CVE - CVE-2015-4000

CVE-ID
CVE-2015-4000	Learn more at National Vulnerability Database (NVD) • Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings
Description
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[oss-security] 20150520 CVE-2015-4000 - TLS does not properly convey server's ciphersuite choice URL:http://openwall.com/lists/oss-security/2015/05/20/8 MISC:https://weakdh.org/ MISC:https://weakdh.org/imperfect-forward-secrecy.pdf MISC:https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained/ CONFIRM:https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ CONFIRM:https://www.suse.com/security/cve/CVE-2015-4000.html CONFIRM:https://www.openssl.org/news/secadv_20150611.txt CONFIRM:http://support.apple.com/kb/HT204941 CONFIRM:http://support.apple.com/kb/HT204942 CONFIRM:http://www.mozilla.org/security/announce/2015/mfsa2015-70.html CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=1138554 CONFIRM:https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21962455 CONFIRM:http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html CONFIRM:http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05128722 CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05045763 CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05193083 CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04740527 CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04953655 CONFIRM:http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html CONFIRM:http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html CONFIRM:http://fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery CONFIRM:http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727 CONFIRM:https://openssl.org/news/secadv/20150611.txt CONFIRM:http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04949778 CONFIRM:https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04918839 CONFIRM:https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04923929 CONFIRM:https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926789 CONFIRM:http://www-304.ibm.com/support/docview.wss?uid=swg21967893 CONFIRM:http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04876402 CONFIRM:https://bto.bluecoat.com/security-advisory/sa98 CONFIRM:http://www-304.ibm.com/support/docview.wss?uid=swg21960041 CONFIRM:https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246 CONFIRM:http://support.citrix.com/article/CTX201114 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21959111 CONFIRM:http://www.fortiguard.com/advisory/2015-05-20-logjam-attack CONFIRM:https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04770140 CONFIRM:https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04772190 CONFIRM:https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773119 CONFIRM:http://aix.software.ibm.com/aix/efixes/security/sendmail_advisory2.asc CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21960191 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21962739 CONFIRM:http://www-304.ibm.com/support/docview.wss?uid=swg21962816 CONFIRM:https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773241 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21959195 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21959325 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21959453 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21959481 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21959517 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21959530 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21959539 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21959636 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21959812 CONFIRM:http://www-304.ibm.com/support/docview.wss?uid=swg21958984 CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10122 CONFIRM:https://www-304.ibm.com/support/docview.wss?uid=swg21959745 CONFIRM:http://www-304.ibm.com/support/docview.wss?uid=swg21960380 CONFIRM:http://www-304.ibm.com/support/docview.wss?uid=swg21960418 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21961717 CONFIRM:http://www-304.ibm.com/support/docview.wss?uid=swg21959132 CONFIRM:http://www-304.ibm.com/support/docview.wss?uid=swg21960194 CONFIRM:https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098403 CONFIRM:http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10681 CONFIRM:https://security.netapp.com/advisory/ntap-20150619-0001/ CONFIRM:https://support.citrix.com/article/CTX216642 CONFIRM:https://puppet.com/security/cve/CVE-2015-4000 APPLE:APPLE-SA-2015-06-30-1 URL:http://lists.apple.com/archives/security-announce/2015/Jun/msg00001.html APPLE:APPLE-SA-2015-06-30-2 URL:http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html