Inadequate RC4 Implementation in TLS/SSL Protocols by Various Vendors
CVE-2015-2808

Currently unrated

Key Information:

Vendor: Oracle
Status: Http Server; Integrated Lights Out Manager Firmware; Communications Application Session Controller; Communications Policy Management
Vendor: CVE Published:; 1 April 2015

Summary

The RC4 cipher, utilized within TLS and SSL protocols, suffers from a serious flaw that improperly initializes state and key data. This weakness allows attackers to potentially recover plaintext by conducting targeted sniffing of network traffic. By exploiting this vulnerability, often referred to as the 'Bar Mitzvah' issue, attackers can leverage a brute-force approach on specific byte sequences, endangering the confidentiality of sensitive information transmitted over affected connections.

References

http://marc.info/?l=bugtraq&m=143818140118771&w=2

vendor-advisory

http://rhn.redhat.com/errata/RHSA-2015-1243.html

vendor-advisory

http://rhn.redhat.com/errata/RHSA-2015-1007.html

vendor-advisory

EPSS Score

48% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Apr 1, 2015
Vulnerability Reserved
Mar 31, 2015