Inadequate RC4 Implementation in TLS/SSL Protocols by Various Vendors
CVE-2015-2808

Currently unrated

Key Information:

Vendor

Oracle
Status
Http Server
Integrated Lights Out Manager Firmware
Communications Application Session Controller
Communications Policy Management
Vendor
CVE Published:
1 April 2015

What is CVE-2015-2808?

The RC4 cipher, utilized within TLS and SSL protocols, suffers from a serious flaw that improperly initializes state and key data. This weakness allows attackers to potentially recover plaintext by conducting targeted sniffing of network traffic. By exploiting this vulnerability, often referred to as the 'Bar Mitzvah' issue, attackers can leverage a brute-force approach on specific byte sequences, endangering the confidentiality of sensitive information transmitted over affected connections.

References

http://marc.info/?l=bugtraq&m=143818140118771&w=2
vendor-advisory
http://rhn.redhat.com/errata/RHSA-2015-1243.html
vendor-advisory
http://rhn.redhat.com/errata/RHSA-2015-1007.html
vendor-advisory

EPSS Score

48% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.