CVEdetails.com the ultimate security vulnerability data source

Vulnerability Details : CVE-2015-2808

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Publish Date: 2015-03-31
Last Update Date: 2018-01-18

- CVSS Scores & Vulnerability Types

CVSS Score: 4.3
Confidentiality Impact: Partial (There is considerable informational disclosure.)
Integrity Impact: None (There is no impact to the integrity of the system.)
Availability Impact: None (There is no impact to the availability of the system.)
Access Complexity: Medium (The access conditions are somewhat specialized. Some preconditions must be satisfied to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): (none listed)
CWE ID: 310

- Related OVAL Definitions

Title Definition Id Class Family
RHSA-2015:1006: java-1.6.0-ibm security update (Critical) oval:com.redhat.rhsa:def:20151006 unix
RHSA-2015:1007: java-1.7.0-ibm security update (Critical) oval:com.redhat.rhsa:def:20151007 unix
RHSA-2015:1020: java-1.7.1-ibm security update (Critical) oval:com.redhat.rhsa:def:20151020 unix
RHSA-2015:1021: java-1.5.0-ibm security update (Important) oval:com.redhat.rhsa:def:20151021 unix
RHSA-2015:1228: java-1.8.0-openjdk security update (Important) oval:com.redhat.rhsa:def:20151228 unix
RHSA-2015:1229: java-1.7.0-openjdk security update (Critical) oval:com.redhat.rhsa:def:20151229 unix
RHSA-2015:1230: java-1.7.0-openjdk security update (Important) oval:com.redhat.rhsa:def:20151230 unix
RHSA-2015:1241: java-1.8.0-oracle security update (Critical) oval:com.redhat.rhsa:def:20151241 unix
RHSA-2015:1242: java-1.7.0-oracle security update (Critical) oval:com.redhat.rhsa:def:20151242 unix
RHSA-2015:1243: java-1.6.0-sun security update (Important) oval:com.redhat.rhsa:def:20151243 unix
RHSA-2015:1526: java-1.6.0-openjdk security update (Important) oval:com.redhat.rhsa:def:20151526 unix
Vulnerability in IBM SDK Java JSSE affects AIX oval:org.mitre.oval:def:28927 unix
OVAL (Open Vulnerability and Assessment Language) definitions define exactly what should be done to verify a vulnerability or a missing patch. Check out the OVAL definitions if you want to learn what you should do to verify a vulnerability.

- Products Affected By CVE-2015-2808

# Product Type Vendor Product
1 Application Apple Safari
2 Application Google Chrome
3 Application IBM Websphere Application Server
4 Application Jboss Jboss Enterprise Application Server
5 Application Microsoft IE
6 Application Microsoft IIS
7 Application Mozilla Firefox
8 Application Opera Opera Browser
9 Application Oracle Glassfish
10 Application SUN Glassfish Enterprise Server
(Version, Update, Edition and Language are not specified for any of the listed products.)

- Number Of Affected Versions By Product

Vendor Product Vulnerable Versions
Apple Safari 1
Google Chrome 1
IBM Websphere Application Server 1
Jboss Jboss Enterprise Application Server 1
Microsoft IE 1
Microsoft IIS 1
Mozilla Firefox 1
Opera Opera Browser 1
Oracle Glassfish 1
SUN Glassfish Enterprise Server 1

