CVE-2015-2808

Publication date 31 March 2015

Last updated 6 June 2026

Ubuntu priority

Cvss 3 Severity Score

Description

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openjdk-6	15.10 wily	Not affected
	15.04 vivid	Fixed 6b36-1.13.8-0ubuntu1~15.04.1
	14.10 utopic	Ignored end of life
	14.04 LTS trusty	Fixed 6b36-1.13.8-0ubuntu1~14.04
	12.04 LTS precise	Fixed 6b36-1.13.8-0ubuntu1~12.04
openjdk-8	15.10 wily	Fixed 8u66-b17-1
	15.04 vivid	Ignored end of life
	14.10 utopic	Ignored end of life
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
openjdk-7	15.10 wily	Not affected
	15.04 vivid	Fixed 7u79-2.5.6-0ubuntu1.15.04.1
	14.10 utopic	Ignored end of life
	14.04 LTS trusty	Fixed 7u79-2.5.6-0ubuntu1.14.04.1
	12.04 LTS precise	Fixed 7u79-2.5.6-0ubuntu1.12.04.1

Notes

tyhicks

This is an RC4 protocol flaw and it is not specific to an Ubuntu package

Severity score breakdown

Parameter	Value
Base score	3.7 · Low
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

Related Ubuntu Security Notices (USN)

2696-1
OpenJDK 7 vulnerabilities
30 July 2015

USN-2706-1
OpenJDK 6 vulnerabilities
6 August 2015

USN-2696-1
OpenJDK 7 vulnerabilities
30 July 2015