CVE-2015-7575

Impact:
Moderate
Public Date:
2016-01-06
Bugzilla:
1289841: CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH)
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.

Find out more about CVE-2015-7575 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Red Hat Enterprise Linux 5:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss EWS 1:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Web Server 3.0:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

CVSS v2 metrics

Base Score 5.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 6 (nss) RHSA-2016:0007 2016-01-07
Red Hat Enterprise Linux 7 (java-1.8.0-openjdk) RHSA-2016:0049 2016-01-20
Red Hat Enterprise Linux 7 (nss) RHSA-2016:0007 2016-01-07
Red Hat Enterprise Linux 7 (openssl) RHSA-2016:0008 2016-01-08
Red Hat Enterprise Linux 6 (openssl) RHSA-2016:0008 2016-01-08
Red Hat Enterprise Linux 5 (java-1.7.0-openjdk) RHSA-2016:0054 2016-01-21
Red Hat Satellite 5.7 (RHEL v.6) (java-1.7.1-ibm) RHSA-2016:1430 2016-07-18
Oracle Java for Red Hat Enterprise Linux 7 (java-1.8.0-oracle) RHSA-2016:0055 2016-01-21
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.1-ibm) RHSA-2016:0099 2016-02-02
Oracle Java for Red Hat Enterprise Linux 5 (java-1.7.0-oracle) RHSA-2016:0056 2016-01-21
Red Hat Enterprise Linux Supplementary 5 (java-1.7.0-ibm) RHSA-2016:0100 2016-02-02
Oracle Java for Red Hat Enterprise Linux 7 (java-1.7.0-oracle) RHSA-2016:0056 2016-01-21
Red Hat Satellite 5.6 (RHEL v.5) (java-1.7.0-ibm) RHSA-2016:1430 2016-07-18
Red Hat Enterprise Linux 7 (gnutls) RHSA-2016:0012 2016-01-08
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) RHSA-2016:0101 2016-02-02
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm) RHSA-2016:0101 2016-02-02
Red Hat Enterprise Linux 6 (gnutls) RHSA-2016:0012 2016-01-08
Red Hat Enterprise Linux Supplementary (v. 7) (java-1.7.1-ibm) RHSA-2016:0099 2016-02-02
Red Hat Enterprise Linux Supplementary (v. 7) (java-1.8.0-ibm) RHSA-2016:0098 2016-02-02
Red Hat Enterprise Linux 7 (java-1.7.0-openjdk) RHSA-2016:0054 2016-01-21
Oracle Java for Red Hat Enterprise Linux 6 (java-1.7.0-oracle) RHSA-2016:0056 2016-01-21
Oracle Java for Red Hat Enterprise Linux 6 (java-1.8.0-oracle) RHSA-2016:0055 2016-01-21
Red Hat Satellite 5.6 (RHEL v.6) (java-1.7.1-ibm) RHSA-2016:1430 2016-07-18
Red Hat Enterprise Linux 6 (java-1.8.0-openjdk) RHSA-2016:0050 2016-01-20
Red Hat Enterprise Linux 6 (java-1.7.0-openjdk) RHSA-2016:0053 2016-01-21

Affected Packages State

Platform Package State
Red Hat JBoss Web Server 3.0 openssl Will not fix
Red Hat JBoss EWS 2 openssl Not affected
Red Hat JBoss EWS 1 openssl Will not fix
Red Hat JBoss EAP 6 openssl Not affected
Red Hat Enterprise Linux 7 openssl098e Not affected
Red Hat Enterprise Linux 7 java-1.6.0-sun Not affected
Red Hat Enterprise Linux 6 java-1.6.0-sun Not affected
Red Hat Enterprise Linux 6 openssl098e Not affected
Red Hat Enterprise Linux 5 openssl Not affected
Red Hat Enterprise Linux 5 java-1.6.0-sun Not affected
Red Hat Enterprise Linux 5 openssl097a Not affected
Red Hat Enterprise Linux 5 nss Will not fix
Red Hat Enterprise Linux 5 gnutls Not affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.

External References

Last Modified