Bug 1207101 (CVE-2015-2808) - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
Summary: CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-2808
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1207107 1209063
TreeView+ depends on / blocked
 
Reported: 2015-03-30 08:56 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-12-15 15:49 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-24 21:10:44 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1006 0 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2015-05-13 17:34:08 UTC
Red Hat Product Errata RHSA-2015:1007 0 normal SHIPPED_LIVE Critical: java-1.7.0-ibm security update 2015-05-13 17:33:04 UTC
Red Hat Product Errata RHSA-2015:1020 0 normal SHIPPED_LIVE Critical: java-1.7.1-ibm security update 2015-05-20 23:05:51 UTC
Red Hat Product Errata RHSA-2015:1021 0 normal SHIPPED_LIVE Important: java-1.5.0-ibm security update 2015-05-20 22:36:22 UTC
Red Hat Product Errata RHSA-2015:1091 0 normal SHIPPED_LIVE Low: Red Hat Satellite IBM Java Runtime security update 2015-06-11 17:21:29 UTC
Red Hat Product Errata RHSA-2015:1228 0 normal SHIPPED_LIVE Important: java-1.8.0-openjdk security update 2015-07-15 16:37:01 UTC
Red Hat Product Errata RHSA-2015:1229 0 normal SHIPPED_LIVE Critical: java-1.7.0-openjdk security update 2015-07-15 16:35:48 UTC
Red Hat Product Errata RHSA-2015:1230 0 normal SHIPPED_LIVE Important: java-1.7.0-openjdk security update 2015-07-15 16:01:10 UTC
Red Hat Product Errata RHSA-2015:1241 0 normal SHIPPED_LIVE Critical: java-1.8.0-oracle security update 2017-12-15 15:34:28 UTC
Red Hat Product Errata RHSA-2015:1242 0 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2017-12-15 15:31:57 UTC
Red Hat Product Errata RHSA-2015:1243 0 normal SHIPPED_LIVE Important: java-1.6.0-sun security update 2017-12-15 15:34:18 UTC
Red Hat Product Errata RHSA-2015:1526 0 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security update 2015-07-30 21:14:52 UTC

Description Huzaifa S. Sidhpurwala 2015-03-30 08:56:01 UTC
It was discovered that the Invariance Weakness of the RC4 stream cipher could be used to recover plaintext from a TLS connection, when RC4 encryption is used.

"The Invariance Weakness is an L-shape key pattern in RC4 keys, which once it exists in an RC4 key, preserves part of the state permutation intact throughout the initialization process. This intact part includes the least significant bits of the permutation, when processed by the PRGA algorithm, determines the least significant bits of the allegedly pseudo-random output stream along a long prefix of the stream."

This can lead to significant leakage of plaintext bytes from the ciphertext.

External Reference:

http://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf

Comment 1 Huzaifa S. Sidhpurwala 2015-03-30 08:58:18 UTC
Statement:

This flaw is related to the design of the RC4 protocol and not its implementation. Therefore there are no plans to correct this issue in Red Hat Enterprise Linux 5, 6 and 7. Future updates may disable the use of RC4 in various components.

Comment 3 Vasyl Kaigorodov 2015-04-01 10:01:27 UTC
CVE has been assigned to this issue:

Name: CVE-2015-2808
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808
Reference: https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does
not properly combine state data with key data during the
initialization phase, which makes it easier for remote attackers to
conduct plaintext-recovery attacks against the initial bytes of a
stream by sniffing network traffic that occasionally relies on keys
affected by the Invariance Weakness, and then using a brute-force
approach involving LSB values, aka the "Bar Mitzvah" issue.

Comment 4 Tomas Hoger 2015-05-07 20:51:53 UTC
IBM Java security alerts page lists this issue as fixed in "IBM Security Update May 2015" in IBM JDK versions 5.0 SR16-FP10, 6 SR16-FP4, 6R1 SR8-FP4, 7 SR9, 7R1 SR3 and 8 SR1.

http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_June_2015

The flaw was addressed by disabling all RC4 SSL/TLS cipher suites.  The following changes were applied:

- SSL/TLS cipher suites that use RC4 are no longer enabled by default.

- IBM Java versions 7 and later also add RC4 to the jdk.tls.disabledAlgorithms security property set in java.security file.  This change was not applied to IBM Java 5.0 and 6, where the jdk.tls.disabledAlgorithms property can only be used to disable SSL/TLS protocol versions, but can not be used to disable specific algorithms.

