Attacker Value

Moderate

Oracle Java JRE AES Intrinsics Remote Denial of Service

Attacker Value

Moderate

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

Oracle Java JRE AES Intrinsics Remote Denial of Service

Disclosure Date: July 16, 2015 •

CVE-2015-2659

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Unspecified vulnerability in Oracle Java SE 8u45 and Java SE Embedded 8u33 allows remote attackers to affect availability via unknown vectors related to Security.

Add Assessment

jcran (12)

November 14, 2019 9:43pm UTC (5 years ago)•Edited 4 years ago

Ratings

Attacker Value

Medium

Exploitability

Very High

Technical Analysis

Causes a hard crash for the web application server (for example, Tomcat) which directly handles web requests by simply posting 4097 characters to an affected server using the AES GCM cipher (where that server has the requisite CPU extensions enabled, which is most modern processors). Super easy to exploit; can just use curl.

See the blog post I wrote about it:
https://blog.rapid7.com/2015/07/16/r7-2015-09-oracle-java-jre-aes-intrinsics-remote-denial-of-service-cve-2015-2659/

See More &1 replySee Less

busterb (317) November 14, 2019 10:19pm UTC (5 years ago)•Edited 5 years ago

I wonder what the exposure of this version is 4 years later. Probably fairly low for an opportunistic public attack at least: https://w3techs.com/technologies/details/ws-tomcat/all/all

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

oracle

Products

jdk 1.8.0,
jre 1.8.0

References

Canonical

CVE-2015-2659 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2659)

BID-75877 (http://www.securityfocus.com/bid/75877)

Advisory

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

SECTRACK-1032910 (http://www.securitytracker.com/id/1032910)

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html

http://rhn.redhat.com/errata/RHSA-2015-1228.html

GLSA-201603-11 (https://security.gentoo.org/glsa/201603-11)

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727

http://rhn.redhat.com/errata/RHSA-2015-1241.html

Rapid7

Moderate