PT-2015-1090 · Oracle+5 · JRockit+7

Published 2015-04-14 · Updated 2024-06-15 · CVE-2015-0488

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions

Oracle Java SE versions 5.0u81, 6u91, 7u76, and 8u40
JRockit version R28.3.5

Description

The issue allows remote attackers to affect availability via vectors related to JSSE, potentially disrupting data access. It is also related to a vulnerability that could allow a remote attacker to downgrade the security of certain SSL/TLS connections, facilitating brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

Recommendations

For Oracle Java SE versions 5.0u81, 6u91, 7u76, and 8u40, consider disabling the JSSE component until a patch is available. For JRockit version R28.3.5, restrict access to the JSSE component to minimize the risk of exploitation. As a temporary workaround, consider configuring SSL/TLS connections to reject the use of RSA temporary keys in non-export RSA key exchange ciphersuites.

Fix

Weakness Enumeration

Related Identifiers

BDU:2015-09956
BDU:2015-09961
CESA-2015_0806
CESA-2015_0808
CESA-2015_0809
CVE-2015-0488
DLA-213-1
DSA-3234-1
DSA-3235-1
DSA-3316-1
MGASA-2015-0158
OPENSUSE-SU-2015_0773-1
OPENSUSE-SU-2015_0774-1
OPENSUSE-SU-2024:10534-1
RHSA-2015:0806
RHSA-2015:0807
RHSA-2015:0808
RHSA-2015:0809
RHSA-2015:0854
RHSA-2015:0857
RHSA-2015:0858
RHSA-2015:1006
RHSA-2015:1007
RHSA-2015:1020
RHSA-2015:1021
RHSA-2015:1091
RHSA-2015_0806
RHSA-2015_0807
RHSA-2015_0808
RHSA-2015_0809
RHSA-2015_0854
RHSA-2015_0857
RHSA-2015_0858
RHSA-2015_1006
RHSA-2015_1020
RHSA-2015_1021
SUSE-SU-2015:0789-1
SUSE-SU-2015:1161-1
SUSE-SU-2015:2166-1
SUSE-SU-2015:2168-1
SUSE-SU-2015:2168-2
SUSE-SU-2015:2182-1
SUSE-SU-2015:2192-1
SUSE-SU-2015:2216-1
USN-2573-1
USN-2574-1

Affected Products

CentOS
IBM AIX
JRockit
Java Platform
Java SE
Red Hat
SUSE
Ubuntu