CVE-2015-2808

low

Published 2015-04-01 · Modified 2026-05-28

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

3.7

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

3.7

Description

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.

Predictions

Exploit likelihood

47%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact

Red Hat Affected 11 releases

Version	Status	Fixed in
7.7	Affected	—
7.6	Affected	—
7.5	Affected	—
7.4	Affected	—
7.3	Affected	—
7.2	Affected	—
7.1	Affected	—
7.0	Affected	—
6.6	Affected	—
6.0	Affected	—
5.0	Affected	—

SUSE Affected 6 releases

Version	Status	Fixed in
13.2	Affected	—
13.1	Affected	—
12	Affected	—
11	Affected	—
10	Affected	—
—	Affected	—

Ubuntu Affected 3 releases

Version	Status	Fixed in
15.04	Affected	—
14.04	Affected	—
12.04	Affected	—

Debian Mixed 3 releases

Version	Status	Fixed in
sid	Fixed	`8u66-b01-1`
8.0	Affected	—
7.0	Affected	—

Application impact

Vendor	Product	Versions	Fixed
oracle	communications_application_session_controller	`{"startIncluding":"3.0.0","endIncluding":"3.9.0"}`
oracle	communications_policy_management	`{"endExcluding":"9.9.2"}`	`9.9.2`
oracle	http_server	`11.1.1.7.0`
oracle	http_server	`11.1.1.9.0`
oracle	http_server	`12.1.3.0.0`
oracle	http_server	`12.2.1.1.0`
oracle	http_server	`12.2.1.2.0`
redhat	satellite	`5.7`
suse	linux_enterprise_debuginfo	`11`
suse	manager	`1.7`
redhat	satellite	`5.6`
huawei	oceanstor_replicationdirector	`v100r003c00`
huawei	policy_center	`v100r003c00`
huawei	policy_center	`v100r003c10`
huawei	smc2.0	`v100r002c01`
huawei	smc2.0	`v100r002c02`
huawei	smc2.0	`v100r002c03`
huawei	smc2.0	`v100r002c04`
huawei	ultravr	`v100r003c00`
ibm	cognos_metrics_manager	`10.1`
ibm	cognos_metrics_manager	`10.1.1`
ibm	cognos_metrics_manager	`10.2`
ibm	cognos_metrics_manager	`10.2.1`
ibm	cognos_metrics_manager	`10.2.2`
fujitsu	sparc_enterprise_m3000	`-`
fujitsu	sparc_enterprise_m4000	`-`
fujitsu	sparc_enterprise_m5000	`-`
fujitsu	sparc_enterprise_m8000	`-`
fujitsu	sparc_enterprise_m9000	`-`
huawei	e6000	`-`
huawei	e9000	`-`
huawei	oceanstor_18500	`-`
huawei	oceanstor_18800	`-`
huawei	oceanstor_18800f	`-`
huawei	oceanstor_9000	`-`
huawei	oceanstor_cse	`-`
huawei	oceanstor_hvs85t	`-`
huawei	oceanstor_s2600t	`-`
huawei	oceanstor_s5500t	`-`
huawei	oceanstor_s5600t	`-`
huawei	oceanstor_s5800t	`-`
huawei	oceanstor_s6800t	`-`
huawei	oceanstor_vis6600t	`-`
huawei	quidway_s9300	`-`
huawei	s7700	`-`
huawei	9700	`-`
huawei	s12700	`-`
huawei	s2700	`-`
huawei	s3700	`-`
huawei	s5700ei	`-`
huawei	s5700hi	`-`
huawei	s5700si	`-`
huawei	s5710ei	`-`
huawei	s5710hi	`-`
huawei	s6700	`-`
huawei	s2750	`-`
huawei	s5700li	`-`
huawei	s5700s-li	`-`
huawei	s5720hi	`-`
huawei	s5720ei	`-`
huawei	te60	`-`

References

CWEs

CWE-327

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.