VPR Score: 6.5
Synopsis
A programming platform installed on the remote Windows host is affected by multiple vulnerabilities.
Description
The version of Oracle JRockit installed on the remote Windows host is R28 prior to R28.3.7. It is, therefore, affected by multiple vulnerabilities:
- An unspecified flaw exists in the JCE component that allows a remote attacker to gain access to sensitive information. (CVE-2015-2601)
- An unspecified flaw exists in the JSSE component when handling the SSL/TLS protocol. A remote attacker can exploit this to gain access to sensitive information.
- A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808)
- A man-in-the-middle vulnerability, known as Logjam, exists due to a flaw in the SSL/TLS protocol. A remote attacker can exploit this flaw to downgrade connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. (CVE-2015-4000)
- An unspecified flaw exists in the Security component when handling the Online Certificate Status Protocol (OCSP). A remote attacker can exploit this to execute arbitrary code. (CVE-2015-4748)
- An unspecified flaw exists in the JNDI component that allows a remote attacker to cause a denial of service.
Solution
Upgrade to Oracle JRockit version R28.3.7 or later as referenced in the July 2015 Oracle Critical Patch Update advisory.
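The affected-version condition above ("R28 prior to R28.3.7") is easy to get wrong with a plain string comparison, because "R28.3.10" sorts before "R28.3.7" lexicographically. The following is an added example, not Tenable's plugin code, that parses JRockit release strings component by component and flags hosts in an inventory; the "R28.2.9-17-..." suffix form and the host names are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed release named in the advisory text above.
FIXED_VERSION = "R28.3.7"


def parse_jrockit_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'R28.3.7' (or 'R28.2.9-17-167777', build suffix assumed) into
    (28, 3, 7). Missing minor/patch components default to 0. Returns None
    for anything that is not an R-prefixed JRockit release string."""
    m = re.fullmatch(r"R(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-_].*)?", version.strip())
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the release is in the R28 line and older than R28.3.7.
    Tuples compare numerically per component, so R28.3.10 is correctly
    treated as newer than R28.3.7. Other release lines (e.g. R27) are not
    covered by this advisory and are reported as not affected here."""
    parsed = parse_jrockit_version(version)
    if parsed is None:
        return False  # unrecognised format: make no claim (policy chosen for this example)
    fixed = parse_jrockit_version(FIXED_VERSION)
    return parsed[0] == fixed[0] and parsed < fixed


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Given host -> installed JRockit version, list the hosts still
    needing the R28.3.7 upgrade, sorted for stable reporting."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory for demonstration only.
SAMPLE_INVENTORY = {
    "app01": "R28.3.6",
    "app02": "R28.3.7",
    "app03": "R28.3.10",          # newer than the fix; string compare would misreport it
    "app04": "R28.2.9-17-167777",  # build suffix form (assumed)
    "app05": "R27.6.5",            # different release line
    "app06": "1.6.0_45",           # a HotSpot-style string, not JRockit
}

if __name__ == "__main__":
    print("Needs upgrade to R28.3.7:", affected_hosts(SAMPLE_INVENTORY))
```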