CVE-2015-2808

Severity CVSS v4.0:

Pending analysis

Type:

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Publication date:

01/04/2015

Last modified:

12/04/2025

Description

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.

Impact

Vector 2.0

AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS v2.0 Severity and Metrics:

Base Score: 5.00 MEDIUM
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Authentication (Au): None
Confidentiality (C): Physical
Integrity (I): None
Availability (A): None

Base Score 2.0

5.00

Severity 2.0

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:oracle:communications_application_session_controller::::::::	3.0.0 (including)	3.9.0 (including)
cpe:2.3:a:oracle:communications_policy_management::::::::		9.9.2 (excluding)
cpe:2.3:a:oracle:http_server:11.1.1.7.0:::::::*
cpe:2.3:a:oracle:http_server:11.1.1.9.0:::::::*
cpe:2.3:a:oracle:http_server:12.1.3.0.0:::::::*
cpe:2.3:a:oracle:http_server:12.2.1.1.0:::::::*
cpe:2.3:a:oracle:http_server:12.2.1.2.0:::::::*
cpe:2.3:o:oracle:integrated_lights_out_manager_firmware::::::::	3.0.0 (including)	3.2.11 (including)
cpe:2.3:o:oracle:integrated_lights_out_manager_firmware::::::::	4.0.0 (including)	4.0.4 (including)
cpe:2.3:o:debian:debian_linux:7.0:::::::*
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:a:redhat:satellite:5.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*

To consult the complete list of CPE names with products and versions, see this page

CPE	From	Up to
cpe:2.3:a:oracle:communications_application_session_controller::::::::	3.0.0 (including)	3.9.0 (including)
cpe:2.3:a:oracle:communications_policy_management::::::::		9.9.2 (excluding)
cpe:2.3:a:oracle:http_server:11.1.1.7.0:::::::*
cpe:2.3:a:oracle:http_server:11.1.1.9.0:::::::*
cpe:2.3:a:oracle:http_server:12.1.3.0.0:::::::*
cpe:2.3:a:oracle:http_server:12.2.1.1.0:::::::*
cpe:2.3:a:oracle:http_server:12.2.1.2.0:::::::*
cpe:2.3:o:oracle:integrated_lights_out_manager_firmware::::::::	3.0.0 (including)	3.2.11 (including)
cpe:2.3:o:oracle:integrated_lights_out_manager_firmware::::::::	4.0.0 (including)	4.0.4 (including)
cpe:2.3:o:debian:debian_linux:7.0:::::::*
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:a:redhat:satellite:5.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*

CVE-2015-2808

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools