It was discovered that the Invariance Weakness of the RC4 stream cipher could be used to recover plaintext from a TLS connection, when RC4 encryption is used. "The Invariance Weakness is an L-shape key pattern in RC4 keys, which once it exists in an RC4 key, preserves part of the state permutation intact throughout the initialization process. This intact part includes the least significant bits of the permutation, when processed by the PRGA algorithm, determines the least significant bits of the allegedly pseudo-random output stream along a long prefix of the stream." This can lead to significant leakage of plaintext bytes from the ciphertext. External Reference: http://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf
Statement: This flaw is related to the design of the RC4 protocol and not its implementation. Therefore there are no plans to correct this issue in Red Hat Enterprise Linux 5, 6 and 7. Future updates may disable the use of RC4 in various components.
CVE has been assigned to this issue: Name: CVE-2015-2808 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808 Reference: https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
IBM Java security alerts page lists this issue as fixed in "IBM Security Update May 2015" in IBM JDK versions 5.0 SR16-FP10, 6 SR16-FP4, 6R1 SR8-FP4, 7 SR9, 7R1 SR3 and 8 SR1. http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_June_2015 The flaw was addressed by disabling all RC4 SSL/TLS cipher suites. The following changes were applied:
- SSL/TLS cipher suites that use RC4 are no longer enabled by default.
- IBM Java versions 7 and later also add RC4 to the jdk.tls.disabledAlgorithms security property set in the java.security file. This change was not applied to IBM Java 5.0 and 6, where the jdk.tls.disabledAlgorithms property can only be used to disable SSL/TLS protocol versions, but cannot be used to disable specific algorithms.
In deployments where RC4 support is still needed, the following changes have to be made to re-enable RC4:
- RC4 needs to be removed from jdk.tls.disabledAlgorithms. This can be done globally by changing the java.security file (located in the jre/lib/security sub-directory of the JDK main installation directory under /usr/lib/jvm), or by re-defining the default disabledAlgorithms setting for a specific application (refer to bug 1152789 comment 82 for an example of overriding a security property defined in java.security for a specific JVM invocation). This step is not needed for IBM Java 5.0 and 6.
- Applications need to explicitly enable the required RC4 cipher suites. This can be achieved using the setEnabledCipherSuites() method of the SSLSocket and SSLServerSocket classes. Applications may already provide configuration options allowing users to customize the set of enabled cipher suites without requiring further application modifications.
The jdk.tls.disabledAlgorithms security property can be used to disable RC4 in the current versions of OpenJDK 6, 7, and 8, and the current versions of Oracle JDK 7 and 8 (but not 6, for the same reason described in comment 4 above for IBM JDK 5.0 and 6). The default value defined in the java.security file for those JDKs is:
jdk.tls.disabledAlgorithms=SSLv3
(with the exception of OpenJDK 8, where EC algorithms are also disabled). Adding RC4 to the value disables the RC4 algorithm. The new value should look like:
jdk.tls.disabledAlgorithms=SSLv3, RC4
This change was already applied in OpenJDK 8 upstream, and hence is likely to appear in future Oracle JDK and OpenJDK updates: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/6a24fc5e32a3
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2015:1007 https://rhn.redhat.com/errata/RHSA-2015-1007.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2015:1006 https://rhn.redhat.com/errata/RHSA-2015-1006.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2015:1021 https://rhn.redhat.com/errata/RHSA-2015-1021.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 7 Via RHSA-2015:1020 https://rhn.redhat.com/errata/RHSA-2015-1020.html
This issue has been addressed in the following products: Red Hat Satellite Server v 5.6 Red Hat Satellite Server v 5.7 Via RHSA-2015:1091 https://rhn.redhat.com/errata/RHSA-2015-1091.html
Oracle Critical Patch Update Advisory - July 2015 lists this issue as fixed in Oracle JDK 6u101, 7u85, and 8u51: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA The flaw was addressed by removing all RC4 SSL/TLS cipher suites from the set of cipher suites enabled by default. It is still possible to re-enable them using the setEnabledCipherSuites() method of the SSLEngine, SSLSocket and SSLServerSocket classes. Applications may already provide configuration options allowing users to customize the set of enabled cipher suites without requiring further application modifications. This change is described in the Oracle JDK release notes:
Area: security-libs/javax.net.ssl
Synopsis: Prohibit RC4 cipher suites
RC4 is now considered as a compromised cipher. RC4 cipher suites have been removed from both client and server default enabled cipher suite list in Oracle JSSE implementation. These cipher suites can still be enabled by SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() methods. See JDK-8077109 (not public).
http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html
http://www.oracle.com/technetwork/java/javase/7u85-relnotes-2587591.html
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
Unlike the IBM JDK updates released in May 2015 (see comment 4), or the upstream OpenJDK 8 repositories (see comment 5), RC4 has not yet been added to the jdk.tls.disabledAlgorithms security property. System administrators may choose to add it to jdk.tls.disabledAlgorithms to prevent it from being enabled via setEnabledCipherSuites(). An additional related change was made in the July 2015 CPU. A new security property jdk.tls.legacyAlgorithms was introduced, and RC4 was added to this list of legacy algorithms. This property is used by the TLS/SSL server implementation. When some legacy algorithm is enabled (e.g. when cipher suites using RC4 are enabled using setEnabledCipherSuites()), the server prefers cipher suites using non-legacy algorithms even when the client indicates cipher suites with legacy algorithms as preferred. The aim of this change is to make it possible to leave RC4 enabled on the server side for compatibility with clients that do not support any other stronger cipher suite, while ensuring it is not used with clients that do support stronger ciphers. Oracle JDK release notes entry for this change:
Area: security-libs/javax.net.ssl
Synopsis: Deprecate RC4 in SunJSSE provider
RC4 is now considered as a weak cipher. Servers should not select RC4 unless there is no other stronger candidate in the client requested cipher suites. A new security property, jdk.tls.legacyAlgorithms, is added to define the legacy algorithms in Oracle JSSE implementation. RC4 related algorithms are added to the legacy algorithms list. See JDK-8074006 (not public).
OpenJDK updates released for the July 2015 CPU also implement these changes.
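The two controls discussed in comments 4, 5 and 11 (the jdk.tls.disabledAlgorithms security property and per-socket setEnabledCipherSuites()) can be audited and applied from application code as well as from java.security. The following is an added example, not Red Hat, Oracle or IBM code; the class and method names are assumed, and it assumes a Java 6 or later JSSE provider.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example, not Red Hat, Oracle or IBM code; class and method names are assumed.
public class Rc4Audit {
    // Lists the RC4 cipher suites the JVM's default SSLContext would currently enable.
    static List<String> enabledRc4Suites() throws Exception {
        List<String> rc4 = new ArrayList<String>();
        for (String suite : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()) {
            if (suite.contains("_RC4_")) rc4.add(suite);
        }
        return rc4;
    }

    // Programmatic equivalent of editing java.security: append RC4 to jdk.tls.disabledAlgorithms.
    // Must run before JSSE is first used, because the property is read once at initialisation.
    static String disableRc4Globally() {
        String value = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (value == null || value.trim().isEmpty()) value = "SSLv3"; // default quoted in comment 5
        if (!Arrays.asList(value.split("\\s*,\\s*")).contains("RC4")) {
            value = value + ", RC4";
            Security.setProperty("jdk.tls.disabledAlgorithms", value);
        }
        return value;
    }

    // Per-socket fallback for JDKs where jdk.tls.disabledAlgorithms only covers protocol versions
    // (IBM Java 5.0 and 6, see comment 4): drop RC4 suites via setEnabledCipherSuites().
    static void stripRc4(SSLSocket socket) {
        List<String> kept = new ArrayList<String>();
        for (String suite : socket.getEnabledCipherSuites()) {
            if (!suite.contains("_RC4_")) kept.add(suite);
        }
        socket.setEnabledCipherSuites(kept.toArray(new String[0]));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.disabledAlgorithms = " + disableRc4Globally());
        System.out.println("RC4 suites still enabled by default: " + enabledRc4Suites());
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(); // unconnected socket
        stripRc4(s);
        System.out.println("Suites left on socket: " + Arrays.toString(s.getEnabledCipherSuites()));
    }
}
```

On a JDK that honours jdk.tls.disabledAlgorithms for cipher suites, the second line of output is an empty list; on IBM Java 5.0 and 6 it is not, and only the per-socket filter takes effect.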
RFC 7465 was published, which prohibits the use of RC4 cipher suites in TLS/SSL because of various known weaknesses of RC4: https://tools.ietf.org/html/rfc7465
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2015:1230 https://rhn.redhat.com/errata/RHSA-2015-1230.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2015:1229 https://rhn.redhat.com/errata/RHSA-2015-1229.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2015:1228 https://rhn.redhat.com/errata/RHSA-2015-1228.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2015:1243 https://rhn.redhat.com/errata/RHSA-2015-1243.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 5 Via RHSA-2015:1242 https://rhn.redhat.com/errata/RHSA-2015-1242.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2015:1241 https://rhn.redhat.com/errata/RHSA-2015-1241.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2015:1526 https://rhn.redhat.com/errata/RHSA-2015-1526.html
(In reply to Tomas Hoger from comment #11) > OpenJDK updates released for the July 2015 CPU also implement these changes. These are the related OpenJDK 8 upstream commits which disable RC4 by default and add it to jdk.tls.legacyAlgorithms: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/9890d5500183 http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/cc75137936f9
Updated java-1.8.0-openjdk packages released via RHEA-2015:1796 (for Red Hat Enterprise Linux 7) and RHSA-2015:1919 (for Red Hat Enterprise Linux 6), as well as updated java-1.8.0-oracle packages released via RHSA-2015:1926, now include RC4 in the list of disabled algorithms defined via the jdk.tls.disabledAlgorithms security property. If RC4 needs to be used with those JDKs, RC4 needs to be both removed from jdk.tls.disabledAlgorithms and the ciphers using it explicitly enabled using setEnabledCipherSuites(). Refer to comment 4 above for further details.
Satellite 6.x uses Qpid for internal communications. The Qpid server currently supports RC4, making it potentially vulnerable to Bar Mitzvah (CVE-2015-2808). Please note that actual exploitation of the Bar Mitzvah attack requires that the attacker be able to monitor the SSL session. As Qpid is used locally, this would require the attacker to have administrative access on the server in order to sniff the traffic, which greatly constrains exploitation of this vulnerability. Red Hat may address this issue in a future update of Qpid in Satellite 6.x.
Oracle JDK 7u101 and 6u115 add a new system property that can be used to re-enable RC4 cipher suites. Quoting from the Oracle JDK release notes:
New system property to control re-enabling of RC4-based ciphersuites in 7u101, 6u115 releases
Setting -Djdk.tls.enableRC4CipherSuites=true adds the following RC4 based ciphersuites back to the default enabled JSSE ciphersuite list:
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
This system property will only have impact from the JDK 7u101 and JDK 6u115 releases. By default, RC4-based ciphersuites are not in the default enabled list. They were removed in the JDK 6u101 and JDK 7u85 releases. See JDK-8141050.
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_101
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_115
https://bugs.openjdk.java.net/browse/JDK-8141050