CVE-2015-2613
First published: Mon Jul 13 2015(Updated: )
It was discovered that the Elliptic Curve (EC) cryptography code as used in Mozilla NSS (Network Security Services) library and OpenJDK JCE (Java Cryptography Extension) component failed to properly validate EC parameters as used in ECDH_Derive() function, which performs ECDH (Elliptic Curve Diffie-Hellman) key derivation. A remote attacker could use this flaw to disclose sensitive information. The OpenJDK packages as shipped with Red Hat Enterprise Linux 5, 6 and 7 do not build the affected EC code and are therefore not directly affected. Future versions may provide EC support via NSS, see e.g. <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - ECC decode refactoring needed to build OpenJDK SunEC provider for ECC support" href="show_bug.cgi?id=1075702">bug 1075702</a>.
Credit: secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK | =1.7.0-update75 | |
| Oracle JDK | =1.7.0-update80 | |
| Oracle JDK | =1.8.0-update_33 | |
| Oracle JDK | =1.8.0-update45 | |
| Oracle JRE | =1.7.0-update_75 | |
| Oracle JRE | =1.7.0-update_80 | |
| Oracle JRE | =1.8.0-update_33 | |
| Oracle JRE | =1.8.0-update_45 | |
| debian/openjdk-8 | 8u432-b06-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1075702
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1051378&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1051378&action=edit
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
- https://bugzilla.mozilla.org/show_bug.cgi?id=380351
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/dcc75a75d3a3
- https://rhn.redhat.com/errata/RHSA-2015-1242.html
- https://rhn.redhat.com/errata/RHSA-2015-1241.html
- https://rhn.redhat.com/errata/RHSA-2015-1485.html
- https://rhn.redhat.com/errata/RHSA-2015-1488.html
- https://hg.mozilla.org/projects/nss/rev/a3a37589ba7d
- https://bugzilla.redhat.com/show_bug.cgi?id=1242456
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html
- http://rhn.redhat.com/errata/RHSA-2015-1241.html
- http://rhn.redhat.com/errata/RHSA-2015-1242.html
- http://rhn.redhat.com/errata/RHSA-2015-1485.html
- http://rhn.redhat.com/errata/RHSA-2015-1488.html
- http://www.debian.org/security/2015/dsa-3316
- http://www.debian.org/security/2015/dsa-3339
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/75871
- http://www.securitytracker.com/id/1032910
- http://www.ubuntu.com/usn/USN-2696-1
- http://www.ubuntu.com/usn/USN-2706-1
- https://kc.mcafee.com/corporate/index?page=content&id=SB10139
- https://security.gentoo.org/glsa/201603-11
- https://security.gentoo.org/glsa/201603-14
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727
- https://kc.mcafee.com/corporate/index?page=content&id=SB10139
- https://launchpad.net/bugs/cve/CVE-2015-2613
- https://security-tracker.debian.org/tracker/CVE-2015-2613
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2613
- https://nvd.nist.gov/vuln/detail/CVE-2015-2613
- https://ubuntu.com/security/CVE-2015-2613
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2015-2613.
What software versions are affected?
Oracle Java SE 7u80 and 8u45, and Java SE Embedded 7u75 and 8u33 are affected.
How can a remote attacker exploit this vulnerability?
A remote attacker can exploit this vulnerability to affect confidentiality via vectors related to JCE.
What is the severity level of CVE-2015-2613?
The severity level of CVE-2015-2613 is medium.
Are there any recommended fixes for this vulnerability?
Yes, there are recommended fixes available for this vulnerability. Please refer to the provided references for more information.
- collector/redhat-bugzilla
- alias/CVE-2015-2613
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/description
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.7.0-update75
- version/oracle jdk/1.7.0-update80
- version/oracle jdk/1.8.0-update_33
- version/oracle jdk/1.8.0-update45
- canonical/oracle jre
- version/oracle jre/1.7.0-update_75
- version/oracle jre/1.7.0-update_80
- version/oracle jre/1.8.0-update_33
- version/oracle jre/1.8.0-update_45
- package-manager/debian