National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2015-4000 Detail

Description

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

Source:  MITRE
Description Last Modified:  05/20/2015

Impact

CVSS v3.0 Severity and Metrics:

Base Score: 3.7 LOW
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N (V3 legend)
Impact Score: 1.4
Exploitability Score: 2.2


Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): None

CVSS v2.0 Severity and Metrics:

Base Score: 4.3 MEDIUM
Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) (V2 legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6


Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Additional Information:
Allows unauthorized modification

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
http://aix.software.ibm.com/aix/efixes/security/sendmail_advisory2.asc
http://fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2015-008.txt.asc
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04876402
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04949778
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10681
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727
http://lists.apple.com/archives/security-announce/2015/Jun/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159314.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159351.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160117.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00023.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00024.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00017.html
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00040.html
http://lists.opensuse.org/opensuse-updates/2015-07/msg00016.html
http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00094.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00097.html
http://marc.info/?l=bugtraq&m=143506486712441&w=2
http://marc.info/?l=bugtraq&m=143557934009303&w=2
http://marc.info/?l=bugtraq&m=143558092609708&w=2
http://marc.info/?l=bugtraq&m=143628304012255&w=2
http://marc.info/?l=bugtraq&m=143637549705650&w=2
http://marc.info/?l=bugtraq&m=143655800220052&w=2
http://marc.info/?l=bugtraq&m=143880121627664&w=2
http://marc.info/?l=bugtraq&m=144043644216842&w=2
http://marc.info/?l=bugtraq&m=144050121701297&w=2
http://marc.info/?l=bugtraq&m=144060576831314&w=2
http://marc.info/?l=bugtraq&m=144060606031437&w=2
http://marc.info/?l=bugtraq&m=144061542602287&w=2
http://marc.info/?l=bugtraq&m=144069189622016&w=2
http://marc.info/?l=bugtraq&m=144102017024820&w=2
http://marc.info/?l=bugtraq&m=144104533800819&w=2
http://marc.info/?l=bugtraq&m=144493176821532&w=2
http://marc.info/?l=bugtraq&m=145409266329539&w=2
http://openwall.com/lists/oss-security/2015/05/20/8
http://rhn.redhat.com/errata/RHSA-2015-1072.html
http://rhn.redhat.com/errata/RHSA-2015-1185.html
http://rhn.redhat.com/errata/RHSA-2015-1197.html
http://rhn.redhat.com/errata/RHSA-2015-1228.html
http://rhn.redhat.com/errata/RHSA-2015-1229.html
http://rhn.redhat.com/errata/RHSA-2015-1230.html
http://rhn.redhat.com/errata/RHSA-2015-1241.html
http://rhn.redhat.com/errata/RHSA-2015-1242.html
http://rhn.redhat.com/errata/RHSA-2015-1243.html
http://rhn.redhat.com/errata/RHSA-2015-1485.html
http://rhn.redhat.com/errata/RHSA-2015-1486.html
http://rhn.redhat.com/errata/RHSA-2015-1488.html
http://rhn.redhat.com/errata/RHSA-2015-1526.html
http://rhn.redhat.com/errata/RHSA-2015-1544.html
http://rhn.redhat.com/errata/RHSA-2015-1604.html
http://rhn.redhat.com/errata/RHSA-2016-1624.html
http://rhn.redhat.com/errata/RHSA-2016-2056.html
http://support.apple.com/kb/HT204941
http://support.apple.com/kb/HT204942
http://support.citrix.com/article/CTX201114
http://www.debian.org/security/2015/dsa-3287
http://www.debian.org/security/2015/dsa-3300
http://www.debian.org/security/2015/dsa-3316
http://www.debian.org/security/2015/dsa-3324
http://www.debian.org/security/2015/dsa-3339
http://www.debian.org/security/2016/dsa-3688
http://www.fortiguard.com/advisory/2015-05-20-logjam-attack
http://www.mozilla.org/security/announce/2015/mfsa2015-70.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/bid/74733
http://www.securityfocus.com/bid/91787
http://www.securitytracker.com/id/1032474
http://www.securitytracker.com/id/1032475
http://www.securitytracker.com/id/1032476
http://www.securitytracker.com/id/1032637
http://www.securitytracker.com/id/1032645
http://www.securitytracker.com/id/1032647
http://www.securitytracker.com/id/1032648
http://www.securitytracker.com/id/1032649
http://www.securitytracker.com/id/1032650
http://www.securitytracker.com/id/1032651
http://www.securitytracker.com/id/1032652
http://www.securitytracker.com/id/1032653
http://www.securitytracker.com/id/1032654
http://www.securitytracker.com/id/1032655
http://www.securitytracker.com/id/1032656
http://www.securitytracker.com/id/1032688
http://www.securitytracker.com/id/1032699
http://www.securitytracker.com/id/1032702
http://www.securitytracker.com/id/1032727
http://www.securitytracker.com/id/1032759
http://www.securitytracker.com/id/1032777
http://www.securitytracker.com/id/1032778
http://www.securitytracker.com/id/1032783
http://www.securitytracker.com/id/1032784
http://www.securitytracker.com/id/1032856
http://www.securitytracker.com/id/1032864
http://www.securitytracker.com/id/1032865
http://www.securitytracker.com/id/1032871
http://www.securitytracker.com/id/1032884
http://www.securitytracker.com/id/1032910
http://www.securitytracker.com/id/1032932
http://www.securitytracker.com/id/1032960
http://www.securitytracker.com/id/1033019
http://www.securitytracker.com/id/1033064
http://www.securitytracker.com/id/1033065
http://www.securitytracker.com/id/1033067
http://www.securitytracker.com/id/1033208
http://www.securitytracker.com/id/1033209
http://www.securitytracker.com/id/1033210
http://www.securitytracker.com/id/1033222
http://www.securitytracker.com/id/1033341
http://www.securitytracker.com/id/1033385
http://www.securitytracker.com/id/1033416
http://www.securitytracker.com/id/1033430
http://www.securitytracker.com/id/1033433
http://www.securitytracker.com/id/1033513
http://www.securitytracker.com/id/1033760
http://www.securitytracker.com/id/1033891
http://www.securitytracker.com/id/1033991
http://www.securitytracker.com/id/1034087
http://www.securitytracker.com/id/1034728
http://www.securitytracker.com/id/1034884
http://www.securitytracker.com/id/1036218
http://www.securitytracker.com/id/1040630
http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm
http://www.ubuntu.com/usn/USN-2656-1
http://www.ubuntu.com/usn/USN-2656-2
http://www.ubuntu.com/usn/USN-2673-1
http://www.ubuntu.com/usn/USN-2696-1
http://www.ubuntu.com/usn/USN-2706-1
http://www-01.ibm.com/support/docview.wss?uid=swg21959111
http://www-01.ibm.com/support/docview.wss?uid=swg21959195
http://www-01.ibm.com/support/docview.wss?uid=swg21959325
http://www-01.ibm.com/support/docview.wss?uid=swg21959453
http://www-01.ibm.com/support/docview.wss?uid=swg21959481
http://www-01.ibm.com/support/docview.wss?uid=swg21959517
http://www-01.ibm.com/support/docview.wss?uid=swg21959530
http://www-01.ibm.com/support/docview.wss?uid=swg21959539
http://www-01.ibm.com/support/docview.wss?uid=swg21959636
http://www-01.ibm.com/support/docview.wss?uid=swg21959812
http://www-01.ibm.com/support/docview.wss?uid=swg21960191
http://www-01.ibm.com/support/docview.wss?uid=swg21961717
http://www-01.ibm.com/support/docview.wss?uid=swg21962455
http://www-01.ibm.com/support/docview.wss?uid=swg21962739
http://www-304.ibm.com/support/docview.wss?uid=swg21958984
http://www-304.ibm.com/support/docview.wss?uid=swg21959132
http://www-304.ibm.com/support/docview.wss?uid=swg21960041
http://www-304.ibm.com/support/docview.wss?uid=swg21960194
http://www-304.ibm.com/support/docview.wss?uid=swg21960380
http://www-304.ibm.com/support/docview.wss?uid=swg21960418
http://www-304.ibm.com/support/docview.wss?uid=swg21962816
http://www-304.ibm.com/support/docview.wss?uid=swg21967893
https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained/
https://bto.bluecoat.com/security-advisory/sa98
https://bugzilla.mozilla.org/show_bug.cgi?id=1138554
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04718196
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04770140
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04772190
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773119
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773241
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04918839
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04923929
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926789
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04740527
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04953655
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05045763
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05128722
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05193083
https://kc.mcafee.com/corporate/index?page=content&id=SB10122
https://openssl.org/news/secadv/20150611.txt
https://puppet.com/security/cve/CVE-2015-4000
https://security.gentoo.org/glsa/201506-02
https://security.gentoo.org/glsa/201512-10
https://security.gentoo.org/glsa/201603-11
https://security.gentoo.org/glsa/201701-46
https://security.netapp.com/advisory/ntap-20150619-0001/
https://support.citrix.com/article/CTX216642
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03831en_us
https://weakdh.org/
https://weakdh.org/imperfect-forward-secrecy.pdf Vendor Advisory
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
https://www.openssl.org/news/secadv_20150611.txt Vendor Advisory
https://www.suse.com/security/cve/CVE-2015-4000.html
https://www-304.ibm.com/support/docview.wss?uid=swg21959745
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098403