DEBIAN:DSA-3324 URL:http://www.debian.org/security/2015/dsa-3324 DEBIAN:DSA-3339 URL:http://www.debian.org/security/2015/dsa-3339 DEBIAN:DSA-3300 URL:http://www.debian.org/security/2015/dsa-3300 DEBIAN:DSA-3287 URL:http://www.debian.org/security/2015/dsa-3287 DEBIAN:DSA-3316 URL:http://www.debian.org/security/2015/dsa-3316 DEBIAN:DSA-3688 URL:http://www.debian.org/security/2016/dsa-3688 FEDORA:FEDORA-2015-9048 URL:http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159351.html FEDORA:FEDORA-2015-9130 URL:http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159314.html FEDORA:FEDORA-2015-9161 URL:http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160117.html GENTOO:GLSA-201603-11 URL:https://security.gentoo.org/glsa/201603-11 GENTOO:GLSA-201512-10 URL:https://security.gentoo.org/glsa/201512-10 GENTOO:GLSA-201506-02 URL:https://security.gentoo.org/glsa/201506-02 GENTOO:GLSA-201701-46 URL:https://security.gentoo.org/glsa/201701-46 HP:HPSBUX03388 URL:http://marc.info/?l=bugtraq&m=143880121627664&w=2 HP:SSRT102180 URL:http://marc.info/?l=bugtraq&m=143880121627664&w=2 HP:HPSBGN03533 URL:http://marc.info/?l=bugtraq&m=145409266329539&w=2 HP:HPSBGN03351 URL:http://marc.info/?l=bugtraq&m=143557934009303&w=2 HP:HPSBGN03361 URL:http://marc.info/?l=bugtraq&m=143628304012255&w=2 HP:HPSBGN03362 URL:http://marc.info/?l=bugtraq&m=143558092609708&w=2 HP:HPSBGN03373 URL:http://marc.info/?l=bugtraq&m=143655800220052&w=2 HP:HPSBGN03399 URL:http://marc.info/?l=bugtraq&m=144060576831314&w=2 HP:HPSBGN03402 URL:http://marc.info/?l=bugtraq&m=144069189622016&w=2 HP:HPSBGN03404 URL:http://marc.info/?l=bugtraq&m=144050121701297&w=2 HP:HPSBGN03405 URL:http://marc.info/?l=bugtraq&m=144060606031437&w=2 HP:HPSBGN03407 URL:http://marc.info/?l=bugtraq&m=144102017024820&w=2 HP:HPSBGN03411 URL:http://marc.info/?l=bugtraq&m=144061542602287&w=2 HP:HPSBMU03345 URL:http://marc.info/?l=bugtraq&m=144043644216842&w=2 HP:HPSBMU03356 URL:http://marc.info/?l=bugtraq&m=143506486712441&w=2 HP:HPSBMU03401 URL:http://marc.info/?l=bugtraq&m=144104533800819&w=2 HP:HPSBUX03363 URL:http://marc.info/?l=bugtraq&m=143637549705650&w=2 HP:HPSBUX03512 URL:http://marc.info/?l=bugtraq&m=144493176821532&w=2 HP:SSRT102254 URL:http://marc.info/?l=bugtraq&m=144493176821532&w=2 HP:SSRT102112 URL:https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04718196 NETBSD:NetBSD-SA2015-008 URL:http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2015-008.txt.asc REDHAT:RHSA-2015:1526 URL:http://rhn.redhat.com/errata/RHSA-2015-1526.html REDHAT:RHSA-2015:1072 URL:http://rhn.redhat.com/errata/RHSA-2015-1072.html REDHAT:RHSA-2015:1197 URL:http://rhn.redhat.com/errata/RHSA-2015-1197.html SUSE:SUSE-SU-2015:1268 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html SUSE:SUSE-SU-2015:1269 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html SUSE:openSUSE-SU-2016:0478 URL:http://lists.opensuse.org/opensuse-updates/2016-02/msg00094.html SUSE:openSUSE-SU-2016:0483 URL:http://lists.opensuse.org/opensuse-updates/2016-02/msg00097.html SUSE:SUSE-SU-2016:0224 URL:http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00031.html SUSE:openSUSE-SU-2016:0226 URL:http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00032.html SUSE:SUSE-SU-2016:0262 URL:http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00040.html SUSE:openSUSE-SU-2016:0255 URL:http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00037.html SUSE:openSUSE-SU-2016:0261 URL:http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00039.html SUSE:SUSE-SU-2015:1663 URL:http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00001.html SUSE:openSUSE-SU-2015:1684 URL:http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html SUSE:SUSE-SU-2015:1449 URL:http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html SUSE:SUSE-SU-2015:1581 URL:http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00017.html SUSE:openSUSE-SU-2015:1266 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html SUSE:openSUSE-SU-2015:1277 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html SUSE:SUSE-SU-2015:1319 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html SUSE:SUSE-SU-2015:1320 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html SUSE:openSUSE-SU-2015:1288 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html SUSE:openSUSE-SU-2015:1289 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html SUSE:SUSE-SU-2015:1143 URL:http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00024.html SUSE:SUSE-SU-2015:1150 URL:http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00026.html SUSE:SUSE-SU-2015:1177 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00001.html SUSE:SUSE-SU-2015:1181 