Description

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.

PUBLISHED Reserved 2015-03-31 | Published 2015-04-01 | Updated 2026-05-28 | Assigner mitre

References

marc.info/?l=bugtraq&m=143818140118771&w=2 (SSRT102127) vendor-advisory

rhn.redhat.com/errata/RHSA-2015-1243.html (RHSA-2015:1243) vendor-advisory

rhn.redhat.com/errata/RHSA-2015-1007.html (RHSA-2015:1007) vendor-advisory

marc.info/?l=bugtraq&m=143817899717054&w=2 (HPSBGN03367) vendor-advisory

marc.info/?l=bugtraq&m=144493176821532&w=2 (HPSBUX03512) vendor-advisory

www.oracle.com/...rk/topics/security/cpujul2015-2367936.html

rhn.redhat.com/errata/RHSA-2015-1006.html (RHSA-2015:1006) vendor-advisory

h20564.www2.hpe.com/.../kb/docDisplay?docId=emr_na-c04773256

kb.juniper.net/JSA10783

www.securitytracker.com/id/1033737 (1033737) vdb-entry

lists.opensuse.org/...ecurity-announce/2015-12/msg00004.html (SUSE-SU-2015:2192) vendor-advisory

marc.info/?l=bugtraq&m=144060576831314&w=2 (HPSBGN03399) vendor-advisory

www.oracle.com/.../security-advisory/cpujan2018-3236628.html

www.securitytracker.com/id/1036222 (1036222) vdb-entry

h20564.www2.hpe.com/...public/display?docId=emr_na-c04779034

marc.info/?l=bugtraq&m=143817899717054&w=2 (SSRT102129) vendor-advisory

www-304.ibm.com/support/docview.wss?uid=swg21960769

security.gentoo.org/glsa/201512-10 (GLSA-201512-10) vendor-advisory

rhn.redhat.com/errata/RHSA-2015-1229.html (RHSA-2015:1229) vendor-advisory

h20566.www2.hpe.com/...public/display?docId=emr_na-c04708650

www.securitytracker.com/id/1032600 (1032600) vdb-entry

www.securitytracker.com/id/1032910 (1032910) vdb-entry

www.ubuntu.com/usn/USN-2706-1 (USN-2706-1) vendor-advisory

rhn.redhat.com/errata/RHSA-2015-1526.html (RHSA-2015:1526) vendor-advisory

marc.info/?l=bugtraq&m=143817021313142&w=2 (SSRT102133) vendor-advisory

www.oracle.com/.../security-advisory/cpujul2016-2881720.html

www.securitytracker.com/id/1032599 (1032599) vdb-entry

marc.info/?l=bugtraq&m=144104533800819&w=2 (HPSBMU03401) vendor-advisory

www-304.ibm.com/support/docview.wss?uid=swg21903565

h20564.www2.hpe.com/.../kb/docDisplay?docId=emr_na-c04772190

h20566.www2.hpe.com/...public/display?docId=emr_na-c04711380

kc.mcafee.com/corporate/index?page=content&id=SB10163

marc.info/?l=bugtraq&m=144043644216842&w=2 (HPSBMU03345) vendor-advisory

www.securitytracker.com/id/1032734 (1032734) vdb-entry

www-01.ibm.com/support/docview.wss?uid=swg1IV71892 (IV71892) vendor-advisory

h20566.www2.hpe.com/.../kb/docDisplay?docId=emr_na-c05193347

www.securitytracker.com/id/1033769 (1033769) vdb-entry

www.securitytracker.com/id/1032707 (1032707) vdb-entry

lists.opensuse.org/...ecurity-announce/2015-07/msg00040.html (openSUSE-SU-2015:1289) vendor-advisory

marc.info/?l=bugtraq&m=143817021313142&w=2 (HPSBGN03372) vendor-advisory

rhn.redhat.com/errata/RHSA-2015-1091.html (RHSA-2015:1091) vendor-advisory

marc.info/?l=bugtraq&m=144069189622016&w=2 (HPSBGN03402) vendor-advisory

www-01.ibm.com/support/docview.wss?uid=swg1IV71888 (IV71888) vendor-advisory

rhn.redhat.com/errata/RHSA-2015-1228.html (RHSA-2015:1228) vendor-advisory

marc.info/?l=bugtraq&m=144060606031437&w=2 (HPSBGN03405) vendor-advisory

www.securitytracker.com/id/1032708 (1032708) vdb-entry

www.huawei.com/en/psirt/security-advisories/hw-454055

www.debian.org/security/2015/dsa-3316 (DSA-3316) vendor-advisory

lists.opensuse.org/...ecurity-announce/2015-12/msg00000.html (SUSE-SU-2015:2166) vendor-advisory

