CVE-2015-4000
A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic.
Find out more about CVE-2015-4000 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue affects the version of openssl and nss libraries as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7. More information about this flaw is available at: https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c4 and https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c5.
Red Hat Enterprise Linux 4 is in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 4.
CVSS v2 metrics
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
CVSS v3 metrics
| CVSS3 Base Score | 3.7 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | Low |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Oracle Java for Red Hat Enterprise Linux 6 (java-1.8.0-oracle) | RHSA-2015:1241 | 2015-07-17 |
| Red Hat Enterprise Linux 6 (nss) | RHSA-2015:1185 | 2015-06-25 |
| Oracle Java for Red Hat Enterprise Linux 6 (java-1.6.0-sun) | RHSA-2015:1243 | 2015-07-17 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2016:2056 | 2016-10-12 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) | RHSA-2015:1486 | 2015-07-22 |
| Red Hat Enterprise Linux Supplementary (v. 7) (java-1.7.1-ibm) | RHSA-2015:1485 | 2015-07-22 |
| Oracle Java for Red Hat Enterprise Linux 7 (java-1.7.0-oracle) | RHSA-2015:1242 | 2015-07-17 |
| Oracle Java for Red Hat Enterprise Linux 7 (java-1.6.0-sun) | RHSA-2015:1243 | 2015-07-17 |
| Red Hat Enterprise Linux 7 (nss) | RHSA-2015:1185 | 2015-06-25 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) | RHSA-2015:1544 | 2015-08-04 |
| Oracle Java for Red Hat Enterprise Linux 6 (java-1.7.0-oracle) | RHSA-2015:1242 | 2015-07-17 |
| Red Hat Enterprise Linux 6 (openssl) | RHSA-2015:1072 | 2015-06-04 |
| Red Hat Enterprise Linux 6 (java-1.8.0-openjdk) | RHSA-2015:1228 | 2015-07-15 |
| Red Hat Enterprise Linux 6 (java-1.6.0-openjdk) | RHSA-2015:1526 | 2015-07-30 |
| Red Hat Enterprise Linux Supplementary (v. 6) (java-1.5.0-ibm) | RHSA-2015:1544 | 2015-08-04 |
| Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm) | RHSA-2015:1486 | 2015-07-22 |
| Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.1-ibm) | RHSA-2015:1485 | 2015-07-22 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.7.0-ibm) | RHSA-2015:1488 | 2015-07-23 |
| Red Hat JBoss Web Server 3.0 | RHSA-2016:1624 | 2016-08-17 |
| Oracle Java for Red Hat Enterprise Linux 7 (java-1.8.0-oracle) | RHSA-2015:1241 | 2015-07-17 |
| Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) | RHSA-2015:1526 | 2015-07-30 |
| Red Hat Enterprise Linux 6 (java-1.7.0-openjdk) | RHSA-2015:1229 | 2015-07-15 |
| Red Hat Satellite 5.6 (RHEL v.6) (java-1.6.0-ibm) | RHSA-2015:1604 | 2015-08-12 |
| Red Hat Enterprise Linux 5 (java-1.7.0-openjdk) | RHSA-2015:1230 | 2015-07-15 |
| Red Hat Enterprise Linux 7 (openssl) | RHSA-2015:1072 | 2015-06-04 |
| Red Hat Enterprise Linux 7 (java-1.6.0-openjdk) | RHSA-2015:1526 | 2015-07-30 |
| Red Hat Satellite 5.7 (RHEL v.6) (java-1.6.0-ibm) | RHSA-2015:1604 | 2015-08-12 |
| Red Hat Satellite 5.6 (RHEL v.5) (java-1.6.0-ibm) | RHSA-2015:1604 | 2015-08-12 |
| Red Hat Enterprise Linux 5 (openssl) | RHSA-2015:1197 | 2015-06-30 |
| Oracle Java for Red Hat Enterprise Linux 5 (java-1.7.0-oracle) | RHSA-2015:1242 | 2015-07-17 |
| Oracle Java for Red Hat Enterprise Linux 5 (java-1.6.0-sun) | RHSA-2015:1243 | 2015-07-17 |
| Red Hat Enterprise Linux 7 (java-1.8.0-openjdk) | RHSA-2015:1228 | 2015-07-15 |
| Red Hat Enterprise Linux 7 (java-1.7.0-openjdk) | RHSA-2015:1229 | 2015-07-15 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss EWS 2 | openssl | Will not fix |
| Red Hat JBoss EWS 1 | openssl | Will not fix |
| Red Hat Enterprise Linux 7 | openssl098e | Will not fix |
| Red Hat Enterprise Linux 6 | openssl098e | Will not fix |
| Red Hat Enterprise Linux 5 | openssl097a | Will not fix |
| Red Hat Enterprise Linux 5 | nss | Will not fix |