IBM05EA0613CCDE54EFA5261A92BB8AD85AC9483C1FF44BBFC007A754DD1DA033F1Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) and Rational Directory Administrator (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-7575, CVE-2015-4872)
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
Summary
There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 6 and Version 7 that are used by IBM Rational Directory Server (Tivoli) and IBM Rational Directory Administrator. New iFixes do not include the JRE. Install new iFixes and updated JRE to resolve these issues.
Vulnerability Details
Rational Directory Server is affected by the following vulnerabilities:
CVEID: CVE-2015-2613**
DESCRIPTION**: An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information.**
CVSS Base Score**: 5**
CVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104734> for the current score CVSS Environmental Score:* Undefined**
CVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N) **
CVEID**: CVE-2015-2601**
DESCRIPTION**: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.**
CVSS Base Score**: 5**
CVSS Temporal Score**: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>_ for the current score CVSS Environmental Score:* Undefined**
CVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N) **
CVEID**: CVE-2015-2625**
DESCRIPTION**: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.**
CVSS Base Score**: 2.6**
CVSS Temporal Score**: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104743 for the current score CVSS Environmental Score:* Undefined**
CVSS Vector**: (AV:N/AC:H/Au:N/C:P/I:N/A:N) **
CVEID**: CVE-2015-1931**
DESCRIPTION**: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.**
CVSS Base Score**: 2.1**
CVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score CVSS Environmental Score:* Undefined**
CVSS Vector**: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-7575**
DESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
CVEID: CVE-2015-4872**
DESCRIPTION**: An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.**
CVSS Base Score**: 5**
CVSS Temporal Score**: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/_107361 for the current score CVSS Environmental Score:* Undefined**
CVSS Vector**: (AV:N/AC:L/Au:N/C:N/I;P/A:N)
Affected Products and Versions
Rational Directory Server (Tivoli) v5.2.0.2 iFix 3 and earlier
Rational Directory Server (Tivoli) v5.2.1 iFix 8 and earlier
Rational Directory Administrator v6.0.0.2 iFix 3 and earlier
Remediation/Fixes
Upgrade to Rational Directory Server (Tivoli) v5.2.1 iFix 9 or v5.2.0.2 iFix 5, and Rational Directory Administrator v6.0.0.2 iFix 4, which do not include Java. Before installing the new iFixes, install the Java Runtime Environment version 6.0.16.21 or 7.0.9.31, or subsequent versions.
To obtain the updated version of the IBM JRE, contact IBM Support. Support can help identify the latest JRE that is compatible with your operating system and platform. Publicly available versions of the Oracle JRE are also supported with Rational Directory Server.
For versions for Rational Directory Server that are earlier than version 5.2.0.2, and Rational Directory Administrator 6.0.0.2, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
| CPE | Name | Operator | Version |
|---|---|---|---|
| rational directory server | eq | 5.2.0.2 | |
| rational directory server | eq | 5.2.1 |
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N