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00003.html SUSE:SUSE-SU-2015:1182 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00004.html SUSE:SUSE-SU-2015:1183 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00005.html SUSE:SUSE-SU-2015:1184 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00006.html SUSE:openSUSE-SU-2015:1139 URL:http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00023.html SUSE:SUSE-SU-2015:1185 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00007.html SUSE:openSUSE-SU-2015:1209 URL:http://lists.opensuse.org/opensuse-updates/2015-07/msg00016.html SUSE:openSUSE-SU-2015:1229 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html UBUNTU:USN-2673-1 URL:http://www.ubuntu.com/usn/USN-2673-1 UBUNTU:USN-2696-1 URL:http://www.ubuntu.com/usn/USN-2696-1 UBUNTU:USN-2706-1 URL:http://www.ubuntu.com/usn/USN-2706-1 UBUNTU:USN-2656-1 URL:http://www.ubuntu.com/usn/USN-2656-1 UBUNTU:USN-2656-2 URL:http://www.ubuntu.com/usn/USN-2656-2 BID:74733 URL:http://www.securityfocus.com/bid/74733 BID:91787 URL:http://www.securityfocus.com/bid/91787 SECTRACK:1033064 URL:http://www.securitytracker.com/id/1033064 SECTRACK:1034884 URL:http://www.securitytracker.com/id/1034884 SECTRACK:1034728 URL:http://www.securitytracker.com/id/1034728 SECTRACK:1033991 URL:http://www.securitytracker.com/id/1033991 SECTRACK:1034087 URL:http://www.securitytracker.com/id/1034087 SECTRACK:1033760 URL:http://www.securitytracker.com/id/1033760 SECTRACK:1033385 URL:http://www.securitytracker.com/id/1033385 SECTRACK:1033416 URL:http://www.securitytracker.com/id/1033416 SECTRACK:1033430 URL:http://www.securitytracker.com/id/1033430 SECTRACK:1033433 URL:http://www.securitytracker.com/id/1033433 SECTRACK:1033513 URL:http://www.securitytracker.com/id/1033513 SECTRACK:1033208 URL:http://www.securitytracker.com/id/1033208 SECTRACK:1033209 URL:http://www.securitytracker.com/id/1033209 SECTRACK:1033210 URL:http://www.securitytracker.com/id/1033210 SECTRACK:1033222 URL:http://www.securitytracker.com/id/1033222 SECTRACK:1033341 URL:http://www.securitytracker.com/id/1033341 SECTRACK:1033891 URL:http://www.securitytracker.com/id/1033891 SECTRACK:1032637 URL:http://www.securitytracker.com/id/1032637 SECTRACK:1032645 URL:http://www.securitytracker.com/id/1032645 SECTRACK:1032647 URL:http://www.securitytracker.com/id/1032647 SECTRACK:1032648 URL:http://www.securitytracker.com/id/1032648 SECTRACK:1032649 URL:http://www.securitytracker.com/id/1032649 SECTRACK:1032650 URL:http://www.securitytracker.com/id/1032650 SECTRACK:1032651 URL:http://www.securitytracker.com/id/1032651 SECTRACK:1032652 URL:http://www.securitytracker.com/id/1032652 SECTRACK:1032653 URL:http://www.securitytracker.com/id/1032653 SECTRACK:1032654 URL:http://www.securitytracker.com/id/1032654 SECTRACK:1032655 URL:http://www.securitytracker.com/id/1032655 SECTRACK:1032656 URL:http://www.securitytracker.com/id/1032656 SECTRACK:1032688 URL:http://www.securitytracker.com/id/1032688 SECTRACK:1032699 URL:http://www.securitytracker.com/id/1032699 SECTRACK:1032702 URL:http://www.securitytracker.com/id/1032702 SECTRACK:1032727 URL:http://www.securitytracker.com/id/1032727 SECTRACK:1032759 URL:http://www.securitytracker.com/id/1032759 SECTRACK:1032777 URL:http://www.securitytracker.com/id/1032777 SECTRACK:1032778 URL:http://www.securitytracker.com/id/1032778 SECTRACK:1032783 URL:http://www.securitytracker.com/id/1032783 SECTRACK:1032784 URL:http://www.securitytracker.com/id/1032784 SECTRACK:1032856 URL:http://www.securitytracker.com/id/1032856 SECTRACK:1032864 URL:http://www.securitytracker.com/id/1032864 SECTRACK:1032865 URL:http://www.securitytracker.com/id/1032865 SECTRACK:1032871 URL:http://www.securitytracker.com/id/1032871 SECTRACK:1032884 URL:http://www.securitytracker.com/id/1032884 SECTRACK:1032474 URL:http://www.securitytracker.com/id/1032474 SECTRACK:1032475 URL:http://www.securitytracker.com/id/1032475 SECTRACK:1032476 URL:http://www.securitytracker.com/id/1032476 SECTRACK:1036218 URL:http://www.securitytracker.com/id/1036218 SECTRACK:1033019 URL:http://www.securitytracker.com/id/1033019 SECTRACK:1033065 URL:http://www.securitytracker.com/id/1033065 SECTRACK:1033067 URL:http://www.securitytracker.com/id/1033067 SECTRACK:1032910 URL:http://www.securitytracker.com/id/1032910 SECTRACK:1032932 URL:http://www.securitytracker.com/id/1032932 SECTRACK:1032960 URL:http://www.securitytracker.com/id/1032960
Assigning CNA
N/A
Date Entry Created
20150515	Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20150515)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE list, which standardizes names for security problems.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org