CVE-2015-4000

LOW

Openssl < 1.0.1m - Cryptographic Issue

Title source: rule

Description

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

Exploits (1)

nomisec WRITEUP 6 stars
by fatlan · poc
https://github.com/fatlan/HAProxy-Keepalived-Sec-HighLoads

References (217)

... and 197 more

Scores

CVSS v3 3.7
EPSS 0.9390
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE
CWE-310
Status draft

Affected Products (40)

openssl/openssl < 1.0.1m
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
hp/hp-ux
ibm/content_manager
oracle/jrockit
debian/debian_linux
debian/debian_linux
oracle/jdk
oracle/jdk
oracle/jdk
oracle/jdk
oracle/jdk
... and 25 more

Timeline

Published May 21, 2015
Tracked Since Feb 18, 2026