www.oracle.com/.../security-advisory/cpuoct2017-3236626.html

www.securitytracker.com/id/1033415 (1033415) vdb-entry

h20564.www2.hpe.com/.../kb/docDisplay?docId=emr_na-c04832246

marc.info/?l=bugtraq&m=143818140118771&w=2 (HPSBGN03366) vendor-advisory

www-947.ibm.com/...ry/portal/docdisplay?lndocid=MIGR-5098709

marc.info/?l=bugtraq&m=144104565600964&w=2 (HPSBGN03403) vendor-advisory

marc.info/?l=bugtraq&m=144493176821532&w=2 (SSRT102254) vendor-advisory

www-01.ibm.com/support/docview.wss?uid=swg21883640

marc.info/?l=bugtraq&m=144102017024820&w=2 (HPSBGN03407) vendor-advisory

www.securitytracker.com/id/1033432 (1033432) vdb-entry

marc.info/?l=bugtraq&m=143629696317098&w=2 (HPSBGN03354) vendor-advisory

lists.opensuse.org/...ecurity-announce/2015-06/msg00022.html (SUSE-SU-2015:1138) vendor-advisory

www.securitytracker.com/id/1032858 (1032858) vdb-entry

h20564.www2.hp.com/...c/kb/docDisplay?docId=emr_na-c04687922 (SSRT102073) vendor-advisory

www.securitytracker.com/id/1032788 (1032788) vdb-entry

www.ubuntu.com/usn/USN-2696-1 (USN-2696-1) vendor-advisory

www.blackhat.com/...SSL-With-13-Year-Old-RC4-Weakness-wp.pdf

www.debian.org/security/2015/dsa-3339 (DSA-3339) vendor-advisory

rhn.redhat.com/errata/RHSA-2015-1020.html (RHSA-2015:1020) vendor-advisory

rhn.redhat.com/errata/RHSA-2015-1242.html (RHSA-2015:1242) vendor-advisory

kb.juniper.net/InfoCenter/index?page=content&id=JSA10727

h20564.www2.hpe.com/.../kb/docDisplay?docId=emr_na-c04773241

lists.opensuse.org/...ecurity-announce/2015-06/msg00015.html (SUSE-SU-2015:1086) vendor-advisory

www.securitytracker.com/id/1033431 (1033431) vdb-entry

www1.huawei.com/...lletins/security-advisories/hw-454055.htm

h20566.www2.hpe.com/.../kb/docDisplay?docId=emr_na-c05085988

www.securitytracker.com/id/1032868 (1032868) vdb-entry

marc.info/?l=bugtraq&m=144059703728085&w=2 (HPSBGN03415) vendor-advisory

www.oracle.com/...ecurity-advisory/cpuapr2016v3-2985753.html

www.securityfocus.com/bid/91787 (91787) vdb-entry

lists.opensuse.org/...ecurity-announce/2015-07/msg00046.html (SUSE-SU-2015:1319) vendor-advisory

lists.opensuse.org/...ecurity-announce/2015-07/msg00047.html (SUSE-SU-2015:1320) vendor-advisory

lists.opensuse.org/...ecurity-announce/2015-07/msg00039.html (openSUSE-SU-2015:1288) vendor-advisory

rhn.redhat.com/errata/RHSA-2015-1241.html (RHSA-2015:1241) vendor-advisory

h20564.www2.hpe.com/.../kb/docDisplay?docId=emr_na-c04770140

kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

rhn.redhat.com/errata/RHSA-2015-1230.html (RHSA-2015:1230) vendor-advisory

h20566.www2.hpe.com/.../kb/docDisplay?docId=emr_na-c05336888

marc.info/?l=bugtraq&m=143456209711959&w=2 (HPSBGN03338) vendor-advisory

www.securitytracker.com/id/1033386 (1033386) vdb-entry

marc.info/?l=bugtraq&m=143741441012338&w=2 (HPSBMU03377) vendor-advisory

www.securitytracker.com/id/1033072 (1033072) vdb-entry

marc.info/?l=bugtraq&m=143741441012338&w=2 (SSRT102150) vendor-advisory

h20564.www2.hpe.com/.../kb/docDisplay?docId=emr_na-c04926789

lists.opensuse.org/...ecurity-announce/2015-06/msg00014.html (SUSE-SU-2015:1085) vendor-advisory

h20564.www2.hpe.com/.../kb/docDisplay?docId=emr_na-c04773119

rhn.redhat.com/errata/RHSA-2015-1021.html (RHSA-2015:1021) vendor-advisory

www-304.ibm.com/support/docview.wss?uid=swg21960015

lists.opensuse.org/...ecurity-announce/2015-06/msg00013.html (SUSE-SU-2015:1073) vendor-advisory

h20566.www2.hpe.com/.../kb/docDisplay?docId=emr_na-c05289935

lists.opensuse.org/...ecurity-announce/2015-06/msg00031.html (SUSE-SU-2015:1161) vendor-advisory

marc.info/?l=bugtraq&m=144059660127919&w=2 (HPSBGN03414) vendor-advisory

www.securityfocus.com/bid/73684 (73684) vdb-entry

www.securitytracker.com/id/1032990 (1032990) vdb-entry

www.securitytracker.com/id/1033071 (1033071) vdb-entry

lists.opensuse.org/...ecurity-announce/2016-01/msg00005.html (SUSE-SU-2016:0113) vendor-advisory

www.secpod.com/...cve-2015-2808-bar-mitzvah-attack-in-rc4-2/

cve.org (CVE-2015-2808)

nvd.nist.gov (CVE-2015-2808)
