CVE-2015-4000

Impact:: Moderate
Public Date:: 2015-05-20
CWE:: CWE-327

Bugzilla:: 1223211: CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks

A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic.

Find out more about CVE-2015-4000 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the version of openssl and nss libraries as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7. More information about this flaw is available at: https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c4 and https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c5.

Red Hat Enterprise Linux 4 is in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 4.

CVSS v2 metrics

Base Score	4.3
Base Metrics	AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector	Network
Access Complexity	Medium
Authentication	None
Confidentiality Impact	Partial
Integrity Impact	None
Availability Impact	None

CVSS v3 metrics

CVSS3 Base Score	3.7
CVSS3 Base Metrics	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality	None
Integrity Impact	Low
Availability Impact	None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform	Errata	Release Date
Oracle Java for Red Hat Enterprise Linux 6 (java-1.8.0-oracle)	RHSA-2015:1241	2015-07-17
Red Hat Enterprise Linux 6 (nss)	RHSA-2015:1185	2015-06-25
Oracle Java for Red Hat Enterprise Linux 6 (java-1.6.0-sun)	RHSA-2015:1243	2015-07-17
Red Hat JBoss Enterprise Application Platform 6.4	RHSA-2016:2056	2016-10-12
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm)	RHSA-2015:1486	2015-07-22
Red Hat Enterprise Linux Supplementary (v. 7) (java-1.7.1-ibm)	RHSA-2015:1485	2015-07-22
Oracle Java for Red Hat Enterprise Linux 7 (java-1.7.0-oracle)	RHSA-2015:1242	2015-07-17
Oracle Java for Red Hat Enterprise Linux 7 (java-1.6.0-sun)	RHSA-2015:1243	2015-07-17
Red Hat Enterprise Linux 7 (nss)	RHSA-2015:1185	2015-06-25
Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm)	RHSA-2015:1544	2015-08-04
Oracle Java for Red Hat Enterprise Linux 6 (java-1.7.0-oracle)	RHSA-2015:1242	2015-07-17
Red Hat Enterprise Linux 6 (openssl)	RHSA-2015:1072	2015-06-04
Red Hat Enterprise Linux 6 (java-1.8.0-openjdk)	RHSA-2015:1228	2015-07-15
Red Hat Enterprise Linux 6 (java-1.6.0-openjdk)	RHSA-2015:1526	2015-07-30
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.5.0-ibm)	RHSA-2015:1544	2015-08-04
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm)	RHSA-2015:1486	2015-07-22
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.1-ibm)	RHSA-2015:1485	2015-07-22
Red Hat Enterprise Linux Supplementary 5 (java-1.7.0-ibm)	RHSA-2015:1488	2015-07-23
Red Hat JBoss Web Server 3.0	RHSA-2016:1624	2016-08-17
Oracle Java for Red Hat Enterprise Linux 7 (java-1.8.0-oracle)	RHSA-2015:1241	2015-07-17
Red Hat Enterprise Linux 5 (java-1.6.0-openjdk)	RHSA-2015:1526	2015-07-30
Red Hat Enterprise Linux 6 (java-1.7.0-openjdk)	RHSA-2015:1229	2015-07-15
Red Hat Satellite 5.6 (RHEL v.6) (java-1.6.0-ibm)	RHSA-2015:1604	2015-08-12
Red Hat Enterprise Linux 5 (java-1.7.0-openjdk)	RHSA-2015:1230	2015-07-15
Red Hat Enterprise Linux 7 (openssl)	RHSA-2015:1072	2015-06-04
Red Hat Enterprise Linux 7 (java-1.6.0-openjdk)	RHSA-2015:1526	2015-07-30
Red Hat Satellite 5.7 (RHEL v.6) (java-1.6.0-ibm)	RHSA-2015:1604	2015-08-12
Red Hat Satellite 5.6 (RHEL v.5) (java-1.6.0-ibm)	RHSA-2015:1604	2015-08-12
Red Hat Enterprise Linux 5 (openssl)	RHSA-2015:1197	2015-06-30
Oracle Java for Red Hat Enterprise Linux 5 (java-1.7.0-oracle)	RHSA-2015:1242	2015-07-17
Oracle Java for Red Hat Enterprise Linux 5 (java-1.6.0-sun)	RHSA-2015:1243	2015-07-17
Red Hat Enterprise Linux 7 (java-1.8.0-openjdk)	RHSA-2015:1228	2015-07-15
Red Hat Enterprise Linux 7 (java-1.7.0-openjdk)	RHSA-2015:1229	2015-07-15

Affected Packages State

Platform	Package	State
Red Hat JBoss EWS 2	openssl	Affected
Red Hat JBoss EWS 1	openssl	Will not fix
Red Hat Enterprise Linux 7	openssl098e	Will not fix
Red Hat Enterprise Linux 6	openssl098e	Will not fix
Red Hat Enterprise Linux 5	openssl097a	Will not fix
Red Hat Enterprise Linux 5	nss	Affected

External References

Last Modified 2017-12-15T12:47:39+00:00

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Red Hat Customer Portal Labs

Additional Tools

Red Hat Insights

Red Hat Product Security Center

Spectre & Meltdown Detector

Security Updates

Resources

Customer Portal Community

Customer Events

Stories