Technical Details

Vulnerability Type (View All)

Vulnerable software and versions Switch to CPE 2.2

Configuration 1
OR
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*    versions up to (including) 1.0.1m
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*    versions up to (including) 1.0.2a
Configuration 2
OR
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
Configuration 3
AND
OR
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*    versions up to (including) 1.0.1m
OR
cpe:2.3:o:hp:hp-ux:b.11.31:*:*:*:*:*:*:*
Configuration 4
OR
cpe:2.3:a:ibm:content_manager:8.5:*:*:*:*:enterprise:*:*
Configuration 5
OR
cpe:2.3:a:oracle:jrockit:r28.3.6:*:*:*:*:*:*:*
Configuration 6
OR
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Configuration 7
OR
cpe:2.3:a:oracle:jdk:1.6.0:update_95:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update_75:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update_80:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update_33:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update_45:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update_95:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update_75:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update_80:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update_33:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update_45:*:*:*:*:*:*
Configuration 8
OR
cpe:2.3:o:suse:linux_enterprise_desktop:12:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:11.0:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:12:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:*:*:*:*:*:*:*
Configuration 9
OR
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*    versions up to (including) 8.3
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*    versions up to (including) 10.10.3
Configuration 10
OR
cpe:2.3:a:mozilla:network_security_services:3.19:*:*:*:*:*:*:*
Configuration 11
OR
cpe:2.3:a:oracle:sparc-opl_service_processor:*:*:*:*:*:*:*:*    versions up to (including) 1121
Configuration 12
OR
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:-:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:ie:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:opera:opera_browser:-:*:*:*:*:*:*:*
Configuration 13
OR
cpe:2.3:a:mozilla:firefox:39.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:31.8:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.1.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:2.35:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:31.8:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:38.1:*:*:*:*:*:*:*
cpe:2.3:o:mozilla:firefox_os:2.2:*:*:*:*:*:*:*

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

49 change records found - show changes

Quick Info

CVE Dictionary Entry:
CVE-2015-4000
NVD Published Date:
05/20/2015
NVD Last Modified:
05/09/2018