CVE-2015-4000

Impact: Moderate
Public Date: 2015-05-20
CWE: CWE-327
Bugzilla: 1223211: CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic.
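
The defensive counterpart to the downgrade described above is a client that inspects the DH group the server sends and refuses small ones. The following is an added example, not code from the Red Hat advisory or from the openssl/nss fixes: it parses the ServerDHParams of a TLS 1.2 ServerKeyExchange (RFC 5246, section 7.4.3) and rejects groups below a minimum size. MIN_DH_BITS is an assumed policy value and the sample parameters are constructed numbers, not real groups.

```python
import struct

# Assumed minimum DH group size (bits) a client accepts. Logjam downgrades
# the handshake to 512-bit export-grade groups; 2048 is the common floor today.
MIN_DH_BITS = 2048


def parse_dh_params(body: bytes):
    """Parse ServerDHParams: dh_p, dh_g, dh_Ys, each an opaque<1..2^16-1>
    field prefixed with a 2-byte big-endian length (RFC 5246, 7.4.3)."""
    fields = []
    off = 0
    for _ in range(3):
        if off + 2 > len(body):
            raise ValueError("truncated ServerDHParams")
        (n,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError("bad ServerDHParams field length")
        fields.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    p, g, ys = fields
    return p, g, ys


def dh_group_is_acceptable(body: bytes, min_bits: int = MIN_DH_BITS) -> bool:
    """Return True only if the server's group is large enough and the
    server public value lies in the open interval (1, p-1)."""
    p, g, ys = parse_dh_params(body)
    if p.bit_length() < min_bits:
        return False          # export-grade or otherwise undersized prime
    if not (1 < ys < p - 1):
        return False          # degenerate public value
    return True


def encode_dh_params(p: int, g: int, ys: int) -> bytes:
    """Serialize (p, g, Ys) in the ServerDHParams wire format (for test input)."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample values: sized like a 512-bit export group and a 2048-bit
# group, not real DH parameters.
EXPORT_GRADE = encode_dh_params((1 << 511) | 0x1B, 2, (1 << 300) + 5)
STRONG_GROUP = encode_dh_params((1 << 2047) | 0x1B, 2, (1 << 2000) + 5)
```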

Find out more about CVE-2015-4000 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue affects the versions of the openssl and nss libraries as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7. More information about this flaw is available at: https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c4 and https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c5. Red Hat Enterprise Linux 4 is in the Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 4.

CVSS v2 metrics

Base Score: 4.3
Base Metrics: AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

CVSS v3 metrics

CVSS3 Base Score: 3.7
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat Enterprise Linux 6 (nss) | RHSA-2015:1185 | 2015-06-25
Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2016:2056 | 2016-10-12
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) | RHSA-2015:1486 | 2015-07-22
Red Hat Enterprise Linux Supplementary (v. 7) (java-1.7.1-ibm) | RHSA-2015:1485 | 2015-07-22
Red Hat Enterprise Linux 7 (nss) | RHSA-2015:1185 | 2015-06-25
Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) | RHSA-2015:1544 | 2015-08-04
Red Hat Enterprise Linux 6 (openssl) | RHSA-2015:1072 | 2015-06-04
Red Hat Enterprise Linux 6 (java-1.8.0-openjdk) | RHSA-2015:1228 | 2015-07-15
Red Hat Enterprise Linux 6 (java-1.6.0-openjdk) | RHSA-2015:1526 | 2015-07-30
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.5.0-ibm) | RHSA-2015:1544 | 2015-08-04
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm) | RHSA-2015:1486 | 2015-07-22
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.1-ibm) | RHSA-2015:1485 | 2015-07-22
Red Hat Enterprise Linux Supplementary 5 (java-1.7.0-ibm) | RHSA-2015:1488 | 2015-07-23
Red Hat JBoss Web Server 3.0 | RHSA-2016:1624 | 2016-08-17
Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) | RHSA-2015:1526 | 2015-07-30
Red Hat Enterprise Linux 6 (java-1.7.0-openjdk) | RHSA-2015:1229 | 2015-07-15
Red Hat Satellite 5.6 (RHEL v.6) (java-1.6.0-ibm) | RHSA-2015:1604 | 2015-08-12
Red Hat Enterprise Linux 5 (java-1.7.0-openjdk) | RHSA-2015:1230 | 2015-07-15
Red Hat Enterprise Linux 7 (openssl) | RHSA-2015:1072 | 2015-06-04
Red Hat Enterprise Linux 7 (java-1.6.0-openjdk) | RHSA-2015:1526 | 2015-07-30
Red Hat Satellite 5.7 (RHEL v.6) (java-1.6.0-ibm) | RHSA-2015:1604 | 2015-08-12
Red Hat Satellite 5.6 (RHEL v.5) (java-1.6.0-ibm) | RHSA-2015:1604 | 2015-08-12
Red Hat Enterprise Linux 5 (openssl) | RHSA-2015:1197 | 2015-06-30
Red Hat Enterprise Linux 7 (java-1.8.0-openjdk) | RHSA-2015:1228 | 2015-07-15
Red Hat Enterprise Linux 7 (java-1.7.0-openjdk) | RHSA-2015:1229 | 2015-07-15

Affected Packages State

Platform | Package | State
Red Hat JBoss EWS 2 | openssl | Affected
Red Hat JBoss EWS 1 | openssl | Will not fix
Red Hat Enterprise Linux 7 | java-1.8.0-oracle | Affected
Red Hat Enterprise Linux 7 | java-1.7.0-oracle | Affected
Red Hat Enterprise Linux 7 | java-1.6.0-sun | Affected
Red Hat Enterprise Linux 7 | openssl098e | Will not fix
Red Hat Enterprise Linux 6 | java-1.8.0-oracle | Affected
Red Hat Enterprise Linux 6 | java-1.7.0-oracle | Affected
Red Hat Enterprise Linux 6 | java-1.6.0-sun | Affected
Red Hat Enterprise Linux 6 | openssl098e | Will not fix
Red Hat Enterprise Linux 5 | java-1.6.0-sun | Affected
Red Hat Enterprise Linux 5 | openssl097a | Will not fix
Red Hat Enterprise Linux 5 | nss | Affected
Red Hat Enterprise Linux 5 | java-1.7.0-oracle | Affected

External References
