Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2015-4000

Published: 20 May 2015

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

Notes

AuthorNote
mdeslaur
USN-2624-1 disables export ciphers completely in openssl
USN-2625-1 disables export ciphers in apache2 in precise
seth-arnold
USN-2639-1 disables <768 bit dh parameters in openssl
mdeslaur
USN-2672-1 disables <768 bit dh parameters in nss
sbeattie
USN-2696-1 disables <768 bit dh parameters in openjdk-7
mdeslaur
gnutls isn't vulnerable to this issue and rejects small dh
keys by default. On precise and trusty, the gnutls-cli tool
unfortunately sets the minimum dh size to 512 using
gnutls_dh_set_prime_bits(), so that must be disabled to test
using the command line tool.

Priority

Medium

Cvss 3 Severity Score

3.7

Score breakdown

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
artful Not vulnerable

bionic Not vulnerable

cosmic Not vulnerable

disco Not vulnerable

precise
Released (2.2.22-1ubuntu1.9)
trusty Not vulnerable
(2.4.7-1ubuntu4.4)
upstream Needs triage

utopic Not vulnerable

vivid Not vulnerable

wily Not vulnerable

xenial Not vulnerable

yakkety Not vulnerable

zesty Not vulnerable

firefox
Launchpad, Ubuntu, Debian
artful
Released (39.0+build5-0ubuntu1)
bionic
Released (39.0+build5-0ubuntu1)
cosmic
Released (39.0+build5-0ubuntu1)
disco
Released (39.0+build5-0ubuntu1)
upstream
Released (39.0)
utopic
Released (39.0+build5-0ubuntu0.14.10.1)
vivid
Released (39.0+build5-0ubuntu0.15.04.1)
wily
Released (39.0+build5-0ubuntu1)
xenial
Released (39.0+build5-0ubuntu1)
yakkety
Released (39.0+build5-0ubuntu1)
zesty
Released (39.0+build5-0ubuntu1)
precise
Released (39.0+build5-0ubuntu0.12.04.2)
trusty
Released (39.0+build5-0ubuntu0.14.04.1)
gnutls26
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

precise Not vulnerable

trusty Not vulnerable

upstream Needs triage

utopic Not vulnerable

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

gnutls28
Launchpad, Ubuntu, Debian
artful Not vulnerable

bionic Not vulnerable

cosmic Not vulnerable

disco Not vulnerable

trusty Does not exist
(trusty was not-affected)
upstream Needs triage

utopic Not vulnerable

vivid Not vulnerable

wily Not vulnerable

xenial Not vulnerable

yakkety Not vulnerable

zesty Not vulnerable

precise Not vulnerable

nss
Launchpad, Ubuntu, Debian
artful
Released (2:3.19.2-1ubuntu1)
bionic
Released (2:3.19.2-1ubuntu1)
cosmic
Released (2:3.19.2-1ubuntu1)
disco
Released (2:3.19.2-1ubuntu1)
precise
Released (3.19.2-0ubuntu0.12.04.1)
trusty
Released (2:3.19.2-0ubuntu0.14.04.1)
upstream Needs triage

utopic
Released (2:3.19.2-0ubuntu0.14.10.1)
vivid
Released (2:3.19.2-0ubuntu15.04.1)
wily
Released (2:3.19.2-1ubuntu1)
xenial
Released (2:3.19.2-1ubuntu1)
yakkety
Released (2:3.19.2-1ubuntu1)
zesty
Released (2:3.19.2-1ubuntu1)
openjdk-6
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

upstream Needs triage

utopic Ignored
(end of life)
vivid
Released (6b36-1.13.8-0ubuntu1~15.04.1)
wily Not vulnerable
(6b36-1.13.8-0ubuntu1)
xenial Does not exist

yakkety Does not exist

zesty Does not exist

precise
Released (6b36-1.13.8-0ubuntu1~12.04)
trusty
Released (6b36-1.13.8-0ubuntu1~14.04)
openjdk-7
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

upstream Needs triage

utopic Ignored
(end of life)
vivid
Released (7u79-2.5.6-0ubuntu1.15.04.1)
wily Not vulnerable
(7u79-2.5.6-1)
xenial Does not exist

yakkety Does not exist

zesty Does not exist

precise
Released (7u79-2.5.6-0ubuntu1.12.04.1)
trusty
Released (7u79-2.5.6-0ubuntu1.14.04.1)
openjdk-8
Launchpad, Ubuntu, Debian
artful Not vulnerable
(8u66-b17-1)
bionic Not vulnerable
(8u66-b17-1)
cosmic Not vulnerable
(8u66-b17-1)
disco Not vulnerable
(8u66-b17-1)
precise Does not exist

trusty Does not exist

upstream Needs triage

utopic Ignored
(end of life)
vivid Ignored
(end of life)
wily
Released (8u66-b17-1)
xenial Not vulnerable
(8u66-b17-1)
yakkety Not vulnerable
(8u66-b17-1)
zesty Not vulnerable
(8u66-b17-1)
openssl
Launchpad, Ubuntu, Debian
artful Not vulnerable
(1.0.2a-1ubuntu1)
bionic Not vulnerable
(1.0.2a-1ubuntu1)
cosmic Not vulnerable
(1.0.2a-1ubuntu1)
disco Not vulnerable
(1.0.2a-1ubuntu1)
precise
Released (1.0.1-4ubuntu5.28)
trusty
Released (1.0.1f-1ubuntu2.12)
upstream Needs triage

utopic
Released (1.0.1f-1ubuntu9.5)
vivid
Released (1.0.1f-1ubuntu11.1)
wily Not vulnerable
(1.0.2a-1ubuntu1)
xenial Not vulnerable
(1.0.2a-1ubuntu1)
yakkety Not vulnerable
(1.0.2a-1ubuntu1)
zesty Not vulnerable
(1.0.2a-1ubuntu1)
openssl098
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

trusty Does not exist
(trusty was needed)
upstream Needs triage

utopic Ignored
(end of life)
vivid Ignored
(end of life)
wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

precise Ignored
(end of life)
thunderbird
Launchpad, Ubuntu, Debian
artful
Released (1:31.8.0+build1-0ubuntu1)
bionic
Released (1:31.8.0+build1-0ubuntu1)
cosmic
Released (1:31.8.0+build1-0ubuntu1)
disco
Released (1:31.8.0+build1-0ubuntu1)
precise
Released (1:31.8.0+build1-0ubuntu0.12.04.1)
trusty
Released (1:31.8.0+build1-0ubuntu0.14.04.1)
upstream
Released (31.8)
utopic
Released (1:31.8.0+build1-0ubuntu0.14.10.1)
vivid
Released (1:31.8.0+build1-0ubuntu0.15.04.1)
wily
Released (1:31.8.0+build1-0ubuntu1)
xenial
Released (1:31.8.0+build1-0ubuntu1)
yakkety
Released (1:31.8.0+build1-0ubuntu1)
zesty
Released (1:31.8.0+build1-0ubuntu1)

Severity score breakdown

Parameter Value
Base score 3.7
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N