In deployments where RC4 support is still needed, the following changes has to be done to re-enable RC4:

- RC4 needs to be removed from the jdk.tls.disabledAlgorithms.  This can be done globally by changing the java.security file (located in the jre/lib/security sub-directory of the JDK main installation directory under /usr/lib/jvm), or by re-defining the default disabledAlgorithms setting for specific application (refer to bug 1152789 comment 82 for an example of overriding security property defined in java.security for a specific JVM invocation).  This step is not needed for IBM Java 5.0 and 6.

- Application needs to explicitly enable required RC4 cipher suites.  This can be achieved using the setEnabledCipherSuites() method of SSLSocket and SSLServerSocket classes.  Applications may already provide configuration options allowing users to customize the set of enabled cipher suites without requiring further application modifications.

Comment 5 Tomas Hoger 2015-05-07 21:13:19 UTC
The jdk.tls.disabledAlgorithms security property can be used to disable RC4 in the current versions of OpenJDK 6, 7, and 8, and the current versions of Oracle JDK 7 and 8 (but not 6, for the same reason described in comment 4 above for IBM JDK 5.0 and 6).  The default value defined in java.security file for those JDKs is:

  jdk.tls.disabledAlgorithms=SSLv3

(with the exception of OpenJDK 8, where EC algorithms are also disabled)

Adding RC4 to the value disables RC4 algorithm.  The new value should look like:

  jdk.tls.disabledAlgorithms=SSLv3, RC4

This change was already applied in OpenJDK 8 upstream, and hence is likely to appear in the future Oracle JDK and OpenJDK updates:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/6a24fc5e32a3

Comment 6 errata-xmlrpc 2015-05-13 13:33:27 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1007 https://rhn.redhat.com/errata/RHSA-2015-1007.html

Comment 7 errata-xmlrpc 2015-05-13 13:35:27 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1006 https://rhn.redhat.com/errata/RHSA-2015-1006.html

Comment 8 errata-xmlrpc 2015-05-20 18:36:39 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:1021 https://rhn.redhat.com/errata/RHSA-2015-1021.html

Comment 9 errata-xmlrpc 2015-05-20 19:06:12 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2015:1020 https://rhn.redhat.com/errata/RHSA-2015-1020.html

Comment 10 errata-xmlrpc 2015-06-11 13:21:49 UTC
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.6
  Red Hat Satellite Server v 5.7

Via RHSA-2015:1091 https://rhn.redhat.com/errata/RHSA-2015-1091.html

Comment 11 Tomas Hoger 2015-07-13 13:11:36 UTC
Oracle Critical Patch Update Advisory - July 2015 lists this issue as fixed in Oracle JDK 6u101, 7u85, and 8u51:

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA


The flaw was addressed by removing all RC4 SSL/TLS cipher suites form the set of cipher suites enabled by default.  It is still possible to re-enable them using the setEnabledCipherSuites() method of SSLEngine, SSLSocket and SSLServerSocket classes.  Applications may already provide configuration options allowing users to customize the set of enabled cipher suites without requiring further application modifications.

This change is described in Oracle JDK release notes:

Area: security-libs/javax.net.ssl
Synopsis: Prohibit RC4 cipher suites

RC4 is now considered as a compromised cipher. RC4 cipher suites have been removed from both client and server default enabled cipher suite list in Oracle JSSE implementation. These cipher suites can still be enabled by SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() methods.

See JDK-8077109 (not public).

http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html
http://www.oracle.com/technetwork/java/javase/7u85-relnotes-2587591.html
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html


Unlike IBM JDK updates released in May 2015 (see comment 4), or unlike upstream OpenJDK 8 repositories (see comment 5), RC4 has not yet been added to the jdk.tls.disabledAlgorithms security property.  System administrators may choose to add it to the jdk.tls.disabledAlgorithms to prevent it from being enabled via setEnabledCipherSuites().


Additional related change was done in July 2015 CPU.  A new security property jdk.tls.legacyAlgorithms was introduced, and RC4 was added to this list of legacy algorithms.  This property is used by the TLS/SSL server implementation.  When some legacy algorithm is enabled (e.g. when cipher suites using RC4 are enabled using setEnabledCipherSuites()), server prefers cipher suites using non-legacy algorithms even when client indicates cipher suites with legacy algorithms as preferred.

The aim of this change it to make it possible to leave RC4 enabled on the server side for compatibility with clients that do not support any other stronger cipher suite, while ensuring it is not used with clients that do support stronger ciphers.

