Information disclosure in Oracle products - CVE-2015-2808
Published: July 5, 2016 / Updated: November 22, 2018
Vulnerability identifier: #VU90
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2015-2808
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Hewlett Packard Enterprise Development LP
Oracle
Affected software:
HPE Service Manager
Oracle Communications Policy Management
SPARC Enterprise M3000
SPARC Enterprise M4000
SPARC Enterprise M5000
SPARC Enterprise M8000
SPARC Enterprise M9000
Detailed vulnerability description
The vulnerability allows a remote attacker to obtain potentially sensitive information communicated by the target system.
The vulnerability exists due to an access control error. A remote unauthenticated attacker who monitors TLS network traffic can collect RC4-encrypted data and conduct a brute-force key guessing attack against it.
Successful exploitation of this vulnerability may result in disclosure of system information.
How to mitigate CVE-2015-2808
Update versions 9.30, 9.31, 9.32, 9.33 and 9.34 as described in the vendor advisory at: http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05193347