{
  "threat_severity" : "Moderate",
  "public_date" : "2015-05-20T00:00:00Z",
  "bugzilla" : {
    "description" : "LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks",
    "id" : "1223211",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1223211"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-327",
  "details" : [ "The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the \"Logjam\" issue.", "A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites): the client cannot detect that the server's DH parameters were chosen for a DHE_EXPORT suite rather than for the DHE suite the client actually offered. An active man-in-the-middle attacker could use this flaw to downgrade a DHE connection to export-grade (512-bit) key sizes, which can then be broken with sufficient pre-computation. Because that pre-computation is specific to a DH group, and a small number of export-grade groups are shared by many servers (see weakdh.org), one such computation can be reused against every server using the same group. After the downgrade the attacker is able to decrypt, and potentially modify, all traffic on the affected connection." ],
  "statement" : "This issue affects the versions of the openssl and nss libraries as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7. The Java runtimes shipped by Red Hat (OpenJDK, Oracle Java and IBM Java) implement their own TLS stack and were updated separately; see the affected releases listed below. More information about this flaw is available at: https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c4 and https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c5.\nThe openssl097a (Red Hat Enterprise Linux 5) and openssl098e (Red Hat Enterprise Linux 6 and 7) compatibility packages will not be fixed; applications still linked against these legacy libraries remain exposed and should be moved to the system openssl package.\nRed Hat Enterprise Linux 4 is in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 4.",
  "affected_release" : [ {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 5",
    "release_date" : "2015-07-17T00:00:00Z",
    "advisory" : "RHSA-2015:1242",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:5",
    "package" : "java-1.7.0-oracle-1:1.7.0.85-1jpp.1.el5_11"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 5",
    "release_date" : "2015-07-17T00:00:00Z",
    "advisory" : "RHSA-2015:1243",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:5",
    "package" : "java-1.6.0-sun-1:1.6.0.101-1jpp.1.el5_11"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 6",
    "release_date" : "2015-07-17T00:00:00Z",
    "advisory" : "RHSA-2015:1241",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:6",
    "package" : "java-1.8.0-oracle-1:1.8.0.51-1jpp.2.el6_6"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 6",
    "release_date" : "2015-07-17T00:00:00Z",
    "advisory" : "RHSA-2015:1242",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:6",
    "package" : "java-1.7.0-oracle-1:1.7.0.85-1jpp.2.el6_6"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 6",
    "release_date" : "2015-07-17T00:00:00Z",
    "advisory" : "RHSA-2015:1243",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:6",
    "package" : "java-1.6.0-sun-1:1.6.0.101-1jpp.1.el6_6"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 7",
    "release_date" : "2015-07-17T00:00:00Z",
    "advisory" : "RHSA-2015:1241",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:7",
    "package" : "java-1.8.0-oracle-1:1.8.0.51-1jpp.2.el7_1"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 7",
    "release_date" : "2015-07-17T00:00:00Z",
    "advisory" : "RHSA-2015:1242",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:7",
    "package" : "java-1.7.0-oracle-1:1.7.0.85-1jpp.2.el7_1"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 7",
    "release_date" : "2015-07-17T00:00:00Z",
    "advisory" : "RHSA-2015:1243",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:7",
    "package" : "java-1.6.0-sun-1:1.6.0.101-1jpp.1.el7_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2015-06-30T00:00:00Z",
    "advisory" : "RHSA-2015:1197",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "openssl-0:0.9.8e-36.el5_11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2015-07-15T00:00:00Z",
    "advisory" : "RHSA-2015:1230",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "java-1.7.0-openjdk-1:1.7.0.85-2.6.1.3.el5_11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2015-07-30T00:00:00Z",
    "advisory" : "RHSA-2015:1526",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "java-1.6.0-openjdk-1:1.6.0.36-1.13.8.1.el5_11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5 Supplementary",
    "release_date" : "2015-07-22T00:00:00Z",
    "advisory" : "RHSA-2015:1486",
    "cpe" : "cpe:/a:redhat:rhel_extras:5",
    "package" : "java-1.6.0-ibm-1:1.6.0.16.7-1jpp.1.el5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5 Supplementary",
    "release_date" : "2015-07-23T00:00:00Z",
    "advisory" : "RHSA-2015:1488",
    "cpe" : "cpe:/a:redhat:rhel_extras:5",