- References For CVE-2015-2808

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773241 CONFIRM
http://www.securitytracker.com/id/1036222 SECTRACK 1036222
https://security.gentoo.org/glsa/201512-10 GENTOO GLSA-201512-10
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098709 CONFIRM
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935 CONFIRM
http://rhn.redhat.com/errata/RHSA-2015-1091.html REDHAT RHSA-2015:1091
http://rhn.redhat.com/errata/RHSA-2015-1228.html REDHAT RHSA-2015:1228
http://rhn.redhat.com/errata/RHSA-2015-1229.html REDHAT RHSA-2015:1229
http://rhn.redhat.com/errata/RHSA-2015-1230.html REDHAT RHSA-2015:1230
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04772190 CONFIRM
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05193347 CONFIRM
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05085988 CONFIRM
https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04711380 CONFIRM
https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04708650 CONFIRM
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926789 CONFIRM
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246 CONFIRM
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04687922 HP SSRT102073
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04770140 CONFIRM
https://kb.juniper.net/JSA10783 CONFIRM
https://kc.mcafee.com/corporate/index?page=content&id=SB10163 CONFIRM
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773119 CONFIRM
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773256 CONFIRM
https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf
http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-454055.htm CONFIRM
http://www.ubuntu.com/usn/USN-2706-1 UBUNTU USN-2706-1
http://www.securitytracker.com/id/1033737 SECTRACK 1033737
http://www.securitytracker.com/id/1033769 SECTRACK 1033769
http://www.ubuntu.com/usn/USN-2696-1 UBUNTU USN-2696-1
http://www.securitytracker.com/id/1033432 SECTRACK 1033432
http://www.securitytracker.com/id/1033431 SECTRACK 1033431
http://www.securitytracker.com/id/1033415 SECTRACK 1033415
http://www.securitytracker.com/id/1033386 SECTRACK 1033386
http://www.securitytracker.com/id/1033072 SECTRACK 1033072
http://www.securitytracker.com/id/1032910 SECTRACK 1032910
http://www.securitytracker.com/id/1032788 SECTRACK 1032788
http://www.securitytracker.com/id/1032858 SECTRACK 1032858
http://www.securitytracker.com/id/1032868 SECTRACK 1032868
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html SUSE openSUSE-SU-2015:1288
http://www.securitytracker.com/id/1033071 SECTRACK 1033071
http://www.securitytracker.com/id/1032990 SECTRACK 1032990
http://www.securitytracker.com/id/1032734 SECTRACK 1032734
http://www.securitytracker.com/id/1032600 SECTRACK 1032600
http://www-304.ibm.com/support/docview.wss?uid=swg21903565 CONFIRM
http://www-304.ibm.com/support/docview.wss?uid=swg21960015 CONFIRM
http://www-304.ibm.com/support/docview.wss?uid=swg21960769 CONFIRM
http://www.debian.org/security/2015/dsa-3316 DEBIAN DSA-3316
http://www.debian.org/security/2015/dsa-3339 DEBIAN DSA-3339
http://www.huawei.com/en/psirt/security-advisories/hw-454055 CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html CONFIRM
http://www.securityfocus.com/bid/91787 BID 91787 Oracle July 2016 Critical Patch Update Multiple Vulnerabilities (Release Date: 2018-10-15)
http://www.securitytracker.com/id/1032599 SECTRACK 1032599
http://www.securitytracker.com/id/1032707 SECTRACK 1032707
http://www.securitytracker.com/id/1032708 SECTRACK 1032708
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html CONFIRM
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html CONFIRM
http://www.securityfocus.com/bid/73684 BID 73684 SSL/TLS RC4 CVE-2015-2808 Information Disclosure Weakness (Release Date: 2018-09-26)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html CONFIRM
http://www-01.ibm.com/support/docview.wss?uid=swg1IV71892 AIXAPAR IV71892
http://www-01.ibm.com/support/docview.wss?uid=swg21883640 CONFIRM
http://rhn.redhat.com/errata/RHSA-2015-1526.html REDHAT RHSA-2015:1526
http://www-01.ibm.com/support/docview.wss?uid=swg1IV71888 AIXAPAR IV71888
http://rhn.redhat.com/errata/RHSA-2015-1241.html REDHAT RHSA-2015:1241
http://rhn.redhat.com/errata/RHSA-2015-1242.html REDHAT RHSA-2015:1242
http://rhn.redhat.com/errata/RHSA-2015-1243.html REDHAT RHSA-2015:1243
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00005.html SUSE SUSE-SU-2016:0113
http://marc.info/?l=bugtraq&m=143456209711959&w=2 HP HPSBGN03338
http://marc.info/?l=bugtraq&m=143629696317098&w=2 HP HPSBGN03354
http://marc.info/?l=bugtraq&m=143741441012338&w=2 HP SSRT102150
http://marc.info/?l=bugtraq&m=143817021313142&w=2 HP SSRT102133
http://marc.info/?l=bugtraq&m=143817899717054&w=2 HP SSRT102129
http://marc.info/?l=bugtraq&m=143818140118771&w=2 HP SSRT102127
http://marc.info/?l=bugtraq&m=144043644216842&w=2 HP HPSBMU03345
http://marc.info/?l=bugtraq&m=144059660127919&w=2 HP HPSBGN03414
http://marc.info/?l=bugtraq&m=144059703728085&w=2 HP HPSBGN03415
http://marc.info/?l=bugtraq&m=144104565600964&w=2 HP HPSBGN03403
http://marc.info/?l=bugtraq&m=144493176821532&w=2 HP SSRT102254
http://rhn.redhat.com/errata/RHSA-2015-1021.html REDHAT RHSA-2015:1021
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034 CONFIRM
http://rhn.redhat.com/errata/RHSA-2015-1020.html REDHAT RHSA-2015:1020
http://rhn.redhat.com/errata/RHSA-2015-1007.html REDHAT RHSA-2015:1007
http://rhn.redhat.com/errata/RHSA-2015-1006.html REDHAT RHSA-2015:1006
http://marc.info/?l=bugtraq&m=144104533800819&w=2 HP HPSBMU03401
http://marc.info/?l=bugtraq&m=144060576831314&w=2 HP HPSBGN03399
http://marc.info/?l=bugtraq&m=144060606031437&w=2 HP HPSBGN03405
http://marc.info/?l=bugtraq&m=144102017024820&w=2 HP HPSBGN03407
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00004.html SUSE SUSE-SU-2015:2192
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00000.html SUSE SUSE-SU-2015:2166
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html SUSE SUSE-SU-2015:1320
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html SUSE SUSE-SU-2015:1319
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html SUSE openSUSE-SU-2015:1289
http://marc.info/?l=bugtraq&m=144069189622016&w=2 HP HPSBGN03402
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html SUSE SUSE-SU-2015:1086
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00031.html SUSE SUSE-SU-2015:1161
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00022.html SUSE SUSE-SU-2015:1138
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html SUSE SUSE-SU-2015:1073
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html SUSE SUSE-SU-2015:1085
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727 CONFIRM
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 CONFIRM
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888 CONFIRM

- Metasploit Modules Related To CVE-2015-2808

There are no Metasploit modules related to this CVE entry (please visit www.metasploit.com for more information).


CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.