CVE-2015-2808

low

Published 2015-04-01 · Modified 2026-05-28

CVSS v3

3.7

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v2

5.0

VIR risk

3.7

Description

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.

Predictions

Exploit likelihood

47%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2015-2808

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2015-2808.html

OS impact

OS	Version	Status	Fixed in
sles		affected
debian	7.0	affected
debian	8.0	affected
rhel	5.0	affected
rhel	6.0	affected
rhel	7.0	affected
rhel	6.6	affected
rhel	7.1	affected
rhel	7.2	affected
rhel	7.3	affected
rhel	7.4	affected
suse	13.1	affected
suse	13.2	affected
suse	11	affected
suse	12	affected
suse	10	affected
ubuntu	12.04	affected
ubuntu	14.04	affected
ubuntu	15.04	affected
rhel	7.5	affected
rhel	7.6	affected
rhel	7.7	affected
debian	sid	fixed	`8u66-b01-1`

Application impact

Vendor	Product	Versions	Fixed
oracle	communications_application_session_controller	`{"startIncluding":"3.0.0","endIncluding":"3.9.0"}`
oracle	communications_policy_management	`{"endExcluding":"9.9.2"}`	`9.9.2`
oracle	http_server	`11.1.1.7.0`
oracle	http_server	`11.1.1.9.0`
oracle	http_server	`12.1.3.0.0`
oracle	http_server	`12.2.1.1.0`
oracle	http_server	`12.2.1.2.0`
redhat	satellite	`5.7`
suse	linux_enterprise_debuginfo	`11`
suse	manager	`1.7`
redhat	satellite	`5.6`
huawei	oceanstor_replicationdirector	`v100r003c00`
huawei	policy_center	`v100r003c00`
huawei	policy_center	`v100r003c10`
huawei	smc2.0	`v100r002c01`
huawei	smc2.0	`v100r002c02`
huawei	smc2.0	`v100r002c03`
huawei	smc2.0	`v100r002c04`
huawei	ultravr	`v100r003c00`
ibm	cognos_metrics_manager	`10.1`
ibm	cognos_metrics_manager	`10.1.1`
ibm	cognos_metrics_manager	`10.2`
ibm	cognos_metrics_manager	`10.2.1`
ibm	cognos_metrics_manager	`10.2.2`
fujitsu	sparc_enterprise_m3000	`-`
fujitsu	sparc_enterprise_m4000	`-`
fujitsu	sparc_enterprise_m5000	`-`
fujitsu	sparc_enterprise_m8000	`-`
fujitsu	sparc_enterprise_m9000	`-`
huawei	e6000	`-`
huawei	e9000	`-`
huawei	oceanstor_18500	`-`
huawei	oceanstor_18800	`-`
huawei	oceanstor_18800f	`-`
huawei	oceanstor_9000	`-`
huawei	oceanstor_cse	`-`
huawei	oceanstor_hvs85t	`-`
huawei	oceanstor_s2600t	`-`
huawei	oceanstor_s5500t	`-`
huawei	oceanstor_s5600t	`-`
huawei	oceanstor_s5800t	`-`
huawei	oceanstor_s6800t	`-`
huawei	oceanstor_vis6600t	`-`
huawei	quidway_s9300	`-`
huawei	s7700	`-`
huawei	9700	`-`
huawei	s12700	`-`
huawei	s2700	`-`
huawei	s3700	`-`
huawei	s5700ei	`-`
huawei	s5700hi	`-`
huawei	s5700si	`-`
huawei	s5710ei	`-`
huawei	s5710hi	`-`
huawei	s6700	`-`
huawei	s2750	`-`
huawei	s5700li	`-`
huawei	s5700s-li	`-`
huawei	s5720hi	`-`
huawei	s5720ei	`-`
huawei	te60	`-`

References

CWEs

CWE-327

Verify integrity in audit chain (admin only). AS-IS.