisory)
- http://www.huawei.com/en/psirt/security-advisories/hw-454055 (Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html (Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html (Patch, Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html (Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html (Third Party Advisory)
- http://www.securityfocus.com/bid/73684 (Third Party Advisory, VDB Entry)
- http://www.securityfocus.com/bid/91787 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1032599 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1032600 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1032707 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1032708 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1032734 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1032788 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1032858 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1032868 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1032910 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1032990 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1033071 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1033072 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1033386 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1033415 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1033431 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1033432 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1033737 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1033769 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1036222 (Third Party Advisory, VDB Entry)
- http://www.ubuntu.com/usn/USN-2696-1 (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-2706-1 (Third Party Advisory)
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04708650 (Third Party Advisory)
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04711380 (Third Party Advisory)
- https://kb.juniper.net/JSA10783 (Third Party Advisory)
- https://security.gentoo.org/glsa/201512-10 (Third Party Advisory)
- https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098709 (Third Party Advisory)
- https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf (Technical Description, Third Party Advisory)
Source: NVD / NIST
