CVE-2015-3197

Severity: 5.9 MEDIUM
EPSS: 21.9% (top 4.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 15; Latest update May 17

Description

ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (7 packages)

Debian: openssl < 1.0.0c-2 (+3)
NVD: openssl/openssl, 24 versions (+23)
NVD: oracle/tuxedo 12.1.1.0
NVD: oracle/oss_support_tools 8.11.16.3.8

Patches

Vulnerability Details (3)

GHSA: GHSA-7cfp-xp7x-9xqq: ssl/s2_srvr (2022-05-17)
CVEList: CVE-2015-3197: ssl/s2_srvr (2016-02-15)
OSV: CVE-2015-3197: ssl/s2_srvr (2016-02-15)

Vendor Advisories (4)

BSD: FreeBSD-SA-16:11.openssl: OpenSSL SSLv2 ciphersuite downgrade vulnerability (2016-01-30)
Cisco: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products (2016-01-29)
Red Hat: OpenSSL: SSLv2 doesn't block disabled ciphers (2016-01-28)
Debian: CVE-2015-3197: openssl - ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not pr... (2015)

Community (5)

HackerOne: SSLv2 doesn't block disabled ciphers (CVE-2015-3197) (2016-09-21)
Bugzilla: CVE-2015-3197 openssl101e: OpenSSL: SSLv2 doesn't block disabled ciphers [epel-5] (2016-01-28)
Bugzilla: CVE-2015-3197 mingw-openssl: OpenSSL: SSLv2 doesn't block disabled ciphers [fedora-all] (2016-01-28)
Bugzilla: CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers [fedora-all] (2016-01-28)
Bugzilla: CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers (2016-01-26)