CVE-2014-6593

JSSE - SKIP-TLS

Severity Score

4.0

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

Vulnerabilidad no especificada en Oracle Java SE 5.0u75, 6u85, 7u72, y 8u25; Java SE Embedded 7u71 y 8u6; y JRockit 27.8.4 y 28.3.4 permite a atacantes remotos afectar la confidencialidad e integridad a través de vectores relacionados con JSSE.

It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled.

*Credits: N/A

CVSS Scores

NISTv2 4.0

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-09-17 CVE Reserved
2015-01-21 CVE Published
2024-02-15 EPSS Updated
2024-08-06 CVE Updated
2024-08-06 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-372: Incomplete Internal State Distinction

CAPEC

References (31)

URL	Tag	Source
http://packetstormsecurity.com/files/134251/Java-Secure-Socket-Extension-JSSE-SKIP-TLS.html	X_refsource_misc
http://www.securityfocus.com/bid/72169	Vdb Entry
http://www.securitytracker.com/id/1031580	Vdb Entry
http://www.vmware.com/security/advisories/VMSA-2015-0003.html	X_refsource_confirm
https://kc.mcafee.com/corporate/index?page=content&id=SB10104	X_refsource_confirm
https://www-304.ibm.com/support/docview.wss?uid=swg21695474	X_refsource_confirm
https://www.smacktls.com/#skip
https://www.smacktls.com/smack.pdf

URL	Date	SRC
https://www.exploit-db.com/exploits/38641	2024-08-06

URL	Date	SRC
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html	2015-01-20

URL	Date	SRC
http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04583581	2022-05-13
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00001.html	2022-05-13
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00024.html	2022-05-13
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00018.html	2022-05-13
http://marc.info/?l=bugtraq&m=142496355704097&w=2	2022-05-13
http://marc.info/?l=bugtraq&m=142607790919348&w=2	2022-05-13
http://rhn.redhat.com/errata/RHSA-2015-0068.html	2022-05-13
http://rhn.redhat.com/errata/RHSA-2015-0079.html	2022-05-13
http://rhn.redhat.com/errata/RHSA-2015-0080.html	2022-05-13
http://rhn.redhat.com/errata/RHSA-2015-0085.html	2022-05-13
http://rhn.redhat.com/errata/RHSA-2015-0086.html	2022-05-13
http://rhn.redhat.com/errata/RHSA-2015-0136.html	2022-05-13
http://rhn.redhat.com/errata/RHSA-2015-0264.html	2022-05-13
http://www.debian.org/security/2015/dsa-3144	2022-05-13
http://www.debian.org/security/2015/dsa-3147	2022-05-13
http://www.ubuntu.com/usn/USN-2486-1	2022-05-13
http://www.ubuntu.com/usn/USN-2487-1	2022-05-13
https://security.gentoo.org/glsa/201507-14	2022-05-13
https://security.gentoo.org/glsa/201603-14	2022-05-13
https://access.redhat.com/security/cve/CVE-2014-6593	2015-02-24
https://bugzilla.redhat.com/show_bug.cgi?id=1183049	2015-02-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oracle Search vendor "Oracle"		Jrockit Search vendor "Oracle" for product "Jrockit"				r27.8.4 Search vendor "Oracle" for product "Jrockit" and version "r27.8.4"		-		Affected
Oracle Search vendor "Oracle"		Jrockit Search vendor "Oracle" for product "Jrockit"				r28.3.4 Search vendor "Oracle" for product "Jrockit" and version "r28.3.4"		-		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update75		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update85		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		update71		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		update72		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.8.0 Search vendor "Oracle" for product "Jdk" and version "1.8.0"		update25		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.8.0 Search vendor "Oracle" for product "Jdk" and version "1.8.0"		update6		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.5.0 Search vendor "Oracle" for product "Jre" and version "1.5.0"		update75		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.6.0 Search vendor "Oracle" for product "Jre" and version "1.6.0"		update85		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		update71		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		update72		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.8.0 Search vendor "Oracle" for product "Jre" and version "1.8.0"		update25		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.8.0 Search vendor "Oracle" for product "Jre" and version "1.8.0"		update6		Affected