    "package" : "java-1.7.0-ibm-1:1.7.0.9.10-1jpp.2.el5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5 Supplementary",
    "release_date" : "2015-08-04T00:00:00Z",
    "advisory" : "RHSA-2015:1544",
    "cpe" : "cpe:/a:redhat:rhel_extras:5",
    "package" : "java-1.5.0-ibm-1:1.5.0.16.13-1jpp.3.el5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1072",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "openssl-0:1.0.1e-30.el6_6.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-06-25T00:00:00Z",
    "advisory" : "RHSA-2015:1185",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "nss-0:3.19.1-3.el6_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-06-25T00:00:00Z",
    "advisory" : "RHSA-2015:1185",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "nss-util-0:3.19.1-1.el6_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-07-15T00:00:00Z",
    "advisory" : "RHSA-2015:1228",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "java-1.8.0-openjdk-1:1.8.0.51-0.b16.el6_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-07-15T00:00:00Z",
    "advisory" : "RHSA-2015:1229",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "java-1.7.0-openjdk-1:1.7.0.85-2.6.1.3.el6_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-07-30T00:00:00Z",
    "advisory" : "RHSA-2015:1526",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "java-1.6.0-openjdk-1:1.6.0.36-1.13.8.1.el6_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6 Supplementary",
    "release_date" : "2015-07-22T00:00:00Z",
    "advisory" : "RHSA-2015:1485",
    "cpe" : "cpe:/a:redhat:rhel_extras:6",
    "package" : "java-1.7.1-ibm-1:1.7.1.3.10-1jpp.3.el6_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6 Supplementary",
    "release_date" : "2015-07-22T00:00:00Z",
    "advisory" : "RHSA-2015:1486",
    "cpe" : "cpe:/a:redhat:rhel_extras:6",
    "package" : "java-1.6.0-ibm-1:1.6.0.16.7-1jpp.1.el6_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6 Supplementary",
    "release_date" : "2015-08-04T00:00:00Z",
    "advisory" : "RHSA-2015:1544",
    "cpe" : "cpe:/a:redhat:rhel_extras:6",
    "package" : "java-1.5.0-ibm-1:1.5.0.16.13-1jpp.3.el6_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1072",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "openssl-1:1.0.1e-42.ael7b_1.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-06-25T00:00:00Z",
    "advisory" : "RHSA-2015:1185",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nss-0:3.19.1-3.ael7b_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-06-25T00:00:00Z",
    "advisory" : "RHSA-2015:1185",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nss-util-0:3.19.1-1.ael7b_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-07-15T00:00:00Z",
    "advisory" : "RHSA-2015:1228",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "java-1.8.0-openjdk-1:1.8.0.51-1.b16.ael7b_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-07-15T00:00:00Z",
    "advisory" : "RHSA-2015:1229",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "java-1.7.0-openjdk-1:1.7.0.85-2.6.1.2.ael7b_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-07-30T00:00:00Z",
    "advisory" : "RHSA-2015:1526",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "java-1.6.0-openjdk-1:1.6.0.36-1.13.8.1.el7_1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4",
    "release_date" : "2016-10-12T00:00:00Z",
    "advisory" : "RHSA-2016:2056",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6.4",
    "package" : "openssl"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3.0",
    "release_date" : "2016-08-17T00:00:00Z",
    "advisory" : "RHSA-2016:1624",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0"
  }, {
    "product_name" : "Red Hat Satellite 5.6",
    "release_date" : "2015-08-12T00:00:00Z",
    "advisory" : "RHSA-2015:1604",
    "cpe" : "cpe:/a:redhat:network_satellite:5.6::el5",
    "package" : "java-1.6.0-ibm-1:1.6.0.16.7-1jpp.1.el5"
  }, {
    "product_name" : "Red Hat Satellite 5.7",
    "release_date" : "2015-08-12T00:00:00Z",
    "advisory" : "RHSA-2015:1604",
    "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6",
    "package" : "java-1.6.0-ibm-1:1.6.0.16.7-1jpp.1.el6_7"
  }, {
    "product_name" : "Supplementary for Red Hat Enterprise Linux 7",
    "release_date" : "2015-07-22T00:00:00Z",
    "advisory" : "RHSA-2015:1485",
    "cpe" : "cpe:/a:redhat:rhel_extras:7",
    "package" : "java-1.7.1-ibm-1:1.7.1.3.10-1jpp.1.ael7b_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Affected",
    "package_name" : "nss",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "openssl097a",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "openssl098e",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "openssl098e",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1",
    "fix_state" : "Will not fix",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 3",
    "fix_state" : "Affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-4000\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-4000\nhttps://access.redhat.com/articles/1456263\nhttps://weakdh.org/" ],
  "csaw" : true,
  "name" : "CVE-2015-4000"
}