PT-2015-1093 · Oracle+5 · Jrockit+7

Florian Weimer · Published 2015-04-14 · Updated 2024-06-15 · CVE-2015-0478

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Oracle Java SE versions 5.0u81, 6u91, 7u76, and 8u40
JRockit version R28.3.5

Description

The issue allows a remote attacker to affect confidentiality via vectors related to the JCE component. It could also allow a remote attacker to downgrade the security of certain SSL/TLS connections, facilitating brute-force decryption of TLS/SSL traffic between vulnerable clients and servers using man-in-the-middle techniques.

Recommendations

For Oracle Java SE versions 5.0u81, 6u91, 7u76, and 8u40, update to a version that fixes the issue. For JRockit version R28.3.5, update to a version that fixes the issue. As a temporary workaround, consider restricting the use of the JCE component until a patch is available. Avoid using RSA temporary keys in non-export RSA key exchange ciphersuites to minimize the risk of exploitation.

Fix


Weakness Enumeration

Related Identifiers

BDU:2015-09959
BDU:2015-09962
CESA-2015_0806
CESA-2015_0808
CESA-2015_0809
CVE-2015-0478
DLA-213-1
DSA-3234-1
DSA-3235-1
DSA-3316-1
MGASA-2015-0158
OPENSUSE-SU-2015_0773-1
OPENSUSE-SU-2015_0774-1
OPENSUSE-SU-2024:10534-1
RHSA-2015:0806
RHSA-2015:0807
RHSA-2015:0808
RHSA-2015:0809
RHSA-2015:0854
RHSA-2015:0857
RHSA-2015:0858
RHSA-2015:1006
RHSA-2015:1007
RHSA-2015:1020
RHSA-2015:1021
RHSA-2015:1091
RHSA-2015_0806
RHSA-2015_0807
RHSA-2015_0808
RHSA-2015_0809
RHSA-2015_0854
RHSA-2015_0857
RHSA-2015_0858
RHSA-2015_1006
RHSA-2015_1020
RHSA-2015_1021
SUSE-SU-2015:0789-1
SUSE-SU-2015:1161-1
SUSE-SU-2015:2166-1
SUSE-SU-2015:2168-1
SUSE-SU-2015:2168-2
SUSE-SU-2015:2182-1
SUSE-SU-2015:2192-1
SUSE-SU-2015:2216-1
USN-2573-1
USN-2574-1

Affected Products

CentOS
IBM AIX
JRockit
Java Platform
Java SE
Red Hat
SUSE
Ubuntu