Inadequate RC4 Implementation in TLS/SSL Protocols by Various Vendors
CVE-2015-2808

3.7LOW

Key Information:

Vendor

Oracle
Status
Http Server
Integrated Lights Out Manager Firmware
Communications Application Session Controller
Communications Policy Management
Vendor
CVE Published:
1 April 2015

What is CVE-2015-2808?

The RC4 cipher, utilized within TLS and SSL protocols, suffers from a serious flaw that improperly initializes state and key data. This weakness allows attackers to potentially recover plaintext by conducting targeted sniffing of network traffic. By exploiting this vulnerability, often referred to as the 'Bar Mitzvah' issue, attackers can leverage a brute-force approach on specific byte sequences, endangering the confidentiality of sensitive information transmitted over affected connections.

References

http://marc.info/?l=bugtraq&m=143818140118771&w=2
vendor-advisory
http://rhn.redhat.com/errata/RHSA-2015-1243.html
vendor-advisory
http://rhn.redhat.com/errata/RHSA-2015-1007.html
vendor-advisory

EPSS Score

23% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.