CVE-2015-0478

Name of the Vulnerable Software and Affected Versions Oracle Java SE versions 5.0u81, 6u91, 7u76, and 8u40 JRockit version R28.3.5

Description The issue allows a remote attacker to affect confidentiality via vectors related to the JCE component. It could also allow a remote attacker to downgrade the security of certain SSL/TLS connections, facilitating brute-force decryption of TLS/SSL traffic between vulnerable clients and servers using man-in-the-middle techniques.

Recommendations For Oracle Java SE versions 5.0u81, 6u91, 7u76, and 8u40, update to a version that fixes the issue. For JRockit version R28.3.5, update to a version that fixes the issue. As a temporary workaround, consider restricting the use of the JCE component until a patch is available. Avoid using RSA temporary keys in non-export RSA key exchange ciphersuites to minimize the risk of exploitation.