Oracle JDK release notes entry for this changes:

Area: security-libs/javax.net.ssl
Synopsis: Deprecate RC4 in SunJSSE provider

RC4 is now considered as a weak cipher. Servers should not select RC4 unless there is no other stronger candidate in the client requested cipher suites. A new security property, jdk.tls.legacyAlgorithms, is added to define the legacy algorithms in Oracle JSSE implementation. RC4 related algorithms are added to the legacy algorithms list.

See JDK-8074006 (not public).


OpenJDK updates released for the July 2015 CPU also implement these changes.

Comment 12 Tomas Hoger 2015-07-13 13:22:24 UTC
RFC 7465 was published that prohibits the use of RC4 ciphers suites TLS/SSL because of various known weaknesses of RC4:

https://tools.ietf.org/html/rfc7465

Comment 13 errata-xmlrpc 2015-07-15 12:01:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:1230 https://rhn.redhat.com/errata/RHSA-2015-1230.html

Comment 14 errata-xmlrpc 2015-07-15 12:36:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:1229 https://rhn.redhat.com/errata/RHSA-2015-1229.html

Comment 15 errata-xmlrpc 2015-07-15 12:37:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:1228 https://rhn.redhat.com/errata/RHSA-2015-1228.html

Comment 16 errata-xmlrpc 2015-07-17 08:03:52 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:1243 https://rhn.redhat.com/errata/RHSA-2015-1243.html

Comment 17 errata-xmlrpc 2015-07-17 08:05:05 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2015:1242 https://rhn.redhat.com/errata/RHSA-2015-1242.html

Comment 18 errata-xmlrpc 2015-07-17 08:08:01 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2015:1241 https://rhn.redhat.com/errata/RHSA-2015-1241.html

Comment 19 errata-xmlrpc 2015-07-30 17:15:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:1526 https://rhn.redhat.com/errata/RHSA-2015-1526.html

Comment 27 Tomas Hoger 2015-10-15 14:23:49 UTC
(In reply to Tomas Hoger from comment #11)
> OpenJDK updates released for the July 2015 CPU also implement these changes.

These are related OpenJDK8 upstream commit which disable RC4 by default and add it to jdk.tls.legacyAlgorithms:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/9890d5500183
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/cc75137936f9

Comment 31 Tomas Hoger 2015-10-22 21:12:16 UTC
Updated java-1.8.0-openjdk packages released via RHEA-2015:1796 (for Red Hat Enterprise Linux 7) and RHSA-2015:1919 (for Red Hat Enterprise Linux 6), as well as updated java-1.8.0-oracle packages released via RHSA-2015:1926 now include RC4 in the list of disabled algorithms defined via the jdk.tls.disabledAlgorithms security property.

If RC4 needs to be used with those JDKs, RC4 both needs to be removed from jdk.tls.disabledAlgorithms and ciphers using it explicitly enabled using setEnabledCipherSuites().  Refer to comment 4 above for further details.

Comment 32 Kurt Seifried 2015-12-23 17:12:45 UTC
Satellite 6.x uses Qpid for internal communications. The Qpid server currently supports RC4 making it potentially vulnerable to the Bar Mitzvah (CVE-2015-2808). Please note that actual exploitation of the Bar Mitzvah attack requires that the attacker be able to monitor the SSL session, as Qpid is used locally this would require the attacker to have administrative access on the server in order to sniff the traffic which greatly constrains exploitation of this vulnerability. Red Hat may address this issue in a future update of Qpid in Satellite 6.x.

Comment 33 Tomas Hoger 2016-04-19 19:48:06 UTC
Oracle JDK 7u101 and 6u115 add new system property that can be used to re-enable RC4 cipher suites.  Quoting from the Oracle JDK release notes:

  New system property to control re-enabling of RC4-based ciphersuites in
  7u101, 6u115 releases

  Setting -Djdk.tls.enableRC4CipherSuites=true adds the following RC4 based
  ciphersuites back to the default enabled JSSE ciphersuite list:

  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  TLS_ECDHE_RSA_WITH_RC4_128_SHA
  TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  TLS_ECDH_RSA_WITH_RC4_128_SHA
  SSL_RSA_WITH_RC4_128_SHA
  SSL_RSA_WITH_RC4_128_MD5

  This system property will only have impact from the JDK 7u101 and JDK 6u115
  releases. By default, RC4-based ciphersuites are not in the default enabled
  list. They were removed in the JDK 6u101 and JDK 7u85 releases.

  See JDK-8141050.

http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_101
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_115
https://bugs.openjdk.java.net/browse/JDK-8141050


Note You need to log in before you can comment on or make changes to this bug.