CVE-2015-4000

Public on 2015-05-21

Modified on 2015-08-24

Description

A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic.

Severity

Medium

See what this means

CVSS v3 Base Score

3.7

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	java-1.6.0-openjdk	2015-08-24 22:26	ALAS-2015-586
Amazon Linux 1	java-1.7.0-openjdk	2015-07-22 10:00	ALAS-2015-570
Amazon Linux 1	java-1.8.0-openjdk	2015-07-22 10:00	ALAS-2015-571
Amazon Linux 1	nss	2015-07-22 10:00	ALAS-2015-569
Amazon Linux 1	nss-util	2015-07-22 10:00	ALAS-2015-569
Amazon Linux 1	openssl	2015-06-16 11:29	ALAS-2015-550

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv2	4.3	AV:N/AC:M/Au:N/C:P/I:N/A:N
Amazon Linux	CVSSv3	3.7	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD	CVSSv2	4.3	AV:N/AC:M/Au:N/C:N/I:P/A:N
NVD	CVSSv3	3.7	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

Red Hat: CVE-2015-4000 Mitre: CVE-2015-4000 FAQs regarding Amazon Linux ALAS/CVE Severity