CVE-2014-6593
JSSE - SKIP-TLS
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
Vulnerabilidad no especificada en Oracle Java SE 5.0u75, 6u85, 7u72, y 8u25; Java SE Embedded 7u71 y 8u6; y JRockit 27.8.4 y 28.3.4 permite a atacantes remotos afectar la confidencialidad e integridad a través de vectores relacionados con JSSE.
It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled.
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-09-17 CVE Reserved
- 2015-01-21 CVE Published
- 2015-08-12 First Exploit
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-372: Incomplete Internal State Distinction
CAPEC
References (33)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/134251/Java-Secure-Socket-Extension-JSSE-SKIP-TLS.html | X_refsource_misc |
|
| http://www.securityfocus.com/bid/72169 | Vdb Entry | |
| http://www.securitytracker.com/id/1031580 | Vdb Entry | |
| http://www.vmware.com/security/advisories/VMSA-2015-0003.html | X_refsource_confirm | |
| https://kc.mcafee.com/corporate/index?page=content&id=SB10104 | X_refsource_confirm | |
| https://www-304.ibm.com/support/docview.wss?uid=swg21695474 | X_refsource_confirm | |
| https://www.smacktls.com/#skip | ||
| https://www.smacktls.com/smack.pdf |
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/133054 | 2015-08-12 | |
| https://packetstorm.news/files/id/134251 | 2015-11-06 | |
| https://www.exploit-db.com/exploits/38641 | 2024-08-06 |
| URL | Date | SRC |
|---|---|---|
| http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html | 2015-01-20 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Oracle Search vendor "Oracle" | Jrockit Search vendor "Oracle" for product "Jrockit" | r27.8.4 Search vendor "Oracle" for product "Jrockit" and version "r27.8.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jrockit Search vendor "Oracle" for product "Jrockit" | r28.3.4 Search vendor "Oracle" for product "Jrockit" and version "r28.3.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0" | update75 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0" | update85 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0" | update71 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0" | update72 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 1.8.0 Search vendor "Oracle" for product "Jdk" and version "1.8.0" | update25 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 1.8.0 Search vendor "Oracle" for product "Jdk" and version "1.8.0" | update6 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 1.5.0 Search vendor "Oracle" for product "Jre" and version "1.5.0" | update75 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 1.6.0 Search vendor "Oracle" for product "Jre" and version "1.6.0" | update85 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0" | update71 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0" | update72 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 1.8.0 Search vendor "Oracle" for product "Jre" and version "1.8.0" | update25 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 1.8.0 Search vendor "Oracle" for product "Jre" and version "1.8.0" | update6 |
Affected
| ||||||