Information Security


CVE: CVE-2015-4000
Status: Candidate
Description: The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Severity: Medium
CVSS score: 4.3
CVSS vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Phase: Assigned (15.05.2015)
NVD: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4000
References: SECTRACK : 1033064
 BID : 74733
 APPLE : APPLE-SA-2015-06-30-1
 APPLE : APPLE-SA-2015-06-30-2
 DEBIAN : DSA-3324
 HP : HPSBUX03388
 CONFIRM : http://support.apple.com/kb/HT204941
 CONFIRM : http://support.apple.com/kb/HT204942
 CONFIRM : http://www-01.ibm.com/support/docview.wss?uid=swg2...
 CONFIRM : http://www.mozilla.org/security/announce/2015/mfsa...
 CONFIRM : http://www.oracle.com/technetwork/topics/security/...
 CONFIRM : http://www.oracle.com/technetwork/topics/security/...
 MISC : https://blog.cloudflare.com/logjam-the-latest-tls-...
 CONFIRM : https://bugzilla.mozilla.org/show_bug.cgi?id=1138554
 CONFIRM : https://developer.mozilla.org/en-US/docs/Mozilla/P...
 MISC : https://weakdh.org/
 MISC : https://weakdh.org/imperfect-forward-secrecy.pdf
 CONFIRM : https://www.openssl.org/blog/blog/2015/05/20/logja...
 CONFIRM : https://www.openssl.org/news/secadv_20150611.txt
 CONFIRM : https://www.suse.com/security/cve/CVE-2015-4000.html
 HP : SSRT102180
 SUSE : SUSE-SU-2015:1268
 SUSE : SUSE-SU-2015:1269
 UBUNTU : USN-2673-1
 MLIST : [oss-security] 20150520 CVE-2015-4000 - TLS does not properly convey server's ciphersuite choice
SecurityVulns: Multiple security vulnerabilities in Apple iOS
 Multiple security vulnerabilities in Apple Mac OS X / EFI
 Multiple security vulnerabilities in Mozilla Firefox / Thunderbird / Seamonkey
 Multiple security vulnerabilities in Oracle / Sun / PeopleSoft / MySQL
 Multiple security vulnerabilities in Oracle / Sun / PeopleSoft / MySQL
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod