## Summary
IBM Business Process Manager is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise.
## Vulnerability Details
Review the following security bulletins for IBM Business Process Manager for vulnerability details and information about fixes. Apply the fix that matches the IBM Business Process Manager level bundled with your IBM Cloud Orchestrator or IBM SmartCloud Orchestrator release (see Affected Products and Versions below); several bulletins cover the same CVE through different shipped components (WebSphere Application Server, IBM Java SDK, Apache Commons), so check patch status per component rather than per CVE.
* [Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server, WebSphere Dynamic Process Edition, and WebSphere Lombardi Edition](<http://www-01.ibm.com/support/docview.wss?uid=swg21986205>)
* [IBM Security Bulletin: Cross Site Scripting vulnerability in IBM Business Process Manager (CVE-2016-5901)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990852>)
* [IBM Security Bulletin: HTML injection vulnerability in Business Space might affect IBM Business Process Manager (CVE-2016-3056)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990850>)
* [IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor (CVE-2014-9748, CVE-2016-1669)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990841>)
* [IBM Security Bulletin: Security vulnerabilities in Apache Struts might affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-1181, CVE-2016-1182, CVE-2015-0899)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990834>)
* [Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2015-0254)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985316>)
* [Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982559>)
* [Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2016-0306)](<http://www-01.ibm.com/support/docview.wss?uid=swg21981008>)
* [Security Bulletin: Multiple security vulnerabilities in Business Space affect IBM Business Process Manager and WebSphere Process Server (CVE-2015-7407, CVE-2015-7400, CVE-2015-7454)](<http://www-01.ibm.com/support/docview.wss?uid=swg21972005>)
* [Security Bulletin: Cross-Site scripting vulnerability in IBM Business Process Manager document list control (CVE-2016-0227)](<http://www-01.ibm.com/support/docview.wss?uid=swg21978058>)
* [Security Bulletin: Multiple Cross-Site scripting vulnerabilities in IBM Business Process Manager Process Portal (CVE-2015-8524)](<http://www-01.ibm.com/support/docview.wss?uid=swg21974472>)
* [Security Bulletin: IBM Business Process Manager authorization checks for process and task deletion are insufficient (CVE-2015-7463)](<http://www-01.ibm.com/support/docview.wss?uid=swg21973442>)
* [Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-0483, CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977021>)
* [Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2015-7417)](<http://www.ibm.com/support/docview.wss?uid=swg21975121&myns=swgws&mynp=OCSSFTDH&mynp=OCSSFTBX&mynp=OCSSFTN5&mynp=OCSSFPRP&mynp=OCSSQH9M&mync=E&cm_sp=swgws-_-OCSSFTDH-OCSSFTBX-OCSSFTN5-OCSSFPRP-OCSSQH9M-_-E>)
* [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Process Designer used in IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872)](<http://www-01.ibm.com/support/docview.wss?uid=swg21972165>)
* [Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2015-8027, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196)](<http://www-01.ibm.com/support/docview.wss?uid=swg21974459>)
* [Security Bulletin: Vulnerability in Apache Commons affects IBM Business Process Manager (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21972046>)
* [Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)](<http://www.ibm.com/support/docview.wss?uid=swg21970332>)
* [Security Bulletin: Multiple Cross-Site scripting vulnerabilities in IBM Business Process Manager dashboards (CVE-2015-4955)](<http://www.ibm.com/support/docview.wss?uid=swg21966010>)
* [Security Bulletin: IBM Business Process Manager (BPM) document store is susceptible to XXE (XML External Entity) attacks (CVE-2013-5452)](<http://www.ibm.com/support/docview.wss?uid=swg21963014>)
* [Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-1932, CVE-2015-4938, CVE-2015-1946)](<http://www.ibm.com/support/docview.wss?uid=swg21965001>)
* [Security Bulletin: Missing authorization concept for document upload and download in IBM Business Process Manager (BPM) CMIS integration (CVE-2015-1904)](<http://www.ibm.com/support/docview.wss?uid=swg21960293>)
* [Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (Java CPU July 2015 - CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931)](<http://www.ibm.com/support/docview.wss?uid=swg21962805>)
* [Security Bulletin: Multiple security vulnerabilities in ElasticSearch might affect Process Federation Server (PFS) in IBM Business Process Manager (BPM) - CVE-2015-5531, CVE-2015-5377](<http://www.ibm.com/support/docview.wss?uid=swg21964010>)
* [Security Bulletin: Cross-site scripting vulnerabilities in IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (WLE) error handling (CVE-2015-0193)](<http://www.ibm.com/support/docview.wss?uid=swg21697944>)
* [Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)](<http://www.ibm.com/support/docview.wss?uid=swg21699938>)
* [Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-1885, CVE-2015-1946, CVE-2015-1927)](<http://www.ibm.com/support/docview.wss?uid=swg21699938>)
* [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Business Process Manager (BPM), WebSphere Process Server (WPS), and WebSphere Lombardi Edition (WLE): CVE-2015-1920](<http://www.ibm.com/support/docview.wss?uid=swg21903346>)
* [Security Bulletin: Multiple vulnerabilities in IBM SDK Java™ Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition April 2015 CPU (CVE-2015-0488, CVE-2015-0478, CVE-2015-1916)](<http://www.ibm.com/support/docview.wss?uid=swg21959306>)
* [Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect WebSphere Lombardi Edition and IBM Business Process Manager (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21959097>)
* [Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Lombardi Edition and IBM Business Process Manager (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21882624>)
* [Security Bulletin: Multiple vulnerabilities in IBM SDK Java™ Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-0138 CVE-2014-6593 CVE-2015-0400 CVE-2015-0410)](<http://www.ibm.com/support/docview.wss?uid=swg21699935>)
* [Security Bulletin: Multiple vulnerabilities in IBM SDK for Java Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2014-6512, CVE-2014-6457, CVE-2014-6558, CVE-2014-3566)](<http://www.ibm.com/support/docview.wss?uid=swg21692787>)
* [Security Bulletin: Vulnerability in SSLv3 affects IBM Business Process Manager (CVE-2014-3566)](<http://www.ibm.com/support/docview.wss?uid=swg21689466>)
* [Security Bulletin: TLS padding vulnerability affects IBM HTTP Server shipped with IBM Business Process Manager family products (CVE-2014-8730)](<http://www.ibm.com/support/docview.wss?uid=swg21692582>)
* Security Bulletin: Cross-Site Scripting vulnerabilities in Dojo affect IBM Business Process Manager (BPM), WebSphere Lombardi Edition (WLE), and WebSphere Process Server (WPS) - CVE-2014-8917
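The bulletin list above names the same CVE in more than one bulletin (for example CVE-2015-7450 under both Apache Commons and WebSphere Application Server, and CVE-2014-3566 under both the SSLv3 bulletin and the Java SDK bulletin), and at least one bulletin ("Java CPU April 2016") names no CVE in its title at all. The following is an added example, not IBM's code or part of the bulletin, that builds a CVE-to-bulletin index from titles copied from this list so that a tracker can see which CVEs must be verified against several shipped components and which bulletins a CVE-keyed tracker would miss. The sample titles are a constructed subset of the list above.

```python
import re
from collections import defaultdict

# CVE identifiers: year, then four or more digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: a subset of the bulletin titles listed on this page.
BULLETIN_TITLES = [
    "Security Bulletin: Vulnerability in Apache Commons affects IBM Business "
    "Process Manager (CVE-2015-7450)",
    "Security Bulletin: Security vulnerabilities have been identified in IBM "
    "WebSphere Application Server shipped with IBM Business Process Manager and "
    "WebSphere Lombardi Edition (CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, "
    "CVE-2015-4734, CVE-2015-5006)",
    "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM "
    "Process Designer used in IBM Business Process Manager and WebSphere Lombardi "
    "Edition (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, "
    "CVE-2015-1931, CVE-2015-4872)",
    "Security Bulletin: Vulnerability in SSLv3 affects IBM Business Process "
    "Manager (CVE-2014-3566)",
    "Security Bulletin: Multiple vulnerabilities in IBM SDK for Java Technology "
    "Edition affect IBM Business Process Manager and WebSphere Lombardi Edition "
    "(CVE-2014-6512, CVE-2014-6457, CVE-2014-6558, CVE-2014-3566)",
    "Security Bulletin: Multiple vulnerabilities in WebSphere Application Server "
    "affect IBM Business Process Manager, WebSphere Process Server and WebSphere "
    "Lombardi Edition (Java CPU April 2016)",
]


def index_cves(titles):
    """Map each CVE ID to the list of bulletin titles whose title mentions it."""
    index = defaultdict(list)
    for title in titles:
        # A title may repeat a CVE; count each title once per CVE.
        for cve in set(CVE_RE.findall(title)):
            index[cve].append(title)
    return dict(index)


def shared_cves(index):
    """CVEs named by more than one bulletin. The same fix is shipped through
    several components, so patch status must be checked for each of them."""
    return sorted(cve for cve, titles in index.items() if len(titles) > 1)


def untracked_bulletins(titles):
    """Bulletins whose title carries no CVE ID (e.g. a quarterly Java CPU
    roll-up). A CVE-keyed tracker never sees these; they need a manual entry."""
    return [title for title in titles if not CVE_RE.search(title)]


if __name__ == "__main__":
    idx = index_cves(BULLETIN_TITLES)
    print(f"{len(idx)} distinct CVEs across {len(BULLETIN_TITLES)} bulletins")
    for cve in shared_cves(idx):
        print(cve, "->", len(idx[cve]), "bulletins")
    for title in untracked_bulletins(BULLETIN_TITLES):
        print("no CVE in title:", title)
```

Run against the full list on this page, `shared_cves` is the set to re-verify after patching a single component, and `untracked_bulletins` is the list to open by hand; the regex deliberately accepts five-or-more-digit sequence numbers, which later CVE years use.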
## Affected Products and Versions
**Principal Product and Version** | **Affected Supporting Product and Version**
---|---
IBM Cloud Orchestrator 2.5, 2.5.0.1, 2.5.0.1 Interim Fix 1, 2.5.0.2 | IBM Business Process Manager Standard 8.5.6
IBM Cloud Orchestrator Enterprise 2.5.0.1, 2.5.0.1 Interim Fix 1, 2.5.0.2 | IBM Business Process Manager Standard 8.5.6
IBM Cloud Orchestrator 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3 | IBM Business Process Manager Standard 8.5.0.1
IBM Cloud Orchestrator Enterprise 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3 | IBM Business Process Manager Standard 8.5.0.1
IBM SmartCloud Orchestrator 2.3 and 2.3.0.1 | IBM Business Process Manager Standard 8.5
IBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1 | IBM Business Process Manager Standard 8.5
\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n * IBM WebSphere Business Events 7.0\n * IBM WebSphere ILOG JRules v7.1\n * IBM WebSphere Operational Decision Management v7.5 \n * IBM Operational Decision Manager v8.0 \n * IBM Operational Decision Manager v8.5\n * IBM Operational Decision Manager v8.6\n * IBM Operational Decision Manager v8.7\n\n## Remediation/Fixes\n\n \nIBM WebSphere ILOG JRules V7.1: \nInterim fix 48 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **7.1.1.5-WS-BRMS_JDK-WIN-IF048** \n \nIBM WebSphere Business Event 7.0: \nInterim fix RS01752 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **7.0.1.1-WS-BE-<OS>-RS02133** \n \nIBM WebSphere Operational Decision Management v7.5: \nInterim fix 45 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **7.5.0.4-WS-ODM_JDK-<OS>-****IF045** \n\n\nIBM 
Operational Decision Manager v8.0: \n\n \nInterim fix 47 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **8.0.1.2-WS-ODM_JDK-<OS>-IF047** \n\n\nIBM Operational Decision Manager v8.5:\n\n \nInterim fix 51 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **8.5.1.2-WS-ODM_JDK-<OS>-IF051** \n\n\nIBM Operational Decision Manager v8.6:\n\n \nInterim fix 22 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **8.6.0.2-WS-ODM_JDK-<OS>-IF022** \n\n\nIBM Operational Decision Manager v8.7:\n\n \nInterim fix 22 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **8.7.0.0-WS-ODM_JDK-<OS>-IF022**\n\n## Workarounds and Mitigations\n\nNone known, apply fix\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:32", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Operational Decision Manager, WebSphere ILOG JRules and WebSphere Business Events:", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-4749"], "modified": "2018-06-15T07:03:32", "id": "60CE35DF934D73BFA400DF2649EEEC2388306C311088649B9FF31932969DCD56", "href": "https://www.ibm.com/support/pages/node/535947", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-28T22:11:06", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 that is used by IBM Control Center. These issues were disclosed as part of the IBM Java SDK updates in April and July 2015. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n**CVEID:** [_CVE-2015-0478_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0488_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2808_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1916_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-0204_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n \nIBM Control Center 6.0.0.1 \nIBM Control Center 6.0.0.0 through 6.0.0.0 iFix02 \nIBM Sterling Control Center 5.4.2 through 5.4.2.1 iFix04 \nIBM Sterling Control Center 5.4.1 through 5.4.1.0 iFix03 \nIBM Sterling Control Center 5.4.0 through 5.4.0.1 iFix04 \nIBM Sterling Control Center 5.3.0 through 5.3.0.4 iFix02 \nIBM Sterling Control Center 5.2.0 through 5.2.12\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Fix**| **How to acquire fix** \n---|---|---|--- \nControl Center| 6.0.0.1| iFix01| [Fix Central - 6.0.0.1](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.0.0.1&platform=All&function=all>) \nControl Center| 6.0.0.0| iFix03| [Fix Central - 
6.0.0.0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.0.0.0&platform=All&function=all>) \nControl Center| 5.4.2.1| iFix05 | [Fix Central - 5.4.2.1](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.2.1&platform=All&function=all>) \nControl Center| 5.4.1.0| APAR IT10907| [Fix Central - 5.4.1.0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.1.0&platform=All&function=all>) \nControl Center| 5.4.0.1| APAR IT10907| [Fix Central - 5.4.1.0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.1.0&platform=All&function=all>) \nControl Center| 5.3.0.4| APAR IT10907 | [Fix Central - 5.4.1.0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.1.0&platform=All&function=all>) \nControl Center| 5.2.11| APAR IT10907| Contact Support and request the fix package to be published for you on the ECuRep server. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[IBM Java SDK Security Bulletin April 2015](<https://www-304.ibm.com/support/docview.wss?uid=swg21883640>) \n[IBM Java SDK Security Bulletin July 2015](<http://www-01.ibm.com/support/docview.wss?uid=swg21962302>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nCVE-2015-1916 was reported to IBM by Karthikeyan Bhargavan of the PROSECCO team at INRIA.\n\n## Change History\n\n10 September 2015 - Original Version Published \n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. 
In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SS9GLA\",\"label\":\"IBM Control Center\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.0.0.1;6.0;5.4.2.1;5.4.1;5.4;5.3;5.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {}, "published": "2019-12-17T22:47:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Control Center", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808"], "modified": "2019-12-17T22:47:42", "id": "25D2B9C0FA0BC7D57BDB77AFAA062F9B600D1BCD47833017C2B0950C9718A7EF", "href": "https://www.ibm.com/support/pages/node/536543", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:54:44", "description": "## Summary\n\nMultiple security vulnerabilities exist in the IBM Java Runtime Environment component of IBM WebSphere MQ Internet Pass-Thru (MQIPT). Patches for these are available in IBM SDK, Java\u2122 Technology Edition, Version 7 Service Refresh 9 Fix Pack 10 (7.0.9.10)\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-0488](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [CVE-2015-0478](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-1916](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n \n**CVEID:** [CVE-2015-2613](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104734> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [CVE-2015-2601](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104733> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-2625](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104743> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-1931](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. 
\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM SDK, Java\u2122 Technology Edition, Version 7 (maintenance levels older than service refresh 9 fix pack 10 (7.0.9.10)) provided by WebSphere MQIPT 2.1 on all platforms.\n\n## Remediation/Fixes\n\nUpdate the JRE component following the instructions contained in this link: [http://www.ibm.com/support/docview.wss?uid=swg21678663](<http://www-01.ibm.com/support/docview.wss?uid=swg21678663>) \n \nUpdated JREs for MQIPT can be downloaded from the [MS81: WebSphere MQ Internet Pass-Thru](<http://www.ibm.com/support/docview.wss?uid=swg24006386>) SupportPac page, via the Download package link, in the '**WebSphere MQ Internet Pass-Thru JREs**' section.\n\n## Workarounds and Mitigations\n\nNone Known\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:42", "type": "ibm", "title": "Security Bulletin: IBM MQIPT is affected by multiple vulnerabilities in IBM SDK, Java\u2122 Technology Edition, Version 7 (CVE-2015-0488, CVE-2015-0478, 
CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, CVE-2015-2613, CVE-2015-2601, CVE-2015-1931, CVE-2015-2625)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808"], "modified": "2018-06-15T07:03:42", "id": "3403EBD13C171A5D7444399BA5A9F94E5CCA875C8E3E0629AEA983CD163BAD0D", "href": "https://www.ibm.com/support/pages/node/267755", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-04T03:12:25", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java Technology Edition, Version 1.6 that is used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM). These issues were disclosed as part of the IBM\u00ae Java SDK updates in April and July 2015. 
\n\n## Vulnerability Details\n\nIBM Jazz Team Server and the CLM applications (RRC, RTC, RQM, RDNG), RELM, Rhapsody DM, and RSA DM applications are affected by the following vulnerabilities disclosed in and corrected by the IBM\u00ae Java SDK updates in April and July 2015: \n \n**April 2015 vulnerabilities:** \n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\" \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**July 2015 vulnerabilities:**\n\n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. 
\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 3.0.1 - 6.0 \n \nRational Quality Manager 2.0 - 2.0.1 \nRational Quality Manager 3.0 - 3.0.1.6 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 \n \nRational Team Concert 2.0 - 2.0.0.2 \nRational Team Concert 3.0 - 3.0.6 \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 \n \nRational Requirements Composer 2.0 - 2.0.0.4 \nRational Requirements Composer 3.0 - 3.0.1.6 \nRational Requirements Composer 4.0 - 4.0.7 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 \n \nRational Engineering Lifecycle Manager 1.0 - 1.0.0.1 \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 \n \nRational Rhapsody Design Manager 3.0 - 3.0.1 \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 \n \nRational Software Architect Design Manager 3.0 - 3.0.1 \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0\n\n## Remediation/Fixes\n\nIf your product is deployed on WebSphere Application Server (WAS) and your deployment uses neither an Eclipse based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of your Rational product and only upgrade the JRE in the WAS server according to these instructions: \n[_Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect 
WebSphere Application Server July 2015 CPU_](<https://www.ibm.com/support/docview.wss?uid=swg21962931>) \n \nThe July 2015 update contains all of the corrections from the April 2015 update. The April update is listed here for convenience, but upgrade to the July 2015 update to get all the corrections. \n[_Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2015 CPU_](<https://www.ibm.com/support/docview.wss?uid=swg21902260>) \n \n**Otherwise:** \n_Note: for any of the remediations below, if your product is deployed on WAS, then WAS must also be upgraded in addition to performing your product upgrades._ \nUpgrade your products to version **3.0.1.6 or 4.0.7** or **5.0.2** or **6.0**, apply the latest ifix, and then perform the following upgrades. Request the July 2015 CPU update for the IBM\u00ae Java SDK: \n \n[_How to update the IBM SDK for Java of IBM Rational products based on version 3.0.1.6 or later of IBM's Jazz technology_](<http://www.ibm.com/support/docview.wss?uid=swg21674139>)\n\n * For the 3.x releases of Rational Software Architect Design Manager and Rhapsody Design Manager, if you cannot upgrade to 4.0.7 or 5.0 or 6.0, contact [IBM Support](<http://www.ibm.com/software/support/einfo.html>) for guidance.\n * For the 2.x releases, contact [IBM Support](<http://www.ibm.com/software/support/einfo.html>) for additional details on the fix. 
\n\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, CVE-2015-2613, CVE-2015-2601, etc.)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808"], "modified": "2021-04-28T18:35:50", "id": "8A73AC94075E067E0D2956EB222BBF00ACEC293AF298E2B41F4893F9FB9B6259", "href": "https://www.ibm.com/support/pages/node/535421", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:49:05", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6.0.16.2 that is used by RLKS Administration and Reporting Tool.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)\n\n**DESCRIPTION:** An 
unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.\n\n \n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)\n\n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.\n\n \n \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** 
[_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)\n\n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)\n\n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n \n**Description**: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \nFor more details, refer to the technote at [1702789](<http://www-01.ibm.com/support/docview.wss?uid=swg21702789>) \n \n \n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>) \n \n**DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to a 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n \n \nFor more details, refer to the technote at [1959284](<http://www-01.ibm.com/support/docview.wss?uid=swg21959284>) \n \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack. 
\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n \n \nFor more details, refer to the technote at [1700073](<http://www-01.ibm.com/support/docview.wss?uid=swg21700073>)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect the following components and their releases: \n\n\n * RLKS Administration and Reporting Tool version 8.1.4 \n * RLKS Administration and Reporting Tool version 8.1.4.2 \n * RLKS Administration and Reporting Tool version 8.1.4.3 \n * RLKS Administration and Reporting Tool version 8.1.4.4 \n * RLKS Administration and Reporting Tool version 8.1.4.5\n * RLKS Administration and Reporting Tool version 8.1.4.6\n * RLKS Administration and Reporting Tool version 8.1.4.7\n * RLKS Administration and Reporting Tool version 8.1.4.8\n * RLKS Administration and Reporting Tool version 8.1.4.9\n * RLKS Administration Agent version 8.1.4 \n * RLKS Administration Agent version 8.1.4.2 \n * RLKS Administration Agent version 8.1.4.3 \n * RLKS Administration Agent version 8.1.4.4 \n * RLKS Administration Agent version 8.1.4.5\n * RLKS Administration Agent version 8.1.4.6\n * RLKS Administration Agent version 8.1.4.7\n * RLKS Administration Agent version 8.1.4.8 [Affected only by [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>), [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>), [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>), [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) and [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)]\n\n## Remediation/Fixes\n\nReplace the JRE used in IBM RLKS Administration and Reporting Tool and IBM RLKS Administration Agent. \n\n**_Steps to replace the JRE in IBM RLKS Administration and Reporting Tool (All Versions)_**\n\n \n \n1\\. 
Go to [_Fix Central_](<http://www.ibm.com/support/fixcentral>) \n \n2\\. On the **Find product** tab, enter _Rational Common Licensing_ in the **Product Selector** field and press Enter. \n \n3\\. Select the **Installed Version** and click **Continue**. \n \n4\\. Select the platform of the machine where RLKS Administration and Reporting Tool is installed and click **Continue**. \n \n5\\. On the **Identify fixes** page, select **Browse for fixes**, select **Show fixes that apply to this version**, and click **Continue**. \n \n6\\. Download the Java runtime iFix for RLKS Administration and Reporting Tool. \n \n**Note:** Although the name of the iFix is **RLKS_Administration_And_Reporting_Tool_8148_Admin_iFix_1_<Platform>_<Architecture>**, the same iFix is applicable to all previous RLKS Administration and Reporting Tool versions. \n \n7\\. Shut down RLKS Administration and Reporting Tool. \n \n8\\. Go to the installation location of RLKS Administration and Reporting Tool. \n \n9\\. Rename the <install location>/server/jre folder to **<install location>/server/jre_back**. \nThis step backs up the existing JRE. \n \n10\\. Extract the downloaded JRE into the <install location>/server/ folder. \n \nExample: <install location>/server/jre \n \n11\\. Start up RLKS Administration and Reporting Tool. \n \n12\\. Log in to the tool using the rcladmin user and verify that you see the configured license servers under the 'Server' tab. 
\n\n**_How to fix these vulnerabilities in IBM RLKS Administration Agent (All Versions)?_**\n\nUpgrade to IBM RLKS Administration Agent version 8.1.4.9.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:04:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect RLKS Administration and Reporting Tool (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-2808, CVE-2015-4000, CVE-2015-1916, CVE-2015-0488, CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-4000"], "modified": "2018-06-17T05:04:34", "id": "34CFE8125A8881CC719C7F836804991085EA547A7871860AB1BFE0DB8E83422D", "href": "https://www.ibm.com/support/pages/node/533949", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:47:19", "description": "## Summary\n\nFixes for Cognos Business Intelligence are provided as part of Tivoli Common Reporting fixes. 
\n \nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 and IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 that are used by IBM Cognos Business Intelligence. These issues were disclosed as part of the IBM Java SDK updates in October 2014 and January 2015. \n \nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\u201d TLS/SSL client and server vulnerability. OpenSSL is used by IBM Cognos Business Intelligence. Cognos Business Intelligence is vulnerable to CVE 2014-0204 (FREAK) in versions 8.4.1 - 10.2.0 only. \n \nAn IBM Dojo toolkit vulnerability was disclosed on Dec 8, 2014. The IBM Dojo toolkit is included with IBM Cognos Business Intelligence. IBM Cognos Business Intelligence has addressed the vulnerability. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack. 
\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n**CVEID:** [_CVE-2014-8917_](<https://vulners.com/cve/CVE-2014-8917>) \n**DESCRIPTION:** IBM Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99303>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2014-9495_](<https://vulners.com/cve/CVE-2014-9495>) \n**DESCRIPTION:** libpng is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the png_combine_row function when decompressing the IDAT_data. A remote attacker could exploit this vulnerability using a \"very wide interlaced\" PNG image to overflow a buffer and execute arbitrary code on the system or cause a denial of service. \n**CVSS:** \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99699> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \n**CVE-ID:** [_CVE-2015-0973_](<https://vulners.com/cve/CVE-2015-0973>) \n**DESCRIPTION:** Libpng is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the png_read_IDAT_data() function. 
A remote attacker could exploit this vulnerability using IDAT data with a large width to overflow a buffer and execute arbitrary code on the system or cause a denial of service. \n**CVSS:** \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100239> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n**CVE-ID:** [_CVE-2014-3566_](<https://vulners.com/cve/CVE-2014-3566>) \n**DESCRIPTION:** The product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections. \n**CVSS:** \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVE-ID:** [_CVE-2014-6457_](<https://vulners.com/cve/CVE-2014-6457>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \n**CVSS:** \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97148> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n**CVE-ID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability in Java SE and JRockit related to the Security component could allow a remote attacker to cause a denial of service. \n**CVSS:** \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVE-ID:** [_CVE-2014-3569_](<https://vulners.com/cve/CVE-2014-3569>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. \n**CVSS:** \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99706> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVE-ID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
This vulnerability is also known as the FREAK attack. \n**CVSS:** \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \n**CVSS:** \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99710>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \n**CVSS:** \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVE-ID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. 
An attacker could exploit this vulnerability to launch further attacks on the system. \n**CVSS:** \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99705>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. \n**CVSS:** \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \n**CVSS:** \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. \n**CVSS:** \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99704> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nTivoli Common Reporting 2.1 \n\nTivoli Common Reporting 2.1.1\n\nTivoli Common Reporting 2.1.1.2\n\nTivoli Common Reporting 3.1\n\nTivoli Common Reporting 3.1.0.1\n\nTivoli Common Reporting 3.1.0.2\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for the versions listed as soon as practical. \n \n \n\n\n**Tivoli Common Reporting release**| **Remediation** \n---|--- \n2.1| [Install Interim Fix 11](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Tivoli+Common+Reporting&release=2.1.0.0&platform=All&function=all>) \n2.1.1| [Install Interim Fix 19](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Tivoli+Common+Reporting&release=2.1.1.0&platform=All&function=all>) \n2.1.1.2| [Install Interim Fix 6](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Tivoli+Common+Reporting&release=2.1.1.2&platform=All&function=all>) \n3.1.0.0 through 3.1.0.2| [Install Interim Fix 5](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=1.1&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2018-06-17T15:02:16", "type": "ibm", "title": "Security Bulletin: Multiple vulnerability in Product IBM Tivoli Common Reporting( CVE-2015-0138, CVE-2014-9495,CVE-2014-8917,CVE-2015-0973 ,CVE-2014-3566 ,CVE-2014-6457 ,CVE-2014-6593,CVE-2015-0410,CVE-2014-3569,CVE-2015-0204,CVE-2014-3570)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-6457", "CVE-2014-6593", "CVE-2014-8275", "CVE-2014-8917", "CVE-2014-9495", "CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206", "CVE-2015-0410", "CVE-2015-0973"], "modified": "2018-06-17T15:02:16", "id": "876891B543E663981BBDB1C50F7E5948B40E8F74F942B713B9EC008438EB3C65", "href": "https://www.ibm.com/support/pages/node/264795", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:52:07", "description": "## Summary\n\nSeveral previously released versions of IBM QRadar SIEM, and IBM QRadar Incident Forensics are affected by multiple vulnerabilities reported in the IBM SDK Java Technology Edition Version 6 and 7.\n\n## Vulnerability Details\n\n**CVE-ID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n \n**Description:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. 
\n \n**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:M/Au:N/C:P/I:N/A:N \n \n \n**CVE-ID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \n \n**Description:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service. \n \n**CVSS Base Score:** 5.0 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:L/Au:N/C:N/I:N/A:P \n \n \n**CVE-ID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n \n**Description:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \n \n**CVSS Base Score:** 5.0 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:L/Au:N/C:N/I:N/A:P \n \n \n**CVE-ID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n \n**Description:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. 
\n \n**CVSS Base Score:** 5.0 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:L/Au:N/C:P/I:N/A:N \n \n \n**CVE-ID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n \n**Description:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \n \n**CVSS Base Score:** 5.0 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:L/Au:N/C:P/I:N/A:N \n \n \n**CVE-ID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>) \n \n**Description:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \n \n**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:M/Au:N/C:N/I:N/A:P \n \n \n**CVE-ID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n \n**Description:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. 
\n \n**CVSS Base Score:** 2.6 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:H/Au:N/C:P/I:N/A:N \n \n \n**CVE-ID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n \n**Description:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \n \n**CVSS Base Score:** 2.1 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:L/AC:L/Au:N/C:P/I:N/A:N\n\n## Affected Products and Versions\n\n\u00b7 IBM QRadar SIEM 7.2.5 Patch 3 and earlier versions. \n\n\u00b7 IBM QRadar SIEM 7.1 MR2 Patch 11 Interim Fix 01 and earlier versions.\n\n\u00b7 IBM QRadar Incident Forensics 7.2.5 Patch 3 and earlier versions\n\n## Remediation/Fixes\n\n[\u00b7 _IBM QRadar/QRM/QVM/QRIF 7.2.5 Patch 3 Interim Fix 01_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.5-QRADAR-QRSIEM-20150722144420INT%3Ahidden&includeSupersedes=0&source=>)\n\n[\u00b7 _IBM QRadar SIEM 7.1 MR2 Patch 11 Interim Fix 02_](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.1.0&platform=Linux&function=fixId&fixids=7.1.0-QRADAR-QRSIEM-1104233INT&includeSupersedes=0&source=fc>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", 
"availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:26:04", "type": "ibm", "title": "Security Bulletin: IBM QRadar SIEM can be affected by Multiple Vulnerabilities in the IBM Java Runtime Environment. (CVE-2015-0478, CVE-2015-0488, CVE-2015-1916, CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2018-06-16T21:26:04", "id": "0BA3D00F2A4E161ACE7CE229FBCCA7601D73B67AF80161C317B48754F1EC9FB8", "href": "https://www.ibm.com/support/pages/node/533523", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:51:33", "description": "## Summary\n\nVulnerabilities in OpenSSL (including the \u201cFREAK\u201d attack) affect IBM Tealeaf Customer Experience.\n\n## Vulnerability Details\n\nCVEID: [CVE-2014-3569](<https://vulners.com/cve/CVE-2014-3569>) \nDESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. 
A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99706> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \nCVEID: [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>) \nDESCRIPTION: An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \nCVEID: [CVE-2014-3571](<https://vulners.com/cve/CVE-2014-3571>) \nDESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \nCVEID: [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>) \nDESCRIPTION: OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. 
\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \nCVEID:[ CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>) \nDESCRIPTION: OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate bypass security restrictions and perform unauthorized actions. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \nCVEID: [CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>) \nDESCRIPTION: OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n \nCVEID: [CVE-2015-0206](<https://vulners.com/cve/CVE-2015-0206>) \nDESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99704> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \nCVEID: [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>) \nDESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Tealeaf Customer Experience: v8.0-v9.0.1\n\n## Remediation/Fixes\n\nProduct \n\n| \n\nVRMF \n\n| \n\nRemediation/First Fix \n \n---|---|--- \n \nIBM Tealeaf Customer Experience\n\n| \n\n9.0.1A \n\n| PCA: [`https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1A_IBMTealeaf_PCA-3724-4_SecurityRollup_FixPack`](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1A_IBMTealeaf_PCA-3724-4_SecurityRollup_FixPack>) \nTealeaf CX: 
[`https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1.5091_9.0.1A_IBMTealeaf_CXUpgrade_FixPack4`](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1.5091_9.0.1A_IBMTealeaf_CXUpgrade_FixPack4>) \n \nIBM Tealeaf Customer Experience \n\n| \n\n9.0.1\n\n| `PCA: `[`https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1_IBMTealeaf_PCA-3673-4_SecurityRollup_FixPack`](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1_IBMTealeaf_PCA-3673-4_SecurityRollup_FixPack>) \nTealeaf CX: [`https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1.1097_IBMTealeaf_CXUpgrade_FixPack4`](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1.1097_IBMTealeaf_CXUpgrade_FixPack4>) \n \nIBM Tealeaf Customer Experience \n\n| \n\n9.0.0, 9.0.0A \n\n| You can contact the [_Technical Support_](<http://www.ibm.com/software/marketing-solutions/tealeaf/support>) team for guidance. 
\n \nIBM Tealeaf Customer Experience \n\n| \n\n8.8 \n\n| `PCA: `[`https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.8_IBMTealeaf_PCA-3625-4_SecurityRollup_FixPack`](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.8_IBMTealeaf_PCA-3625-4_SecurityRollup_FixPack>) \nTealeaf CX: [`https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.8.0.9034_IBMTealeaf_CXUpgrade_FixPack8`](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.8.0.9034_IBMTealeaf_CXUpgrade_FixPack8>) \n \nIBM Tealeaf Customer Experience \n\n| \n\n8.7 \n\n| `PCA: `[`https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.7_IBMTealeaf_PCA-3615-4_SecurityRollup_FixPack`](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.7_IBMTealeaf_PCA-3615-4_SecurityRollup_FixPack>) \nTealeaf CX: [`https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.7.1.8830_IBMTealeaf_CXUpgrade_FixPack9`](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.7.1.8830_IBMTealeaf_CXUpgrade_FixPack9>) \n \nIBM Tealeaf Customer Experience \n\n| \n\n8.6 and earlier \n\n| You can contact the [_Technical Support_](<http://www.ibm.com/software/marketing-solutions/tealeaf/support>) team for guidance. \nFor v9.0.0, 9.0.0A, and versions before v8.7, IBM recommends upgrading to a later supported version of the product. \n\n## Workarounds and Mitigations\n\nFor the PCA, a workaround is available: disable the web console and use the command line instead. 
No workaround is available for the Windows servers.\n\n## ", "cvss3": {}, "published": "2018-06-16T19:44:46", "type": "ibm", "title": "Security Bulletin: IBM Tealeaf Customer Experience is affected by vulnerabilities in OpenSSL", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2018-06-16T19:44:46", "id": "5EFA61D3F8993C31C0477A0F2B01971CB094CF8BC7EED89CA86652040865EA39", "href": "https://www.ibm.com/support/pages/node/264889", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-23T21:52:27", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware. IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware have addressed the applicable CVEs.\n\n## Vulnerability Details\n\n## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware. 
IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware have addressed the applicable CVEs.\n\n**Vulnerability Details:**\n\n**CVE-ID:** [CVE-2014-3569](<https://vulners.com/cve/CVE-2014-3569>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99706> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>)\n\n**Description:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99710> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-3571](<https://vulners.com/cve/CVE-2014-3571>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99703> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>)\n\n**Description:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. 
An attacker could exploit this vulnerability to launch further attacks on the system.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99705> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>)\n\n**Description:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate bypass security restrictions and perform unauthorized actions.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99709> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0206](<https://vulners.com/cve/CVE-2015-0206>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99704> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>)\n\n**Description:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. 
An attacker could exploit this vulnerability to authenticate without the use of a private key.\n\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99708> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>)\n\n**Description:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99707> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected products and versions\n\n * IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware versions 9.1.0.xx, 9.1.1.xx, 9.1.2.xx, and 9.1.3.xx.\n\n## Remediation/Fixes:\n\nFirmware updates are available at IBM Fix Central - <http://www.ibm.com/support/fixcentral/> .\n\nIt is recommended to apply the following fix for IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware: \nqlgc_fw_flex_9.1.5.03.00_anyos_noarch version 9.1.5.03.00 (or a later version).\n\n## Workarounds and Mitigations:\n\nNone known\n\n## References:\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n[Subscribe to Security 
Bulletins](<http://www.ibm.com/support/mynotifications/>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n5 May 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2019-01-31T01:55:01", "id": 
"27429FD98ECDD9177285F700AB3368E1A2EBE81472EDEAD4DE2A87D7C8D6C827", "href": "https://www.ibm.com/support/pages/node/867426", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-10-01T01:50:27", "description": "## Summary\n\nOpenSSL in Power Hardware Management Console contains multiple vulnerabilities ( \nCVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)\n\n## Vulnerability Details\n\nCVEID: CVE-2014-3569\n\n \nDescription: OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. \nCVSS Base Score: 5.000 \nCVSS Temporal Score: <http://xforce.iss.net/xforce/xfdb/99706> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \nCVEID: CVE-2014-3570 \nDescription: An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \nCVSS Base Score: 2.600 \nCVSS Temporal Score: <http://xforce.iss.net/xforce/xfdb/99710> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \nCVEID: CVE-2014-3571 \nDescription: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. 
\nCVSS Base Score: 5.000 \nCVSS Temporal Score: <http://xforce.iss.net/xforce/xfdb/99703> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \nCVEID: CVE-2014-3572 \nDescription: OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.200 \nCVSS Temporal Score: <http://xforce.iss.net/xforce/xfdb/99705> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \nCVEID: CVE-2014-8275 \nDescription: OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate bypass security restrictions and perform unauthorized actions. \nCVSS Base Score: 1.200 \nCVSS Temporal Score: <http://xforce.iss.net/xforce/xfdb/99709> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \nCVEID: CVE-2015-0204 \nDescription: OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.200 \nCVSS Temporal Score: <http://xforce.iss.net/xforce/xfdb/99707> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \nCVEID: CVE-2015-0205 \nDescription: OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. 
An attacker could exploit this vulnerability to authenticate without the use of a private key. \nCVSS Base Score: 2.100 \nCVSS Temporal Score: <http://xforce.iss.net/xforce/xfdb/99708> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n \nCVEID: CVE-2015-0206 \nDescription: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. \nCVSS Base Score: 5.000 \nCVSS Temporal Score: <http://xforce.iss.net/xforce/xfdb/99704> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\nPower HMC V7.7.3.0 \nPower HMC V7.7.7.0 \nPower HMC V7.7.8.0 \nPower HMC V7.7.9.0 \nPower HMC V8.8.1.0 \nPower HMC V8.8.2.0\n\n## Remediation/Fixes\n\nThe Following fixes are available on IBM Fix Central at <http://www-933.ibm.com/support/fixcentral/>\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nPower HMC| V7.7.3.0 SP7| MB03891| Apply eFix MH01503 \nPower HMC| V7.7.7.0 SP4| MB03904| Apply eFix MH01516 \nPower HMC| V7.7.8.0 SP2| MB03892| Apply eFix MH01504 \nPower HMC| V7.7.9.0 SP2| MB03893| Apply eFix MH01505 \nPower HMC| V8.8.1.0 SP1| MB03894| Apply eFix MH01506 \nPower HMC| V8.8.2.0 SP1| MB03895| Apply eFix MH01507 \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related 
Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n06-Apr-2015 : Original Copy Published \n\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Internal Use Only\n\nPower HMC\n\n| V7.7.3.0 SP7| MB03891| Apply eFix MH01503 \n---|---|---|--- \n \n[{\"Product\":{\"code\":\"SSB6AA\",\"label\":\"Power System Hardware Management Console Physical Appliance\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\"HMC\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"Version Independent\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB08\",\"label\":\"Cognitive Systems\"}}]", "cvss3": {}, "published": "2021-09-23T01:31:39", "type": "ibm", "title": "Security Bulletin: Vulnerability in OpenSSL affects Power Hardware Management Console (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2021-09-23T01:31:39", "id": "8B2DED0C68ECC00A46CE2034FAB93BA0EEB7F806C221A4FD33002EBA16C90F98", "href": "https://www.ibm.com/support/pages/node/646197", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T21:42:51", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM i. IBM i has addressed the applicable CVEs provided by OpenSSL.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-3569_](<https://vulners.com/cve/CVE-2014-3569>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99706_](<http://xforce.iss.net/xforce/xfdb/99706>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n\n\n**CVEID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. 
\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99710_](<http://xforce.iss.net/xforce/xfdb/99710>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99703_](<http://xforce.iss.net/xforce/xfdb/99703>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99705_](<http://xforce.iss.net/xforce/xfdb/99705>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. 
\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99709_](<http://xforce.iss.net/xforce/xfdb/99709>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99707_](<http://xforce.iss.net/xforce/xfdb/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99708_](<http://xforce.iss.net/xforce/xfdb/99708>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99704_](<http://xforce.iss.net/xforce/xfdb/99704>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nReleases V5R3, V5R4, 6.1, 7.1 and 7.2 of IBM i are affected.\n\n## Remediation/Fixes\n\nThe issue can be fixed by applying a PTF to the IBM i Operating System. \n \nReleases 6.1, 7.1 and 7.2 of IBM i are supported and will be fixed. Releases V5R3 and V5R4 are unsupported and will not be fixed. \n \nThe IBM i PTF numbers are: \n \n**Release 6.1 \u2013 SI56063** \n**Release 7.1 \u2013 SI55950** \n**Release 7.2 \u2013 SI55951** \n \n**_Important note:_** _IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of affected products._\n\n## Workarounds and Mitigations\n\nNone known\n\n## ", "cvss3": {}, "published": "2019-12-18T14:26:38", "type": "ibm", "title": "Security Bulletin: IBM i is affected by several OpenSSL vulnerabilities.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2019-12-18T14:26:38", "id": 
"8C9587F7869864B7CD3E6A14F5A82A1980553CACD4F24ED3FEEFB284B9586E16", "href": "https://www.ibm.com/support/pages/node/646053", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-23T21:51:40", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware and QLogic 8Gb FC Switch Module Firmware. IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware and QLogic 8Gb FC Switch Module Firmware have addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2014-3569](<https://vulners.com/cve/CVE-2014-3569>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. 
A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99706> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>)\n\n**Description:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99710> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-3571](<https://vulners.com/cve/CVE-2014-3571>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99703> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>)\n\n**Description:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. 
An attacker could exploit this vulnerability to launch further attacks on the system.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99705> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>)\n\n**Description:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99709> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0206](<https://vulners.com/cve/CVE-2015-0206>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99704> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>)\n\n**Description:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. 
An attacker could exploit this vulnerability to authenticate without the use of a private key.\n\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99708> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>)\n\n**Description:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99707> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nProduct | Affected Version | Fix Version \n---|---|--- \nIBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru \n(qlgc_fw_flex_9.1.5.03.00_anyos_noarch) | 9.1.0.xx, 9.1.1.xx, 9.1.2.xx, and 9.1.3.xx | 9.1.5.03.00 \nQLogic 8Gb FC Switch Module Firmware \n(qlgc_fw_bcsw_7.10.1.35_anyos_noarch) | 7.10.1.34.00 | 7.10.1.35.00 \n \n## Remediation/Fixes:\n\nFirmware updates are available at IBM Fix Central: <http://www.ibm.com/support/fixcentral/>.\n\nIt is recommended to apply the fix versions for the products listed above (or a later version).\n\n## Workarounds and Mitigations:\n\nNone.\n\n## References:\n\n * [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide.html>)\n * [On-line Calculator v2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security 
Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n[Subscribe to Security Bulletins](<http://www.ibm.com/support/mynotifications/>)\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n18 February 2016: Original version published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T02:25:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware and QLogic 8Gb FC Switch Module Firmware", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2019-01-31T02:25:02", "id": 
"0605FD787540122AD2849575BC1ADAC8E131947D04B7A26E71551E12B9A939E2", "href": "https://www.ibm.com/support/pages/node/868438", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-23T21:52:00", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes FREAK: Factoring Attack on RSA-EXPORT keys TLS/SSL client and server vulnerability. OpenSSL is used by FSM. FSM has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2014-3569](<https://vulners.com/cve/CVE-2014-3569>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. 
A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99706> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>)\n\n**Description:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-3571](<https://vulners.com/cve/CVE-2014-3571>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>)\n\n**Description:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. 
An attacker could exploit this vulnerability to launch further attacks on the system.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>)\n\n**Description:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>)\n\n**Description:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>)\n\n**Description:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. 
An attacker could exploit this vulnerability to authenticate without the use of a private key.\n\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0206](<https://vulners.com/cve/CVE-2015-0206>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99704> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected products and versions\n\n * Flex System Manager 1.1.x.x\n * Flex System Manager 1.2.0.x\n * Flex System Manager 1.2.1.x\n * Flex System Manager 1.3.0.x\n * Flex System Manager 1.3.1.x\n * Flex System Manager 1.3.2.x\n * Flex System Manager 1.3.3.x\n\n## Remediation/Fixes\n\nYou should verify applying this fix does not cause any compatibility issues.\n\nProduct | VRMF | APAR | Remediation \n---|---|---|--- \nFlex System Manager | 1.3.3.x | IT05287 | The fix for these vulnerabilities is packaged with fixes that require agent updates. \n \nNavigate to the [Support Portal](<http://www-947.ibm.com/support/entry/portal/support/>) and search for technote [ 736218441](<http://www.ibm.com/support/docview.wss?rs=0&uid=nas724cb521f58c4126286257dfd005c1958>) for instructions on installing updates for the FSM and Agents. \nFlex System Manager | 1.3.2.x | IT05287 | The fix for these vulnerabilities is packaged with fixes that require agent updates. 
\n \nNavigate to the [Support Portal](<http://www-947.ibm.com/support/entry/portal/support/>) and search for technote [ 736218441](<http://www.ibm.com/support/docview.wss?rs=0&uid=nas724cb521f58c4126286257dfd005c1958>) for instructions on installing updates for the FSM and Agents. \nFlex System Manager | 1.3.1.x | IT05287 | Upgrade to FSM 1.3.3.0 and follow the appropriate remediation for all vulnerabilities, or open a PMR with support to request an APAR. \nFlex System Manager | 1.3.0.x | IT05287 | Upgrade to FSM 1.3.3.0 and follow the appropriate remediation for all vulnerabilities, or open a PMR with support to request an APAR. \nFlex System Manager | 1.2.1.x | IT05287 | IBM is no longer providing code updates for this release, upgrade to FSM 1.3.3.0 and follow the appropriate remediation for all vulnerabilities. \nFlex System Manager | 1.2.0.x | IT05287 | IBM is no longer providing code updates for this release, upgrade to FSM 1.3.3.0 and follow the appropriate remediation for all vulnerabilities. \nFlex System Manager | 1.1.x.x | IT05287 | Effective April 30, 2015, IBM has discontinued service for these version/release/modification/fix levels. \n \n## Workarounds and Mitigations\n\nNone.\n\n## Reference\n\n * [Complete CVSS V2 Guide](<http://www.first.org/cvss/v2/guide>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n * [OpenSSL Project vulnerability website](<http://www.openssl.org/news/vulnerabilities.html>)\n * [OpenSSL Advisory on above listed CVEs](<https://www.openssl.org/news/secadv_20150108.txt>)\n\n**Related Information** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>)\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n27 August, 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T02:10:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2019-01-31T02:10:01", "id": "7B7C45F482E6FC81C29C872600E597A4BFEEA39F4A4682A9D96AF33965BDA088", "href": "https://www.ibm.com/support/pages/node/867780", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:55:09", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. 
OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js is used by IBM Business Process Manager Configuration Editor. IBM Business Process Manager Configuration Editor has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-3569_](<https://vulners.com/cve/CVE-2014-3569>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99706> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\n * IBM Business Process Manager V8.5.5 and V8.5.6\n\n## Remediation/Fixes\n\nInstall the interim fix for APAR JR52893 as appropriate for your current IBM Business Process Manager environment. \n\n * [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR52893>)\n * [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR52893>)\n * [IBM Business Process Manager Advanced](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR52893>)\n \nYou should verify that applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\n[IBM BPM Configuration Editor](<http://www-01.ibm.com/support/knowledgecenter/SSFPJS_8.5.5/com.ibm.wbpm.imuc.doc/topics/tmig_edit_adv_win.html>) is a stand-alone tool for editing properties files. 
Use a standard text file editor instead.\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:43", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2018-06-15T07:02:43", "id": "36DFBA3A2119551C6D14656B2EA79D2DAD4DA46982BD0D496ED45568D8A36444", "href": "https://www.ibm.com/support/pages/node/258601", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:52:16", "description": "## Summary\n\nSecurity vulnerabilities have been discovered in OpenSSL used with IBM Security Network Protection.\n\n## Vulnerability Details\n\n \n**CVEID:** [**_CVE-2014-3569_**](<https://vulners.com/cve/CVE-2014-3569>) \n \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. 
\n \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99706_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99706>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P \n \n \n \n**CVEID:** [**_CVE-2014-3570_**](<https://vulners.com/cve/CVE-2014-3570>) \n \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99710_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99710>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N \n \n \n \n**CVEID:** [**_CVE-2014-3571_**](<https://vulners.com/cve/CVE-2014-3571>) \n \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \n \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99703_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99703>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P \n \n \n \n**CVEID:** [**_CVE-2014-3572_**](<https://vulners.com/cve/CVE-2014-3572>) \n \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. 
\n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99705_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99705>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N \n \n \n \n**CVEID:** [**_CVE-2014-8275_**](<https://vulners.com/cve/CVE-2014-8275>) \n \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. \n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99709_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99709>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N \n \n \n \n**CVEID:** [**_CVE-2015-0204_**](<https://vulners.com/cve/CVE-2015-0204>) \n \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system. \n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N \n \n \n \n**CVEID:** [**_CVE-2015-0205_**](<https://vulners.com/cve/CVE-2015-0205>) \n \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. 
An attacker could exploit this vulnerability to authenticate without the use of a private key. \n \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99708_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99708>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N \n \n \n \n**CVEID:** [**_CVE-2015-0206_**](<https://vulners.com/cve/CVE-2015-0206>) \n \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. \n \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99704_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99704>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P\n\n## Affected Products and Versions\n\nProducts: IBM Security Network Protection (XGS) models 3100, 4100, 5100, 7100 \nFirmware versions: 5.2, 5.3\n\n## Remediation/Fixes\n\nIBM has provided fixes for all supported versions. Follow the installation instructions in the README files included with the fix. 
\n\n\n * Firmware 5.2: [_5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0007_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/IBM+Security+Network+Protection&release=5.2&platform=All&function=all>)\n * Firmware 5.3: Firmware Update 5.3.0.4 for IBM Security Network Protection products at version 5.3 \n[_https://ibmss.flexnetoperations.com_](<https://ibmss.flexnetoperations.com/>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T21:22:25", "type": "ibm", "title": "Security Bulletin: IBM Security Network Protection is affected by OpenSSL vulnerabilities (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, and CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2018-06-16T21:22:25", "id": "67EF437A7EE9F806664D3B7FEB18353C77D537D23FE902D56CE220B1302C1BDA", "href": "https://www.ibm.com/support/pages/node/526895", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:38:07", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. 
OpenSSL is used by the Cordova platform packaged with Rational Software Architect and Rational Software Architect for WebSphere Software and has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-3569_](<https://vulners.com/cve/CVE-2014-3569>) \n \n**Description:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. \n \n**CVSS Base Score:** 5.0 \n**CVSS Temporal Score:** See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99706>_ for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n**CVEID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n \n**Description:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \n \n**CVSS Base Score:** 2.6 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. 
By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.\n\n**CVSS Base Score:** 5 \n**CVSS Temporal Score:** See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99703>_ for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>)\n\n**Description:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.\n\n**CVSS Base Score:** 1.2 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>)\n\n**Description:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.\n\n**CVSS Base Score:** 1.2 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)\n\n**Description:** OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
An attacker could exploit this vulnerability to launch further attacks on the system.\n\n**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>)\n\n**Description:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.\n\n**CVSS Base Score:** 2.1 \n**CVSS Temporal Score:** See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99708>_ for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.\n\n**CVSS Base Score:** 5 \n**CVSS Temporal Score:** See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99704>_ for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nRational Software Architect 9.1 and 9.1.1 \n\nRational Software Architect for WebSphere Software 9.1 and 9.1.1\n\n## Remediation/Fixes\n\nUpdate the IBM SDK for Node.js used by the Cordova platform in the product to address this vulnerability: \n \n\n\n**Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nRational Software Architect \n \nRational Software Architect for WebSphere Software| 9.1 and 9.1.1| \n\n * Apply [IBM SDK for Node.js 1.1.0.12](<https://www.ibm.com/developerworks/web/nodesdk/>) to the Cordova platform in the product. \n \nInstallation instructions for applying the update to the Cordova platform in the product can be found here: \n \n[Upgrading the IBM SDK for Node.js used by Cordova](<http://www.ibm.com/support/docview.wss?uid=swg21684946>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-09-10T15:49:00", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affects Rational Software Architect and Rational Software Architect for WebSphere Software (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-020", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2020-09-10T15:49:00", "id": "9D4CE3C1ABE40F94B4BE3EE8C4ACB8067AFF379F67374E38DF455E5F62978BC9", "href": "https://www.ibm.com/support/pages/node/257629", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-01T14:32:32", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes the \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by multiple IBM N Series Products. The IBM N Series Products listed below have addressed the applicable CVEs.\n\n## Vulnerability Details\n\nOpenSSL is used in IBM N series Products for providing communication security by encrypting data being transmitted. \n\n**CVEID:** [_CVE-2014-3569_](<https://vulners.com/cve/CVE-2014-3569>)\n\n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. 
A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.\n\nCVSS Base Score: 5\n\nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99706_](<http://xforce.iss.net/xforce/xfdb/99706>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>)\n\n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.\n\nCVSS Base Score: 2.6\n\nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99710_](<http://xforce.iss.net/xforce/xfdb/99710>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>)\n\n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.\n\nCVSS Base Score: 5\n\nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99703_](<http://xforce.iss.net/xforce/xfdb/99703>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>)\n\n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. 
An attacker could exploit this vulnerability to launch further attacks on the system.\n\nCVSS Base Score: 1.2\n\nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99705_](<http://xforce.iss.net/xforce/xfdb/99705>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>)\n\n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.\n\nCVSS Base Score: 1.2\n\nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99709_](<http://xforce.iss.net/xforce/xfdb/99709>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>)\n\n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.\n\nCVSS Base Score: 2.1\n\nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99708_](<http://xforce.iss.net/xforce/xfdb/99708>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>)\n\n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.\n\nCVSS Base Score: 5\n\nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99704_](<http://xforce.iss.net/xforce/xfdb/99704>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)\n\n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3\n\nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99707_](<http://xforce.iss.net/xforce/xfdb/99707>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nClustered Data ONTAP: 8.2.1, 8.2.2, 8.2.3, 8.2.4; \nClustered Data ONTAP Antivirus Connector: 1.0, 1.0.1, 1.0.2; \nData ONTAP operating in 7-Mode: 7.3.7, 8.1.4, 8.2.1, 8.2.2, 8.2.3; \nData ONTAP SMI-S Agent: 5.1.2, 5.2; \nNS OnCommand Core Package: 5.1.2, 5.2.1, 5.2; \nOpen Systems SnapVault: 3.0.1; \nSnapDrive for Unix: 5.2.2; \nSnapDrive for Windows: 7.1.1;\n\n## Remediation/Fixes\n\nFor Data ONTAP SMI-S Agent: the fix exists from microcode version 5.2.1; \nFor Data ONTAP operating in 7-Mode: the fix exists from microcode version 8.2.4; \nFor NS OnCommand Core Package: the fix exists from microcode version 5.2.1P1; \nFor Open Systems SnapVault: the fix exists from microcode version 3.0.1P7; \nFor SnapDrive for Unix: the fix exists from microcode version 5.3; \nFor SnapDrive for Windows: the fix exists from microcode version 7.1.2; \n\n\nPlease contact IBM support or go to this [_link_](<https://www-945.ibm.com/support/fixcentral/>) to download a supported release. For customers on Data ONTAP operating in 7-Mode 7.3.7, 8.1.4, please contact IBM support to upgrade your product version to a fixed release. For customers who are using Clustered Data ONTAP or Clustered Data ONTAP Antivirus Connector, please contact IBM support.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2021-12-15T18:04:22", "type": "ibm", "title": "Security Bulletin: January 2015 OpenSSL security vulnerabilities in Multiple IBM N Series Products", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2021-12-15T18:04:22", "id": "74883CCC877A00E64646F1A01AC3B85889471753497E3ACCE0292F7CF617291F", "href": "https://www.ibm.com/support/pages/node/696169", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-23T21:52:30", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by Integrated Management Module II (IMM2). 
IMM2 has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>)\n\n**Description:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99707> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-3569](<https://vulners.com/cve/CVE-2014-3569>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. 
A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99706> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>)\n\n**Description:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99710> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-3571](<https://vulners.com/cve/CVE-2014-3571>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99703> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>)\n\n**Description:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. 
An attacker could exploit this vulnerability to launch further attacks on the system.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99705> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>)\n\n**Description:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99709> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>)\n\n**Description:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.\n\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99708> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0206](<https://vulners.com/cve/CVE-2015-0206>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99704> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected products and versions\n\nAll IMM2 firmware releases prior to v4.90 for these systems:\n\n * System x3100 M4, type 2582\n * System x3100 M5, type 5457\n * System x3250 M4, type 2583\n * System x3250 M5, type 5458\n * System x3300 M4, type 7382\n * System x3500 M4, type 7383\n * System x3530 M4, type 7160\n * System x3550 M4, type 7914\n * System x3630 M4, type 7158\n * System x3650 M4 BD, type 5466\n * System x3650 M4 HD, type 5460\n * System x3650 M4, type 7915\n * System x3750 M4, types 8752, 8718\n * System x3750 M4, types 8722, 8733\n * System x3850 X6, Type 3837\n * System x3950 X6, Type 3837\n * iDataplex dx360 M4, types 7912, 7913\n * iDataplex dx360 M4 Water Cooled, types 7918, 7919\n * NeXtScale nx360 M4, type 5455\n * Flex System x220 Compute Node, types 7906, 2585\n * Flex System x222 Compute Node, type 7916\n * Flex System x240 Compute Node, types 8737, 8738, 7863, 8956\n * Flex System x440 Compute Node, type 7917\n * Flex System x880 Compute Node, types 4259,7903\n * Flex System Manager Node, types 8731, 8734, 7955\n\n## Remediation/Fixes:\n\nFirmware updates are available at IBM Fix Central - <http://www.ibm.com/support/fixcentral/> .\n\nIt is recommended to update the following affected systems to Integrated Management Module 2 v4.97 (1AOO66M) or above:\n\n * System x3100 M4, type 2582\n * System x3100 M5, type 5457\n * System x3250 M4, type 2583\n * System x3250 M5, type 5458\n * System x3300 M4, type 7382\n * System x3500 M4, type 7383\n * System x3530 M4, type 7160\n * System x3550 M4, type 7914\n * System x3630 M4, type 7158\n * System x3650 M4 BD, type 5466\n * System x3650 M4 HD, type 
5460\n * System x3650 M4, type 7915\n * System x3750 M4, types 8752, 8718\n * System x3750 M4, types 8722, 8733\n * System x3850 X6, Type 3837\n * System x3950 X6, Type 3837\n * iDataplex dx360 M4, types 7912, 7913\n * iDataplex dx360 M4 Water Cooled, types 7918, 7919\n * NeXtScale nx360 M4, type 5455\n\nIt is recommended to update the following affected systems to Integrated Management Module 2 v4.90 (1AOO66O) or above:\n\n * Flex System x220 Compute Node, types 7906, 2585\n * Flex System x222 Compute Node, type 7916\n * Flex System x240 Compute Node, types 8737, 8738, 7863, 8956\n * Flex System x440 Compute Node, type 7917\n * Flex System x880 Compute Node, types 4259, 7903\n * Flex System Manager Node, types 8731, 8734, 7955\n\n## Workarounds and Mitigations:\n\nYou can avoid CVE-2015-0204, also referred to as FREAK, on the IMM2 by disabling export-grade ciphers on any server the IMM2 may connect to, such as your LDAP server.\n\nYou should verify applying this configuration change does not cause any compatibility issues.\n\n## References:\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n * [OpenSSL Project vulnerability website](<http://www.openssl.org/news/vulnerabilities.html>)\n * [OpenSSL Advisory on above listed CVEs](<https://www.openssl.org/news/secadv_20150108.txt>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n27 May 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect Integrated Management Module II (IMM2) (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2019-01-31T01:55:01", "id": "FE01AAE21F4E92E4CAAE32BED0583AACA306DB4E76E15F000BBFD18F8EF8B374", "href": "https://www.ibm.com/support/pages/node/866722", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:41:08", "description": "## Summary\n\nMultiple vulnerabilities in OpenSSL disclosed on January 8, 2015 by 
the OpenSSL Project\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2014-3569](<https://vulners.com/cve/CVE-2014-3569>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99706> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [CVE-2014-3571](<https://vulners.com/cve/CVE-2014-3571>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. 
An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. 
\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n \n**CVEID:** [CVE-2015-0206](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99704> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect IBM SDK for Node.js v1.1.0.11 and previous releases.\n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are included in IBM SDK for Node.js v1.1.0.12 and subsequent releases. \n \nIBM SDK for Node.js can be downloaded, subject to the terms of the developerWorks license, from [_here_](<http://www.ibm.com/developerworks/web/nodesdk/>). 
\n \nIBM customers requiring an update for an SDK shipped with an IBM product should contact [_IBM support_](<http://www.ibm.com/support/>), and/or refer to the appropriate product security bulletin.\n\n## ", "cvss3": {}, "published": "2018-08-09T04:20:36", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in Current Release of IBM\u00ae SDK for Node.js\u2122", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2018-08-09T04:20:36", "id": "D8618C22C2CC7086DC30EEEDA381A4508223A7ECA27B540900371500AFAD2814", "href": "https://www.ibm.com/support/pages/node/525201", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-23T21:50:16", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by MegaRAID Storage Manager. MegaRAID Storage Manager has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n
**CVE-ID:** [CVE-2014-3569](<https://vulners.com/cve/CVE-2014-3569>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99706> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>)\n\n**Description:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-3571](<https://vulners.com/cve/CVE-2014-3571>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>)\n\n**Description:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. 
An attacker could exploit this vulnerability to launch further attacks on the system.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>)\n\n**Description:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>)\n\n**Description:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.\n\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0206](<https://vulners.com/cve/CVE-2015-0206>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99704> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>)\n\n**Description:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nProduct | Affected Version \n---|--- \nMegaRAID Storage Manager | 15.05.* \n \n## Remediation/Fixes:\n\nIt is recommended to update to the firmware level listed below, or later version. 
Firmware updates are available through IBM Fix Central: \n<http://www.ibm.com/support/fixcentral/>.\n\nProduct | Fixed Version \n---|--- \nMegaRAID Storage Manager (ibm_utl_msm_15.11.50.00_linux_32-64, ibm_utl_msm_15.11.50.00_windows_32-64) | 15.11.50.00 \n \nYou should verify applying the fix does not cause any compatibility issues.\n\n## Workaround(s) & Mitigation(s):\n\nNone\n\n## References:\n\n * [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide.html>)\n * [On-line Calculator v2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n * [OpenSSL Project vulnerability website](<http://www.openssl.org/news/vulnerabilities.html>)\n * [OpenSSL Advisory on above listed CVEs](<https://www.openssl.org/news/secadv_20150108.txt>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n01 August 2016: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T02:25:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect MegaRAID Storage Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2019-01-31T02:25:02", "id": "2D559605991F1CA79052D638B7A30228E86D07AFDF258611970D276D5AA39F4B", "href": "https://www.ibm.com/support/pages/node/868544", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-05T13:37:44", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by IBM BladeCenter Advanced Management Module (AMM). AMM has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n
**CVE-ID:** [CVE-2014-3569](<https://vulners.com/cve/CVE-2014-3569>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99706> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>)\n\n**Description:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-3571](<https://vulners.com/cve/CVE-2014-3571>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>)\n\n**Description:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. 
An attacker could exploit this vulnerability to launch further attacks on the system.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>)\n\n**Description:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>)\n\n**Description:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>)\n\n**Description:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. 
An attacker could exploit this vulnerability to authenticate without the use of a private key.\n\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0206](<https://vulners.com/cve/CVE-2015-0206>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected products and versions\n\nIBM BladeCenter Advanced Management Module firmware v3.66K (BPET66K, BBET66K, BPEO66K) and previous versions are affected.\n\nThis applies to the following hardware products:\n\n * BladeCenter Advanced Management Module, Option 25R5778\n * BladeCenter T Advanced Management Module, Option 32R0835\n * IBM BladeCenter(TM)-E: Type 1881, 7967, 8677\n * IBM BladeCenter(TM)-H: Types 1886, 7989, 8852\n * IBM BladeCenter(TM)-HT: Types 8740, 8750\n * IBM BladeCenter(TM)-S: Types 1948, 7779, 8886\n * IBM BladeCenter(TM)-T: Types 8720, 8730\n\n## Remediation/Fixes:\n\nYou should verify applying this fix does not cause any compatibility issues.\n\nFix Central: <http://www-933.ibm.com/support/fixcentral/>\n\nProduct | Remediation \n---|--- \nBladeCenter Advanced Management Module \u2014 IBM BladeCenter T Chassis | Update to v3.66N (BBET66N) \nBladeCenter Advanced Management Module \u2014 BladeCenter OEM Chassis | Update to v3.66N (BPEO66N) \nBladeCenter Advanced Management Module \u2014 All other IBM BladeCenter Chassis | Update to v3.66N (BPET66N) \n \n## 
Workaround(s) & Mitigation(s):\n\nNone\n\n## Reference:\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n * [OpenSSL Project vulnerability website](<http://www.openssl.org/news/vulnerabilities.html>)\n * [OpenSSL Advisory on above listed CVEs](<https://www.openssl.org/news/secadv_20150108.txt>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n30 April 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2023-04-14T14:32:25", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM BladeCenter Advanced Management Module (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, and CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2023-04-14T14:32:25", "id": "972ABB22C65A5EE5BE7BF9FDB11795821052D2BA3EF9349B90A2F9B77A8438FA", "href": "https://www.ibm.com/support/pages/node/866454", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-05T13:53:24", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by IBM Security Network Intrusion Prevention System. 
IBM Security Network Intrusion Prevention System has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-3569_](<https://vulners.com/cve/CVE-2014-3569>) \n \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. \n \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99706_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99706>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n \n**CVEID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n \n \n**CVEID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. 
\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n \n**CVEID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n \n \n**CVEID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. \n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n \n \n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. 
An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n \n \n**CVEID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \n \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n\n \n \n**CVEID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. 
\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\n \nProducts: GX3002, GX4002, GX4004, GX4004-v2, GX5008, GX5008-v2, GX5108, GX5108-v2, GX5208, GX5208-v2, GX6116, GX7412, GX7412-10, GX7412-05, GX7800, GV200, GV1000 \n\n\n * Firmware versions 4.6.2 and 4.6.1 are affected by the following CVEs: \nCVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206\n * Firmware versions 4.6, 4.5, 4.4, and 4.3 are affected by the following CVEs: \nCVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204\n\n## Remediation/Fixes\n\n \nYou should verify applying this fix does not cause any compatibility issues. \n\n\n * [_4.6.2.0-ISS-ProvG-AllModels-System-FP0007_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) \nfor all IBM Security Network Intrusion Prevention System products at Firmware version 4.6.2\n * [_4.6.1.0-ISS-ProvG-AllModels-System-FP0011_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) \nfor all IBM Security Network Intrusion Prevention System products at Firmware version 4.6.1\n * [_4.6.0.0-ISS-ProvG-AllModels-System-FP0009_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) \nfor all IBM Security Network Intrusion Prevention System products at Firmware version 4.6\n * 
[_4.5.0.0-ISS-ProvG-AllModels-System-FP0011_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) \nfor all IBM Security Network Intrusion Prevention System products at Firmware version 4.5\n * [_4.4.0.0-ISS-ProvG-AllModels-System-FP0011_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) \nfor all IBM Security Network Intrusion Prevention System products at Firmware version 4.4\n * [_4.3.0.0-ISS-ProvG-AllModels-System-FP0009_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) \nfor all IBM Security Network Intrusion Prevention System products at Firmware version 4.3\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-02-23T19:48:26", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Network Intrusion Prevention System (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], 
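The CVE-2015-0204 (FREAK) entry above states the client-side rule precisely: a ServerKeyExchange carrying a temporary RSA key is only legitimate when an RSA_EXPORT suite was negotiated, and a vulnerable client accepted one in a normal RSA suite, letting a man-in-the-middle substitute a factorable 512-bit key. The Python below is an added example, not code from OpenSSL or from the IBM bulletin: it encodes and parses the ServerRSAParams structure of RFC 2246 and applies that rule, with `patched=False` reproducing the vulnerable acceptance so the two behaviours can be compared side by side. The 512-bit sample modulus is constructed for the example; the cipher-suite code points are the IANA assignments.

```python
"""Client-side check for the FREAK condition (CVE-2015-0204).

Added example; not OpenSSL or IBM code. Works on a constructed
ServerKeyExchange body and never touches the network.
"""
import struct

# RFC 2246 / IANA cipher-suite code points. RSA_EXPORT suites legitimately carry a
# temporary RSA key in ServerKeyExchange; the non-export RSA suites must not.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
RSA_NON_EXPORT_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
}

# Constructed sample: a 512-bit modulus (top bit set) and the usual exponent 65537.
SAMPLE_512_BIT_MODULUS = b"\xc3" + b"\x5a" * 63
SAMPLE_EXPONENT = b"\x01\x00\x01"


class FreakRejected(Exception):
    """The client must abort the handshake."""


def build_rsa_server_key_exchange(modulus: bytes, exponent: bytes) -> bytes:
    """Encode ServerRSAParams: opaque rsa_modulus<1..2^16-1>, opaque rsa_exponent<1..2^16-1>.
    The signature that normally follows is omitted; the FREAK check concerns the params."""
    return (struct.pack("!H", len(modulus)) + modulus
            + struct.pack("!H", len(exponent)) + exponent)


def parse_rsa_server_key_exchange(body: bytes):
    """Decode ServerRSAParams into (modulus, exponent); reject empty or truncated vectors."""
    def take(offset: int):
        if offset + 2 > len(body):
            raise ValueError("truncated length field")
        length = struct.unpack_from("!H", body, offset)[0]
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError("empty or truncated vector")
        return body[offset:offset + length], offset + length

    modulus, offset = take(0)
    exponent, _ = take(offset)
    return modulus, exponent


def check_server_key_exchange(cipher_suite: int, body: bytes, *,
                              patched: bool = True,
                              allow_export_suites: bool = False) -> int:
    """Return the temporary key's modulus size in bits if the handshake may continue,
    otherwise raise FreakRejected.

    patched=False reproduces CVE-2015-0204: the temporary RSA key is accepted whatever
    RSA suite was negotiated. patched=True applies the fix: a temporary RSA key is only
    legal in an RSA_EXPORT suite. allow_export_suites=False additionally refuses export
    suites outright, which is how a client should be configured regardless of the fix.
    """
    if cipher_suite in RSA_EXPORT_SUITES:
        if not allow_export_suites:
            raise FreakRejected(f"export suite {RSA_EXPORT_SUITES[cipher_suite]} negotiated")
        export_suite = True
    elif cipher_suite in RSA_NON_EXPORT_SUITES:
        export_suite = False
    else:
        raise FreakRejected(f"suite 0x{cipher_suite:04x} does not use RSA key exchange; "
                            "an RSA ServerKeyExchange is unexpected")

    modulus, _exponent = parse_rsa_server_key_exchange(body)
    bits = int.from_bytes(modulus, "big").bit_length()

    if patched and not export_suite:
        raise FreakRejected(f"{bits}-bit temporary RSA key offered in non-export suite "
                            f"{RSA_NON_EXPORT_SUITES[cipher_suite]}")
    return bits


def is_rejected(cipher_suite: int, body: bytes, **kwargs) -> bool:
    """True when check_server_key_exchange would abort the handshake."""
    try:
        check_server_key_exchange(cipher_suite, body, **kwargs)
    except FreakRejected:
        return True
    return False


if __name__ == "__main__":
    ske = build_rsa_server_key_exchange(SAMPLE_512_BIT_MODULUS, SAMPLE_EXPONENT)
    for label, kwargs in (("vulnerable client", {"patched": False}),
                          ("patched client", {"patched": True})):
        try:
            bits = check_server_key_exchange(0x002F, ske, **kwargs)
            print(f"{label}: accepted a {bits}-bit temporary RSA key in TLS_RSA_WITH_AES_128_CBC_SHA")
        except FreakRejected as exc:
            print(f"{label}: rejected ({exc})")
```

The fixed rule is the one the later OpenSSL releases enforce; the `allow_export_suites` switch is the configuration half of the mitigation, since a client that never offers RSA_EXPORT suites cannot be steered into one even by a server that plays along with the attacker.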
"modified": "2022-02-23T19:48:26", "id": "370720DD138E7F0A22E9D2EC7B9B753467F08D4E08DA37215653D937EDB0E545", "href": "https://www.ibm.com/support/pages/node/257397", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-05T14:00:03", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. These include the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\u201d TLS/SSL client and server vulnerability. OpenSSL is used by GPFS V3.5 for Windows. GPFS V3.5 for Windows has addressed the applicable CVEs. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-3569_](<https://vulners.com/cve/CVE-2014-3569>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/99706_](<http://xforce.iss.net/xforce/xfdb/99706>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. 
By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. 
An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nOpenSSH for GPFS V3.5 for Windows\n\n## Remediation/Fixes\n\nIn GPFS V3.5.0.24 dated March 18, 2015, IBM upgraded OpenSSH for GPFS on Windows to use OpenSSL 1.0.1l to address these vulnerabilities. System administrators should update their systems to GPFS V3.5.0.24 by following the steps below. \n \n1\\. Download the GPFS 3.5.0.24 update package dated March 18, 2015 into any directory on your system from [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%2Bsoftware&product=ibm/power/IBM+General+Parallel+File+System&release=3.5.0&platform=Windows&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%2Bsoftware&product=ibm/power/IBM+General+Parallel+File+System&release=3.5.0&platform=Windows&function=all>) \n \n2\\. Extract the contents of the ZIP archive so that the .msi file it includes is directly accessible to your system. \n \n3\\. Follow the instructions in the README included in the update package in order to install the OpenSSH msi package. This updated OpenSSH msi package is built using OpenSSL 1.0.1l. \n \nIf GPFS multiclustering is configured on Windows nodes, upgrade all OpenSSL packages that may have been installed. The following can be done on a small group of nodes at a time (ensuring that quorum is maintained) to preserve file system availability: \n \na. Stop GPFS on the node \nb. Install the updated version of OpenSSL \nc. 
Restart GPFS on the node\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2021-06-25T16:46:35", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect GPFS V3.5 for Windows (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2021-06-25T16:46:35", "id": "2F9EB7050356C406E631B5274AEC53CACCB554C8B5CBCF823A2680028726AAAC", "href": "https://www.ibm.com/support/pages/node/680515", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-04T03:12:18", "description": "## Summary\n\nThe Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM). 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>) \n**DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade Diffie-Hellman. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 3.0.1 - 6.0 \n \nRational Quality Manager 2.0 - 2.0.1 \nRational Quality Manager 3.0 - 3.0.1.6 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 \n \nRational Team Concert 2.0 - 2.0.0.2 \nRational Team Concert 3.0 - 3.0.6 \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 \n \nRational Requirements Composer 2.0 - 2.0.0.4 \nRational Requirements Composer 3.0 - 3.0.1.6 \nRational Requirements Composer 4.0 - 4.0.7 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 \n \nRational Engineering Lifecycle Manager 1.0 - 1.0.0.1 \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 \n \nRational Rhapsody Design Manager 3.0 - 3.0.1 \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 
6.0 \n \nRational Software Architect Design Manager 3.0 - 3.0.1 \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0\n\n## Remediation/Fixes\n\nIf your product is deployed on IBM WebSphere\u00ae Application Server (WAS), you should apply the WAS remediation/mitigation according to the bulletin published by WAS: \n\n[Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM WebSphere Application Server (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21957980>)\n\nIf your product is deployed on Apache Tomcat, apply the workarounds listed in the Workarounds and Mitigations section.\n\nUpdate your supplied IBM\u00ae Java SDK according to\n\n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, CVE-2015-2613, CVE-2015-2601, etc.)](<http://www.ibm.com/support/docview.wss?uid=swg21964625>)\n\n## Workarounds and Mitigations\n\nIf your product is deployed on IBM WebSphere\u00ae Application Server (WAS), you should apply the WAS remediation/mitigation according to the bulletin published by WAS: \n\n[Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM WebSphere Application Server (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21957980>)\n\n**To disable vulnerable ciphers on Tomcat:**\n\n \n \n1) Open the file <JTS Install>/server/tomcat/conf/server.xml \n \n2) Modify the <Connector> element's **ciphers** property to use this list: \n`ciphers = 
\"SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_DSS_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\" ` \n \n**Note**: To be able to use the 256 bit AES Ciphers, it may be necessary to install the JCE Unlimited Strength Jurisdiction Policy Files, which can be found [_here._](<https://www.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=jcesdk&lang=en_US>) Your IBM JRE may already have these policy files depending on version. \n\n**To disable vulnerable ciphers in the RTC Client, either:**\n\n * Disabling DH and DHE cipher suites. 
This can be achieved by adding the DH and DHE cipher suites to the list of disabled algorithms defined by the **jdk.tls.disabledAlgorithms** security property in <RTC Client>/client/eclipse/jdk/jre/lib/security/java.security \n \n**Or**\n * Configure SP800-131a strict compliance or any Suite B configuration\n\n**To disable vulnerable ciphers on Liberty:** \n \n1) Open the file <JTS Install>/server/liberty/clmServerTemplate/server.xml \n \n2) Add the following line depending on the scenario used: \n \nCase 1: Configuration when not integrating with DOORS v9.x \n`<ssl id=\"defaultSSLConfig\" sslProtocol=\"TLS\" enabledCiphers= \"SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\"/>` \n \nCase 2: Configuration when integrating with DOORS v9.x (Note: DOORS 9 requires use of some ciphers not listed in Case 1. The ciphers DOORS 9 product supports may change over time. Consult your documentation for DOORS 9 releases to monitor any changes.) \n`<ssl id=\"defaultSSLConfig\" sslProtocol=\"TLS\" enabledCiphers= \"SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA 
SSL_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA\"/>` \n \n3) Repeat steps 1 and 2 for <JTS Install>/server/liberty/servers/clm/server.xml (if it exists) \n \nNote: It will be required to install the JCE Unlimited Strength Jurisdiction Policy Files, which can be found [_here._](<https://www.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=jcesdk&lang=en_US>) Your IBM JRE may already have these policy files depending on version.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-4000)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2808", "CVE-2015-4000"], "modified": "2021-04-28T18:35:50", "id": "6652670EF6E6EDBDD8B1BC971B1388AE4EAD3072A0556537B0DC7258BBDD9001", "href": "https://www.ibm.com/support/pages/node/714399", "cvss": {"score": 5.0, "vector": 
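The Logjam workaround above hands the administrator three long cipher lists in two syntaxes (comma-separated for the Tomcat `ciphers` attribute, space-separated for the Liberty `enabledCiphers` attribute) plus a `jdk.tls.disabledAlgorithms` edit for the RTC client, and a stray EXPORT or anonymous suite in any of them reopens the downgrade. The Python below is an added example, not code from the IBM bulletin: it parses either attribute form, drops the downgrade targets (EXPORT, anonymous DH, RC4, single DES, NULL, MD5), keeps the ephemeral DHE/ECDHE suites the bulletin retains, optionally keeps the static-RSA suites that Case 2 adds for DOORS 9, re-emits the list in either syntax, and appends entries to `jdk.tls.disabledAlgorithms` while honouring the backslash continuation lines java.security uses. The sample attribute and java.security excerpt are constructed; the `DH keySize < 2048` token is the constraint syntax of OpenJDK/Oracle Java 8 and is an assumption for the IBM JRE shipped with the RTC client.

```python
"""Audit and re-emit Logjam-hardened cipher lists; append to jdk.tls.disabledAlgorithms.
Added example, not code from the IBM bulletin; all inputs below are constructed."""
import re

# First matching marker wins, so EXPORT is checked before the cipher it wraps.
WEAK_MARKERS = [
    ("EXPORT", "export-grade key exchange (Logjam/FREAK downgrade target)"),
    ("_anon_", "anonymous key exchange: no server authentication"),
    ("NULL", "no encryption or no MAC"),
    ("RC4", "RC4 stream cipher (CVE-2015-2808)"),
    ("DES40", "40-bit DES"),
    ("_DES_", "single DES"),
    ("MD5", "MD5-based MAC"),
]
_ATTR_RE = re.compile(r'(?:enabledCiphers|ciphers)\s*=\s*"([^"]*)"')

# Constructed inputs: a Tomcat attribute mixing good and bad suites, and a
# java.security excerpt with a continuation line.
SAMPLE_TOMCAT_CIPHERS = (
    'ciphers="SSL_RSA_EXPORT_WITH_RC4_40_MD5,TLS_DH_anon_WITH_AES_128_CBC_SHA,'
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,'
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"'
)
SAMPLE_JAVA_SECURITY = (
    "# constructed java.security excerpt\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, \\\n"
    "    MD5withRSA\n"
    "jdk.certpath.disabledAlgorithms=MD2, MD5\n"
)


def split_cipher_list(text: str) -> list:
    """Accept a bare list, a Tomcat ciphers="a,b" attribute or a Liberty
    enabledCiphers="a b" attribute; return the suite names in their original order."""
    match = _ATTR_RE.search(text)
    if match:
        text = match.group(1)
    return [s for s in re.split(r"[\s,]+", text.strip()) if s]


def weakness(suite: str):
    """Reason the suite is a downgrade target, or None."""
    for marker, reason in WEAK_MARKERS:
        if marker in suite:
            return reason
    return None


def key_exchange(suite: str) -> str:
    """'ephemeral' (DHE/ECDHE), 'static-rsa', 'anon' or 'other' (static DH, PSK, ...)."""
    kx = re.sub(r"^(TLS|SSL)_", "", suite).split("_WITH_", 1)[0]
    if "anon" in kx:
        return "anon"
    if kx.startswith(("DHE_", "ECDHE_")):
        return "ephemeral"
    return "static-rsa" if kx == "RSA" else "other"


def audit(text: str, allow_static_rsa: bool = False):
    """Return (kept, dropped); dropped maps suite -> reason. allow_static_rsa=True is
    the DOORS 9 (Case 2) situation where TLS_RSA_* suites must stay enabled."""
    kept, dropped = [], {}
    for suite in split_cipher_list(text):
        reason = weakness(suite)
        if reason is None:
            kx = key_exchange(suite)
            if kx == "static-rsa" and not allow_static_rsa:
                reason = "static RSA key exchange: no forward secrecy"
            elif kx == "other":
                reason = "non-ephemeral or unrecognised key exchange"
        if reason:
            dropped[suite] = reason
        else:
            kept.append(suite)
    return kept, dropped


def render(suites: list, target: str) -> str:
    """Emit the list in the syntax the bulletin uses for each server."""
    if target == "tomcat":
        return 'ciphers="' + ",".join(suites) + '"'
    if target == "liberty":
        return ('<ssl id="defaultSSLConfig" sslProtocol="TLS" enabledCiphers="'
                + " ".join(suites) + '"/>')
    raise ValueError(f"unknown target {target!r}")


def _find_property(lines: list, key: str):
    """First uncommented `key=` line, joined with its trailing-backslash continuation
    lines as java.security writes them. Returns (start, end, value) or None."""
    pattern = re.compile(r"\s*" + re.escape(key) + r"\s*=")
    for i, line in enumerate(lines):
        if pattern.match(line):
            j = i
            while lines[j].rstrip().endswith("\\") and j + 1 < len(lines):
                j += 1
            joined = "".join(l.rstrip().rstrip("\\") for l in lines[i:j + 1])
            return i, j + 1, joined.partition("=")[2]
    return None


def disabled_algorithms(java_security: str) -> list:
    """Current jdk.tls.disabledAlgorithms entries, or [] if the property is absent."""
    found = _find_property(java_security.splitlines(), "jdk.tls.disabledAlgorithms")
    return [] if found is None else [v.strip() for v in found[2].split(",") if v.strip()]


def add_disabled_algorithms(java_security: str, extra: list) -> str:
    """Append `extra` to jdk.tls.disabledAlgorithms (creating it if absent) without
    duplicating entries; the edit is idempotent and collapses continuation lines."""
    lines = java_security.splitlines()
    current = disabled_algorithms(java_security)
    merged = current + [e for e in extra if e not in current]
    new_line = "jdk.tls.disabledAlgorithms=" + ", ".join(merged)
    found = _find_property(lines, "jdk.tls.disabledAlgorithms")
    if found is None:
        lines.append(new_line)
    else:
        lines[found[0]:found[1]] = [new_line]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    kept, dropped = audit(SAMPLE_TOMCAT_CIPHERS)
    for suite, reason in dropped.items():
        print(f"drop {suite}: {reason}")
    print(render(kept, "tomcat"))
    print(render(kept, "liberty"))
    print(add_disabled_algorithms(SAMPLE_JAVA_SECURITY, ["DH keySize < 2048"]))
```

The suite list cannot say how large the server's DHE group is, which is what Logjam actually exploits; keeping DHE suites, as the bulletin does, is only safe when the JRE and server generate 2048-bit or larger parameters, so check that separately rather than trusting the list alone.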
"AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:44:40", "description": "## Summary\n\nIBM Tivoli System Automation for Multiplatforms is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise. Information about security vulnerabilities affecting IBM Tivoli System Automation for Multiplatforms has been published in security bulletins.\n\n## Vulnerability Details\n\nConsult the security bulletins for IBM Tivoli System Automation for Multiplatforms for vulnerability details and information about fixes. \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2016-0466, CVE-2015-7575)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977127>)\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803, CVE-2015-4734, CVE-2015-5006)](<http://www.ibm.com/support/docview.wss?uid=swg21971479&myns=swgtiv&mynp=OCSSRM2X&mync=E&cm_sp=swgtiv-_-OCSSRM2X-_-E>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation for Multiplatforms (CVE-2015-2017)](<http://www.ibm.com/support/docview.wss?uid=swg21970548>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation for Multiplatforms (CVE-2015-1283)](<http://www-01.ibm.com/support/docview.wss?uid=swg21967199>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation for Multiplatforms (CVE-2015-3183)](<http://www-01.ibm.com/support/docview.wss?uid=swg21967197>)\n * [Security Bulletin: 
Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4749)](<http://www.ibm.com/support/docview.wss?uid=swg21963330>)\n * [Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Tivoli System Automation for Multiplatforms (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21960862>)\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-1914, CVE-2015-0204)](<http://www.ibm.com/support/docview.wss?uid=swg21957951>)\n * [Security Bulletin: Vulnerability in WebSphere Application Server affects IBM Tivoli System Automation for Multiplatforms (CVE-2015-1920)](<http://www.ibm.com/support/docview.wss?uid=swg21957952>)\n * [Security Bulletin: Vulnerability in IBM Tivoli System Automation for Multiplatforms (CVE-2014-0453)](<http://www-01.ibm.com/support/docview.wss?uid=swg21680562>)\n * [Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli System Automation for Multiplatforms (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21882749>)
\n * Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2014-3566, CVE-2014-6468, CVE-2014-6457)\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2014-6593, CVE-2015-0410, CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698239>)\n\n## Affected Products and Versions\n\n**Principal Product and Version** | **Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator 2.5, 2.5.0.1, 2.5.0.1 Interim Fix1, 2.4, 2.4.0.1, 2.4.0.2 and 2.4.0.3; IBM Cloud Orchestrator Enterprise 2.5.0.1, 2.5.0.1 Interim Fix1, 2.4, 2.4.0.1, 2.4.0.2 and 2.4.0.3 | IBM Tivoli System Automation for Multiplatforms 4.1 \nIBM SmartCloud Orchestrator 2.3, 2.3.0.1; IBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1 | IBM Tivoli System Automation for Multiplatforms 3.2.2 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction":  "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:33:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation for Multiplatforms shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0453", "CVE-2014-3566", "CVE-2014-6457", "CVE-2014-6468", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0410", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1283", "CVE-2015-1914", "CVE-2015-1916", "CVE-2015-1920", "CVE-2015-1931", "CVE-2015-2017", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-3183", "CVE-2015-4000", "CVE-2015-4734", "CVE-2015-4749", "CVE-2015-4803", "CVE-2015-4872", "CVE-2015-4893", "CVE-2015-4911", "CVE-2015-5006", "CVE-2015-7575", "CVE-2016-0466"], "modified": "2018-06-17T22:33:02", "id": "5D0CC6456D2278646647F1A4FEFECEB673F2B5D1F99FBBC5755735CEF5AA6268", "href": "https://www.ibm.com/support/pages/node/261391", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:44:49", "description": "## Summary\n\nIBM Tivoli System Automation Application Manager is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise. 
Information about security vulnerabilities affecting IBM Tivoli System Automation Application Manager has been published in security bulletins.\n\n## Vulnerability Details\n\nConsult the following security bulletins for IBM Tivoli System Automation Application Manager for vulnerability details and information about fixes: \n\n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-0359)](<http://www-01.ibm.com/support/docview.wss?uid=swg21986467>)\n * [Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3426, CVE-2016-3427)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982644>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-0306)](<http://www-01.ibm.com/support/docview.wss?uid=swg21981988>)\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-0466, CVE-2015-7575, CVE-2016-0448)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977129>)\n * [Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Tivoli System Automation Application Manager (CVE-2015-5254)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977546>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-2017)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970551>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager 
(CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21971113>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-3183)](<http://www.ibm.com/support/docview.wss?uid=swg21967198>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-1283)](<http://www.ibm.com/support/docview.wss?uid=swg21967200>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation Application Manager (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4749)](<http://www.ibm.com/support/docview.wss?uid=swg21963331>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application Manager 4.1 (CVE-2015-1946)](<http://www.ibm.com/support/docview.wss?uid=swg21963233>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application Manager 4.1 (CVE-2015-1927)](<http://www.ibm.com/support/docview.wss?uid=swg21963673>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application Manager 4.1 (CVE-2015-1885)](<http://www.ibm.com/support/docview.wss?uid=swg21963672>) \n \n\n * [Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Tivoli System Automation Application Manager (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21960859>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application Manager 4.1 
(CVE-2015-1920)](<http://www.ibm.com/support/docview.wss?uid=swg21957955>) \n \n\n * Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2014-3566, CVE-2014-6457) \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2014-6593, CVE-2015-0410, CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698238>) \n \n\n * [Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli System Automation Application Manager (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21882751>)\n\n## Affected Products and Versions\n\n| Principal Product and Version | Affected Supporting Product and Version |\n|---|---|\n| IBM Cloud Orchestrator 2.5, 2.4, 2.4.0.3, 2.4.0.2, and 2.4.0.1; IBM Cloud Orchestrator Enterprise 2.5.0.2, 2.5.0.1, 2.4, 2.4.0.3, 2.4.0.2 and 2.4.0.1 | IBM Tivoli System Automation Application Manager 4.1 |\n| IBM SmartCloud Orchestrator 2.3 and 2.3.0.1; IBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1 | IBM Tivoli System Automation Application Manager 3.2.2 |\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:30:51", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation Application Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator", "bulletinFamily": "software", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410", "CVE-2015-1283", "CVE-2015-1885", "CVE-2015-1920", "CVE-2015-1927", "CVE-2015-1931", "CVE-2015-1946", "CVE-2015-2017", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-3183", "CVE-2015-4000", "CVE-2015-4749", "CVE-2015-5254", "CVE-2015-7450", "CVE-2015-7575", "CVE-2016-0306", "CVE-2016-0359", "CVE-2016-0448", "CVE-2016-0466", "CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T22:30:51", "id": "B9410A108CEB6D3C9DFE0C1617FB34D181E021D243C3FB7F5DB35969D7C4CE52", "href": "https://www.ibm.com/support/pages/node/261351", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:49:02", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. OpenSSL is used by Rational Insight. Rational Insight has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n \n**CVE-ID**: [_CVE-2014-3569_](<https://vulners.com/cve/CVE-2014-3569>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. 
A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99706> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVE-ID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n\n**CVE-ID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVE-ID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. 
An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n\n**CVE-ID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n\n**CVE-ID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n\n**CVE-ID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99704> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\nRational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5 and 1.1.1.6\n\n## Remediation/Fixes\n\nApply the recommended fixes to all affected versions of Rational Insight. \n\n**Rational Insight 1.1** \n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 10](<http://www-01.ibm.com/support/docview.wss?uid=swg24039564>). \nReview technote [1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg21679272>) for detailed instructions.\n\n**Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2** \n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 10](<http://www-01.ibm.com/support/docview.wss?uid=swg24039564>). \nReview technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for detailed instructions on applying the patch.\n\n**Rational Insight 1.1.1.3** \n\n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 9](<http://www-01.ibm.com/support/docview.wss?uid=swg24039563>). 
\nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for detailed instructions on applying the patch.\n\n**Rational Insight 1.1.1.4, 1.1.1.5 and 1.1.1.6** \n\n * Download the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 8](<http://www-01.ibm.com/support/docview.wss?uid=swg24039563>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for detailed instructions on applying the patch.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:00:33", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect Rational Insight (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2018-06-17T05:00:33", "id": "082DD4D3D5A2230E0A249956C9D5318C077607F91E27D9FBA96469263417C232", "href": "https://www.ibm.com/support/pages/node/256867", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:47:11", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. OpenSSL is used by IBM Tivoli Netcool/Reporter. Netcool/Reporter has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-3569_](<https://vulners.com/cve/CVE-2014-3569>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99706_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99706>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate bypass security restrictions and perform unauthorized actions. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. 
\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nIBM Tivoli Netcool/Reporter 2.2\n\n## Remediation/Fixes\n\nYou must upgrade your current version of the Netcool/Reporter provided Apache 2.2.22 to include the updated OpenSSL (1.0.1m) which is available from Fix Central via Tivoli Netcool Reporter 2.2.0.9 IF0005, 2.2.0.9-TIV-NCReporter-IF0005. 
\n\nYou should verify applying this fix does not cause any compatibility issues.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:02:34", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Netcool/Reporter (CVE\u2019s: 2014-3569, 2014-3570, 2014-3571, 2014-3572, 2014-8275, 2015-0205, 2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2018-06-17T15:02:34", "id": "80D6B1E89C59275C4183B6851642940B058D26DFCF91E2AA2372277A15E831D7", "href": "https://www.ibm.com/support/pages/node/265295", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-08T02:04:42", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM).\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. 
An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 3.0.1 - 6.0 \n \nRational Quality Manager 2.0 - 2.0.1 \nRational Quality Manager 3.0 - 3.0.1.6 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 \n \nRational Team Concert 2.0 - 2.0.0.2 \nRational Team Concert 3.0 - 3.0.6 \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 \n \nRational Requirements Composer 2.0 - 2.0.0.4 \nRational Requirements Composer 3.0 - 3.0.1.6 \nRational Requirements Composer 4.0 - 4.0.7 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 \n \nRational Engineering Lifecycle Manager 1.0- 1.0.0.1 \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 \n \nRational Rhapsody Design Manager 3.0 - 3.0.1 \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 \n \nRational Software Architect Design Manager 3.0 - 3.0.1 \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0\n\n## Remediation/Fixes\n\nIf your product is 
deployed on IBM WebSphere\u00ae Application Server (WAS), you should apply the WAS remediation/mitigation according to the bulletin published by WAS: \n\n[Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21701503>)\n\nIf your product is deployed on Apache Tomcat, apply the workarounds listed in the Workarounds and Mitigations section. \n\nUpdate your supplied IBM\u00ae Java SDK according to:\n\n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, CVE-2015-2613, CVE-2015-2601, etc.)](<http://www.ibm.com/support/docview.wss?uid=swg21964625>)\n\n## Workarounds and Mitigations\n\nIf your product is deployed on IBM WebSphere\u00ae Application Server (WAS), you should apply the WAS remediation/mitigation according to the bulletin published by WAS. \n\n * [Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21701503>)\n\nIf your product is deployed on Apache Tomcat, apply the following mitigation:\n\n 1. Open the `<Jazz Install>\\server\\tomcat\\conf\\server.xml` file, search for `SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,` in the HTTPS connector's `ciphers` attribute, and delete that text. If your version of server.xml lists any other cipher suite whose name contains \"RC4\", delete that suite as well. \n\n 2. Stop and restart the Apache Tomcat server.\n\nYou should verify that applying this configuration change does not cause any compatibility issues. Leaving the RC4 stream cipher enabled leaves you exposed to the attack described above. 
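The following is an added example for the Tomcat mitigation above; it is not code from the bulletin, from IBM or from the Jazz products. It parses a `server.xml`, reports every SSL-enabled `<Connector>` whose `ciphers` attribute still names an RC4 suite (step 1 of the mitigation), and emits the same file with those suites removed. The embedded `server.xml` fragment, its ports and the non-RC4 suites in it are constructed for the example; only the two `SSL_RSA_WITH_RC4_*` names come from the bulletin.

```python
"""Audit a Tomcat server.xml for RC4 cipher suites and emit the corrected connector configuration.

Added example for the RC4 mitigation in the bulletin; not IBM's or the Jazz project's code.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <Connector> section a Jazz-on-Tomcat server.xml might contain.
# The two SSL_RSA_WITH_RC4_* names are the ones the bulletin tells you to search for; the
# remaining suites, the ports and the other attribute values are assumptions for this example.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="9080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# The bulletin's rule: any suite whose name contains "RC4" goes, whatever the rest of the name is.
RC4_NAME = re.compile(r"RC4", re.IGNORECASE)


def split_ciphers(value):
    """Split a Tomcat 'ciphers' attribute (comma separated, optional spaces) into suite names."""
    return [c.strip() for c in value.split(",") if c.strip()]


def find_rc4_connectors(server_xml):
    """Return (port, rc4_suites) for each SSL-enabled connector that still lists an RC4 suite.

    rc4_suites is None when the connector has no 'ciphers' attribute at all: then the JVM's
    default list applies and editing server.xml alone does not remove RC4, so the Java SDK
    update the bulletin points to is what fixes that connector.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: no TLS cipher list to audit
        ciphers = conn.get("ciphers")
        if ciphers is None:
            findings.append((conn.get("port"), None))
            continue
        rc4 = [c for c in split_ciphers(ciphers) if RC4_NAME.search(c)]
        if rc4:
            findings.append((conn.get("port"), rc4))
    return findings


def strip_rc4(server_xml):
    """Return server.xml text with every RC4 suite removed from each connector's 'ciphers'.

    ElementTree drops XML comments and the XML declaration, so in production diff the result
    against the original and apply the attribute change by hand rather than overwriting the file.
    """
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        ciphers = conn.get("ciphers")
        if ciphers is None:
            continue
        kept = [c for c in split_ciphers(ciphers) if not RC4_NAME.search(c)]
        if not kept:
            # Refuse to write an empty list rather than guess what Tomcat would do with it.
            raise ValueError("connector %s would be left with no cipher suites" % conn.get("port"))
        conn.set("ciphers", ", ".join(kept))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, suites in find_rc4_connectors(SAMPLE_SERVER_XML):
        detail = "no explicit cipher list (JVM default applies)" if suites is None else ", ".join(suites)
        print("connector %s: %s" % (port, detail))
    print(strip_rc4(SAMPLE_SERVER_XML))
```

Run it against the real `<Jazz Install>\server\tomcat\conf\server.xml` by loading the file into `find_rc4_connectors`; a connector reported with `None` has no pinned list and is governed by the JVM defaults, which is where the linked IBM Java SDK bulletin applies. After copying the corrected `ciphers` value into the file, restart Tomcat as in step 2.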
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2808"], "modified": "2021-04-28T18:35:50", "id": "3E8CBD7664E23468E3388AAA8D38722322E48FB06767224AD7578A77FEF26330", "href": "https://www.ibm.com/support/pages/node/261183", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-23T21:52:26", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware. IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware have addressed the applicable CVEs.\n\n## Vulnerability Details\n\n
**CVE-ID:** [CVE-2014-3569](<https://vulners.com/cve/CVE-2014-3569>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99706> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>)\n\n**Description:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99710> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-3571](<https://vulners.com/cve/CVE-2014-3571>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99703> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>)\n\n**Description:** OpenSSL could provide weaker than expected security. 
The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99705> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>)\n\n**Description:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate bypass security restrictions and perform unauthorized actions.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99709> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>)\n\n**Description:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.\n\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99708> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>)\n\n**Description:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99707> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected products and versions\n\n * IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware versions 9.1.0.xx, 9.1.1.xx, 9.1.2.xx, and 9.1.3.xx.\n\n## Remediation/Fixes:\n\nFirmware updates are available at IBM Fix Central - <http://www.ibm.com/support/fixcentral/> .\n\nIt is recommended to apply the following fix for IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware: \nqlgc_fw_flex_9.1.5.02.00_anyos_noarch version 9.1.5.02.00 (or a later version).\n\n## Workarounds and Mitigations:\n\nNone\n\n## References:\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n[Subscribe to Security Bulletins](<http://www.ibm.com/support/mynotifications/>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n5 May 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2019-01-31T01:55:01", "id": "D769A719969444D9AD76545DE357F1D2E512B3988DB6009C87813FBB572EA7C4", "href": "https://www.ibm.com/support/pages/node/867380", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:40:56", "description": "## Summary\n\nPortions of IBM Rational Application Developer for WebSphere Software are 
shipped as a component of Rational Developer for i (RPG and COBOL + Modernization Tools, Java and EGL editions), and Rational Developer for AIX and Linux. \nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes the \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by the Cordova platform packaged with Rational Application Developer for WebSphere Software, which has addressed the applicable CVEs (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206). \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. 
The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**| **Product and Version shipped as a component** \n---|--- \nIBM Rational Developer for i v9.1, v9.1.1 and v9.1.1.1 RPG and COBOL + Modernization Tools, Java Edition| Rational Application Developer 9.1, 9.1.1 \nIBM Rational Developer for i v9.1, v9.1.1 and v9.1.1.1, RPG and COBOL + Modernization Tools, EGL Edition| Rational Application Developer 9.1, 9.1.1 \nIBM Rational Developer for AIX and Linux v9.1 and v9.1.1, AIX COBOL Edition| Rational Application Developer 9.1, 9.1.1 \nIBM Rational Developer for AIX and Linux v9.1 and v9.1.1, C/C++ Edition| Rational Application Developer 9.1, 9.1.1 \n \n## Remediation/Fixes\n\nReview the Remediation/Fixes section of [Security Bulletin: Vulnerabilities in OpenSSL affects Rational Application Developer for WebSphere Software (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)](<http://www.ibm.com/support/docview.wss?uid=swg21697140>) for instructions on obtaining the fix for this issue.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect the Cordova platform packaged with Rational Application Developer affecting Rational Developer for i and Rational Developer for AIX and Linux", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2018-08-03T04:23:43", "id": "B109CC9FDED0C49D3D95375D16D391EDC04BBA2A574F1B4F6C062A55D8FDB73F", "href": "https://www.ibm.com/support/pages/node/257487", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T09:36:52", "description": "## Summary\n\nA fix is available for IBM SONAS, for the OpenSSL security vulnerabilities found in January 2015.\n\n## Vulnerability Details\n\n \nOpenSSL is used in IBM SONAS for providing communication security by encrypting data being transmitted. \n** ** \n \n**CVEID:** [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION: **OpenSSL could provide weaker than expected security. An attacker could exploit this vulnerability to launch further attacks on the system. \n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n \n**CVEID: **[CVE-2014-3571](<https://vulners.com/cve/CVE-2014-3571>) \n**DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a flaw when handling malicious messages. A remote attacker could exploit this vulnerability to cause a denial of service. 
\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n**CVEID:** [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION: **OpenSSL could provide weaker than expected security. An attacker could exploit this vulnerability to launch further attacks on the system. \n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n \n**CVEID: **[CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION: **OpenSSL could allow a local attacker to bypass security restrictions. An attacker could exploit this vulnerability and perform unauthorized actions. \n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n \n**CVEID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION: **OpenSSL could provide weaker than expected security when using RSA. RSA is one of the algorithms used for secure data transmission. An attacker could exploit this vulnerability to launch further attacks on the system. \n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n \n**CVEID: **[CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION: **OpenSSL could allow a remote authenticated attacker to bypass security restrictions. An attacker could exploit this vulnerability to authenticate without the use of a private key. 
\n \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n \n \n**CVEID: **[CVE-2015-0206](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a memory leak in one of its functions. A remote attacker could exploit this vulnerability to exhaust all available memory resources, resulting in a denial of service. \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\n \nIBM SONAS \n \nAll products are affected when running code releases 1.3, 1.4 and 1.5 except for version 1.5.2.0 and above.\n\n## Remediation/Fixes\n\n \nA fix for these issues is in version 1.5.2.0 of IBM SONAS. Customers running an affected version of SONAS should upgrade to 1.5.2.0 or a later version, so that the fix gets applied. 
\n \nPlease contact IBM support for assistance in upgrading your system.\n\n## Workarounds and Mitigations\n\nWorkaround(s): None \n \nMitigation(s): Ensure that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:22", "type": "ibm", "title": "Security Bulletin: OpenSSL security vulnerabilities in IBM SONAS (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2018-06-18T00:09:22", "id": "2FE668D42E62E785093F7A1383964B8536CAA9C60BA914F71D88C743276D15F7", "href": "https://www.ibm.com/support/pages/node/690347", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:46:29", "description": "## Summary\n\nThere are multiple vulnerabilities in OpenSSL that is used by IBM Tivoli Composite Application Manager for Transactions. These issues were disclosed on January 8, 2015 by the OpenSSL Project.\n\n## Vulnerability Details\n\n**CVE-ID: **[_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. 
\n \nCVSS Base Score: 2.600 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID: **[_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \n \nCVSS Base Score: 5.000 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVE-ID: **[_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \n \nCVSS Base Score: 1.200 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99705>_ for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID: **[_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. 
\n \nCVSS Base Score: 1.200 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID: **[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system. \n \nCVSS Base Score: 4.300 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>_ for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVE-ID: **[_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \n \nCVSS Base Score: 2.100 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n \n**CVE-ID: **[_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. 
\n \nCVSS Base Score: 5.000 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99704>_ for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nIBM Tivoli Composite Application Manager (ITCAM) for Transactions is affected. ITCAM for Transactions contains multiple subcomponents (Agents). Only the Internet Service Monitor (ISM \u2013 Agent code \u2018IS\u2019) is affected. \n \nVersions: \n\u00b7 7.4 \u2013 Affected by CVEs (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206) \n\u00b7 7.3 \u2013 Affected by CVEs (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206) \n\u00b7 7.2 \u2013 Affected by CVEs (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_7.4.0.0-TIV-CAMIS-IF0026_| _7.4.0.0_| _None_| [_http://www.ibm.com/support/docview.wss?uid=isg400002083_](<http://www.ibm.com/support/docview.wss?uid=isg400002083>) \n_7.3.0.1-TIV-CAMIS-IF0034_| _7.3.0.1_| _None_| [_http://www.ibm.com/support/docview.wss?uid=isg400002090_](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400002090>) \n_7.2.0.3-TIV-CAMIS-IF0029_| _7.2.0.3_| _None_| [_http://www.ibm.com/support/docview.wss?uid=isg400002107_](<http://www.ibm.com/support/docview.wss?uid=isg400002107>) \n \nFor unsupported versions/releases IBM recommends upgrading to a fixed, supported version/release/platform of the product. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T14:56:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Composite Application Manager for Transactions (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2018-06-17T14:56:42", "id": "F5268DE4D308447E14FC618A3C21177AD2B2B1F46CB3B75F60E908782F34C984", "href": "https://www.ibm.com/support/pages/node/527271", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:39:37", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. OpenSSL is used by the Cordova platform packaged with Rational Application Developer for WebSphere Software and has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:**[_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n \n**Description:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. 
\n \n**CVSS Base Score:** 2.6 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n\n**CVEID:**[_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.\n\n**CVSS Base Score:** 5 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:**[_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>)\n\n**Description:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.\n\n**CVSS Base Score: **1.2 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for the current score \n**CVSS Environmental Score***: Undefined \n**CVSS Vector:** (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:**[_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>)\n\n**Description:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. 
An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.\n\n**CVSS Base Score:** 1.2 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)\n\n**Description:** OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system.\n\n**CVSS Base Score:** 1.2 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>)\n\n**Description:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.\n\n**CVSS Base Score:** 2.1 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.\n\n**CVSS Base Score:** 5 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99704> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nIBM Rational Application Developer for WebSphere Software 9.1, 9.1.0.1, and 9.1.1\n\n## Remediation/Fixes\n\nUpdate the IBM SDK for Node.js used by the Cordova platform in the product to address this vulnerability: \n \n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nRational Application Developer| 9.1, 9.1.0.1, and 9.1.1| | Apply [IBM SDK for Node.js 1.1.0.12](<https://www.ibm.com/developerworks/web/nodesdk/>) to the Cordova platform in the product. \n \nInstallation instructions for applying the update to the Cordova platform in the product can be found here: \n \n[Upgrading the IBM SDK for Node.js used by Cordova](<http://www.ibm.com/support/docview.wss?uid=swg21684946>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-02-05T00:09:48", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affects Rational Application Developer for WebSphere Software (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2020-02-05T00:09:48", "id": "20D9FD73B42624C1C3513A1858097222D9BA0D6A9B0665F5A6BD5CD4ED315DA2", "href": "https://www.ibm.com/support/pages/node/527183", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T09:36:54", "description": "## Summary\n\nA fix is available for IBM Storwize V7000 Unified, for the OpenSSL security vulnerabilities found in January 2015.\n\n## Vulnerability Details\n\nOpenSSL is used in IBM Storwize V7000 Unified for providing communication security by encrypting data being transmitted. \n** ** \n \n**CVEID:** [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>) \n \n**DESCRIPTION: **OpenSSL could provide weaker than expected security. An attacker could exploit this vulnerability to launch further attacks on the system. \n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n \n**CVEID: **[CVE-2014-3571](<https://vulners.com/cve/CVE-2014-3571>) \n \n**DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a flaw when handling malicious messages. A remote attacker could exploit this vulnerability to cause a denial of service. \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n**CVEID:** [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>) \n \n**DESCRIPTION: **OpenSSL could provide weaker than expected security. An attacker could exploit this vulnerability to launch further attacks on the system. 
\n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n \n**CVEID: **[CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>) \n \n**DESCRIPTION: **OpenSSL could allow a local attacker to bypass security restrictions. An attacker could exploit this vulnerability and perform unauthorized actions. \n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n \n**CVEID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>) \n \n**DESCRIPTION: **OpenSSL could provide weaker than expected security when using RSA. RSA is one of the algorithms used for secure data transmission. An attacker could exploit this vulnerability to launch further attacks on the system. \n \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n \n**CVEID: **[CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>) \n \n**DESCRIPTION: **OpenSSL could allow a remote authenticated attacker to bypass security restrictions. An attacker could exploit this vulnerability to authenticate without the use of a private key. \n \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n \n \n**CVEID: **[CVE-2015-0206](<https://vulners.com/cve/CVE-2015-0206>) \n \n**DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a memory leak in one of its functions. 
A remote attacker could exploit this vulnerability to exhaust all available memory resources, resulting in a denial of service. \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nIBM Storwize V7000 Unified \nThe product is affected when running code releases 1.3.0.0 to 1.5.1.3.\n\n## Remediation/Fixes\n\nA fix for these issues is in version 1.5.2.0 of IBM Storwize V7000 Unified. Customers running an affected version of V7000 Unified should upgrade to 1.5.2.0 or a later version, so that the fix gets applied. \n \n[_Latest Storwize V7000 Unified Software_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003918&myns=s028&mynp=OCST5Q4U&mync=E>)\n\n## Workarounds and Mitigations\n\nWorkaround(s): None \n \nMitigation(s): Ensure that all users who have access to the system are authenticated by another security system such as a firewall. 
\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:11", "type": "ibm", "title": "Security Bulletin: OpenSSL security vulnerabilities in IBM Storwize V7000 Unified (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2018-06-18T00:09:11", "id": "9437657736284A97858F6CDD402B769C4DEEB9B4B52059A41B7084497BBE7679", "href": "https://www.ibm.com/support/pages/node/690237", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T13:39:40", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes the vulnerability that has been referred to as \u201cFREAK\u201d. OpenSSL is used by Bluemix Workflow for internal communication. Bluemix Workflow has addressed the applicable CVEs. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. 
\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99703>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. 
\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99709>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by an error in the ssl3_get_key_exchange function. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability using man-in-the-middle techniques to facilitate brute-force decryption.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99708>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99704>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nThis vulnerability affected IBM Workflow for Bluemix.\n\n## Remediation/Fixes\n\nThe production system has been upgraded. A user action is not required.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2023-03-06T14:43:44", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect Bluemix Workflow (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-204, CVE-2015-205, CVE-2015-206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2023-03-06T14:43:44", "id": "E297CE15C15A71E06225EE1F8E0468EA8DDA995147F4E4D843705D5A43330DF4", "href": "https://www.ibm.com/support/pages/node/258535", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:53:51", "description": "## Summary\n\nSecurity vulnerablities have been discovered in OpenSSL\n\n## Vulnerability Details\n\n**CVEID:**CVE-2014-3570 
\n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99710> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:**CVE-2014-3571 \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99703> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:**CVE-2014-3572 \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99705> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:**CVE-2014-8275 \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. 
\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99709> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:**CVE-2015-0204 \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:**CVE-2015-0205 \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99708> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n \n**CVEID:**CVE-2015-0206 \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99704> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nIBM SDN VE, Unified Controller, KVM Edition: 1.2.2 and earlier \nIBM SDN VE, Unified Controller, VMware Edition: 1.2.2 and earlier \nIBM SDN VE, Unified Controller, OpenFlow edition: 1.2.2 and earlier \nIBM SDN VE, DOVE Management Console, VMware Edition: 1.0.0 \nIBM SDN VE, Service Appliance, KVM Edition: 1.2.2 and earlier \nIBM SDN VE, Service Appliance, VMware Edition: 1.2.2 and earlier\n\n## Remediation/Fixes\n\nIBM recommends updating affected products to the latest versions for which IBM is providing a fix, which are identified below: \nIBM SDN VE, Unified Controller, KVM Edition: 1.2.3 \nIBM SDN VE, Unified Controller, VMware Edition: 1.2.3 \nIBM SDN VE, Service Appliance, KVM Edition: 1.2.3 \nIBM SDN VE, Service Appliance, VMware Edition: 1.2.3 \nThese are available from Fix Central and Passport Advantage.\n\n## Workarounds and Mitigations\n\nNone known \n \n**Important note:** IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying \nall security or integrity fixes as soon as possible to minimize any potential risk.\n\n## ", "cvss3": {}, "published": "2018-06-18T01:27:47", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM SDN-VE (CVE-2014-3570, CVE-\n2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2018-06-18T01:27:47", "id": "911070BAC03CF80753BA2CFD22E941440752AD66EFED97E91D08BEB5A373CCD1", "href": "https://www.ibm.com/support/pages/node/680477", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T13:51:51", "description": "## Summary\n\nSUMMARY: OpenSSL vulnerabilities were disclosed on January 8th, 2015 by the OpenSSL Project. OpenSSL is used by IBM InfoSphere Master Data Management. IBM InfoSphere Master Data Management has addressed the applicable CVEs provided by OpenSSL\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. 
\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99710_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99710>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99703_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99703>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99705_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99705>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate bypass security restrictions and perform unauthorized actions. 
\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99709_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99709>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99708_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99708>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. 
By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99704_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99704>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nThese vulnerabilities are known to affect the following offerings: \n\nIBM Initiate Master Data Service versions 8.1, 9.0, 9.2, 9.5, 9.7, 10.0, 10.1 (impacts _Master Data Engine_ component, [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Enterprise Integrator Toolkit_ component) \n \nIBM Initiate Master Data Service Patient Hub versions 9.5, 9.7 (impacts _Master Data Engine_ component, [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Enterprise Integrator Toolkit_ component) \n \nIBM Initiate Master Data Service Provider Hub versions 9.5, 9.7 (impacts _Master Data Engine_ component, [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Enterprise Integrator Toolkit_ component) \n \nIBM InfoSphere Master Data Management Patient Hub version 10.0 (impacts _Master Data Engine_ component, [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Enterprise Integrator Toolkit_ component) \n \nIBM InfoSphere Master Data Management Provider Hub version 10.0 (impacts _Master Data Engine_ component, [_Message 
Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Enterprise Integrator Toolkit_ component) \n \nIBM InfoSphere Master Data Management Standard/Advanced Edition version 11.0 (impacts [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and [_Enterprise Integrator Toolkit_](<http://pic.dhe.ibm.com/infocenter/initiate/v9r5/topic/com.ibm.release_notes.doc/topics/r_release_notes_GAenterprise_integrator_toolkit.html>) component) \n \nIBM InfoSphere Master Data Management Standard/Advanced Edition version 11.3 (impacts [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component) \n \nIBM InfoSphere Master Data Management Standard/Advanced Edition version 11.4 (impacts [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component)\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available. 
\n \n\n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nIBM Initiate Master Data Service | \n\n8.1\n\n| None| [_8.1.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=8.1.032215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service | \n\n9.0\n\n| None| [_9.0.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.0.032215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service | \n\n9.2\n\n| None| [_9.2.032215 _](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.2.032215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service | \n\n9.5\n\n| None| [_9.5.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.5.032215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Patient Hub| \n\n9.5\n\n| None| [_9.5.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=9.5.032215_IM_Initiate_Patient_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Provider Hub| \n\n9.5\n\n| None| 
[_9.5.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=9.5.032215_IM_Initiate_Provider_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service | \n\n9.7\n\n| None| [_9.7.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.7.032215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Patient Hub \n| \n\n9.7\n\n| None| [_9.7.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=9.7.032215_IM_Initiate_Patient_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Provider Hub| \n\n9.7\n\n| None| [_9.7.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=9.7.032215_IM_Initiate_Provider_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service| \n\n10.0\n\n| None| [_10.0.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=10.0.032215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM InfoSphere Master Data Management Patient Hub | \n\n10.0\n\n| None| 
[_10.0.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=10.0.032215_IM_Initiate_Patient_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM InfoSphere Master Data Management Provider Hub| \n\n10.0\n\n| None| [_10.0.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=10.0.032215_IM_Initiate_Provider_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service| \n\n10.1\n\n| None| [_10.1.032215_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=10.1.032215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM InfoSphere Master Data Management Standard/Advanced Edition| \n\n11.0\n\n| None| [11.0-FP3](<http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FInformation+Management%2FInfoSphere+Master+Data+Management&fixids=11.0.0.3-MDM-SE-AE-FP03IF000_FC&source=SAR&function=fixId&parent=ibm/Information%20Management>) \nIBM InfoSphere Master Data Management Standard/Advanced Edition| \n\n11.3\n\n| None| [11.3-FP2](<http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FInformation+Management%2FInfoSphere+Master+Data+Management&fixids=11.3.0.2-MDM-SE-AE-FP02IF000_FC&source=SAR&function=fixId&parent=ibm/Information%20Management>) \n \n[IWM Samples](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-iismdms>) \nIBM InfoSphere Master Data Management Standard/Advanced Edition| \n\n11.4\n\n| None| 
[_11.4-FP2_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/InfoSphere+Master+Data+Management&release=All&platform=All&function=fixId&fixids=11.4.0.2-MDM-SE-AE-FP02IF000_FC&includeSupersedes=0&source=fc>) \n \n## ", "cvss3": {}, "published": "2022-04-27T09:58:00", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM InfoSphere Master Data Management (CVE-2014-3571, CVE-2015-0206, CVE-2014-3572, CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "modified": "2022-04-27T09:58:00", "id": "F4A34005E745D62ED5BBDB831E5D767C24B118051EFDE3423ADF017A2626FD14", "href": "https://www.ibm.com/support/pages/node/525807", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T09:36:49", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7, IBM SDK Java Technology Edition, Version 6, and IBM SDK Java 2 Technology Edition, Version 5 that are used by IBM Virtualization Engine TS7700. These issues were disclosed as part of the IBM Java SDK updates in October 2014 and January 2015. 
This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2014-6512_](<https://vulners.com/cve/CVE-2014-6512>) \n**DESCRIPTION:** An unspecified vulnerability related to the Libraries component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/97147_](<http://xforce.iss.net/xforce/xfdb/97147>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2014-6457_](<https://vulners.com/cve/CVE-2014-6457>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/97148_](<http://xforce.iss.net/xforce/xfdb/97148>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2014-6558_](<https://vulners.com/cve/CVE-2014-6558>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/97151_](<http://xforce.iss.net/xforce/xfdb/97151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)** \n** \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/100151_](<http://xforce.iss.net/xforce/xfdb/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2014-3566_](<https://vulners.com/cve/CVE-2014-3566>)** \nDESCRIPTION:** Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/97013_](<http://xforce.iss.net/xforce/xfdb/97013>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n \n \n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/100153_](<http://xforce.iss.net/xforce/xfdb/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\nThis vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \nIBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues. \n\n## Affected Products and Versions\n\nAll versions of microcode for the IBM Virtualization Engine TS7700 (3957-V06, 3957-V07, 3957-VEA, 3957-VEB) prior to release R2.1 are affected. In addition, microcode versions of releases R2.1, R3.0, R3.1 and R3.2 prior to and including the following are also affected: \n\n**Release**\n\n| **Version** \n---|--- \nR3.2| 8.32.0.88 \nR3.1| 8.31.0.92 \nR3.0| 8.30.3.4 \nR2.1| 8.21.0.178 \n \n## Remediation/Fixes\n\nContact IBM Service at 1-800-IBM-SERV to arrange an upgrade to the latest microcode level followed by the installation of vtd_exec.202, vtd_exec.213, vtd_exec.214 and vtd_exec.215 as needed. Minimum microcode levels are shown below: \n\n**Release**\n\n| **Fix** \n---|--- \nR3.2| 8.32.0.88 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 \n**\\- OR -** \n8.32.1.8 + vtd_exec.202 \nR3.1| 8.31.0.92 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 \nR3.0| 8.30.3.4 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 \nR2.1| 8.21.0.178 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 \nOlder Releases| 8.21.0.178 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 \n \nPlease note that vtd_exec packages carry their own internal version numbers. 
For the vulnerabilities reported in this Security Bulletin, the minimum required vtd_exec versions are as follows: **Package**| **Version** \n---|--- \nvtd_exec.202| 1.5 \nvtd_exec.213| 1.03 \nvtd_exec.214| 1.03 \nvtd_exec.215| 1.03 \n \n## Workarounds and Mitigations\n\nAlthough IBM recommends that you upgrade to the fixes identified above, you can mitigate, but not eliminate the risk of these vulnerabilities by restricting physical and network access to the TS7700 to authorized users and IBM Service Personnel only.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2018-06-18T00:09:23", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 - October 2014 & January 2015", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6457", "CVE-2014-6512", "CVE-2014-6558", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2018-06-18T00:09:23", "id": "B34877D991F21B254E16D92D7328B03658AA2122E7631AA85688801D398E5BAF", "href": "https://www.ibm.com/support/pages/node/690373", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:52:32", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 and IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 that are used by IBM Cognos Business Intelligence. These issues were disclosed as part of the IBM Java SDK updates in October 2014 and January 2015. \n \nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by IBM Cognos Business Intelligence . Cognos Business Intelligence is vulnerable to CVE 2014-0204 (FREAK) in versions 8.4.1 - 10.2.0 only. \n \nAn HTTP header vulnerability has been discovered in IBM WebSphere Application Server Liberty which is packaged with IBM Cognos Business Intelligence 10.2.2 and above. \n\n\n## Vulnerability Details\n\n**CVE-ID:** [_CVE-2014-9495_](<https://vulners.com/cve/CVE-2014-9495>) \n**DESCRIPTION**: libpng is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the png_combine_row function when decompressing the IDAT_data. A remote attacker could exploit this vulnerability using a \"very wide interlaced\" PNG image to overflow a buffer and execute arbitrary code on the system or cause a denial of service. \n**CVSS:** \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99699> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \n**CVE-ID: **[_CVE-2015-0973_](<https://vulners.com/cve/CVE-2015-0973>) \n**DESCRIPTION:** Libpng is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the png_read_IDAT_data() function. 
A remote attacker could exploit this vulnerability using IDAT data with a large width to overflow a buffer and execute arbitrary code on the system or cause a denial of service. \n**CVSS:** \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100239> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n**CVE-ID:** [_CVE-2014-3566_](<https://vulners.com/cve/CVE-2014-3566>) \n**DESCRIPTION**: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections. \n**CVSS:** \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVE-ID:** [_CVE-2014-6457_](<https://vulners.com/cve/CVE-2014-6457>) \n**DESCRIPTION**: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \n**CVSS:** \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97148> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n \n**CVE-ID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability in Java SE and JRockit related to the Security component could allow a remote attacker to cause a denial of service. \n**CVSS:** \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVE ID:** [_CVE-2014-3021_](<https://vulners.com/cve/CVE-2014-3021>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by a vulnerability in HTTP headers used by Web Applications. An attacker could exploit this vulnerability using a specially crafted HTTP method to access cookie and authentication data, which could be used to launch further attacks on the system. \n**CVSS:** \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93059> for the current score \nCVSS Environmental Score*: Undefined \nCVSS String: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVE-ID**: [_CVE-2014-3569_](<https://vulners.com/cve/CVE-2014-3569>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. 
\n**CVSS:** \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99706> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVE-ID**: [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \n**CVSS:** \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \nDESCRIPTION: An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \n**CVSS:** \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID: **[_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \nDESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. 
\n**CVSS:** \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVE-ID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \n**CVSS:** \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. \n**CVSS:** \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2015-0205_](<https://vulners.com/cve/CVE-2015-0205>) \n**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. 
\n**CVSS:** \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n \n**CVE-ID**: [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n**DESCRIPTION**: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. \n**CVSS:** \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99704> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n\n## Affected Products and Versions\n\n * IBM Cognos Business Intelligence Server 10.2.2\n * IBM Cognos Business Intelligence Server 10.2.1.1\n * IBM Cognos Business Intelligence Server 10.2.1\n * IBM Cognos Business Intelligence Server 10.2\n * IBM Cognos Business Intelligence Server 10.1.1\n * IBM Cognos Business Intelligence Server 10.1\n * IBM Cognos Business Intelligence Server 8.4.1\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for the versions listed as soon as practical. \n \n \n[IBM Cognos Business Intelligence 8.4.1 Fixes](<http://www-01.ibm.com/support/docview.wss?uid=swg24039562>) \n \n[IBM Cognos Business Intelligence 10.1.x Fixes](<http://www-01.ibm.com/support/docview.wss?uid=swg24039564>) \n \n[IBM Cognos Business Intelligence 10.2, 10.2.1x and 10.2.2 Fixes](<http://www-01.ibm.com/support/docview.wss?uid=swg24039563>) \n\n\n## Workarounds and Mitigations\n\nNone known. 
Apply fixes.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2018-06-15T23:13:37", "type": "ibm", "title": "Security Bulletin: IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3021", "CVE-2014-3566", "CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-6457", "CVE-2014-6593", "CVE-2014-8275", "CVE-2014-9495", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206", "CVE-2015-0410", "CVE-2015-0973"], "modified": "2018-06-15T23:13:37", "id": "86068A3EE3A608D1F7EA675B6A18718AB78B3E482DFEBF95682F1449D557C582", "href": "https://www.ibm.com/support/pages/node/257275", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:41:32", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Versions 6, 7, and 8 that are used by Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872, CVE-2015-5006). 
These were disclosed as part of the IBM Java SDK updates in July and October 2015 and are included in the October update.\n\n## Vulnerability Details\n\nRational Developer for i, Rational Developer for AIX and Linux, and Rational Developer for Power Systems Software are affected by the following vulnerabilities: \n\n**CVEID**: [CVE-2015-2613](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION**: An unspecified vulnerability in Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \n**CVSS Base Score**: 5 \n**CVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID**: [CVE-2015-2601](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION**: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \n**CVSS Base Score**: 5 \n**CVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID**: [CVE-2015-2625](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION**: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \n**CVSS Base Score**: 2.6 \n**CVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector**: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID**: [CVE-2015-1931](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION**: IBM Java Security Components 
store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \n**CVSS Base Score**: 2.1 \n**CVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector**: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID**: [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>) \n**DESCRIPTION**: An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \n**CVSS Base Score**: 5 \n**CVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector**: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n**CVEID**: [_CVE-2015-5006_](<https://vulners.com/cve/CVE-2015-5006>) \n**DESCRIPTION**: IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. 
\n**CVSS Base Score**: 4.6 \n**CVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \n**CVSS Environmental Score***: Undefined \n**CVSS Vector**: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\n**Product Name**| **Versions Affected** \n---|--- \nRational Developer for Power Systems Software| 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.3, 8.0.3.1, 8.5, 8.5.1 \nRational Developer for i| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.1, 9.5, 9.5.0.1, 9.5.0.2 \nRational Developer for AIX and Linux, AIX COBOL Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.2 \nRational Developer for AIX and Linux, C/C++ Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.2 \n \n## Remediation/Fixes\n\n**Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nRational Developer for Power Systems Software| 8.0 through 8.5.1| \n\n * For all versions, apply [IBM SDK Java Technology Edition Critical Patch Update - October 2015 - RD Power](<http://www.ibm.com/support/docview.wss?uid=swg24041521>) \nRational Developer for i| 9.0 through 9.5| \n\n * For all versions, update the currently installed product using Installation Manager. For instructions on installing this update using Installation Manager, review the topic [_Updating Installed Product Packages_](<http://www.ibm.com/support/knowledgecenter/SSAE4W_9.1.1/com.ibm.etools.iseries.install.doc/topics/t_upgrading.html>) in the IBM Knowledge Center. \n * Or, you can optionally download the update manually and apply [IBM SDK Java Technology Edition Critical Patch Update - October 2015 - RDi](<http://www.ibm.com/support/docview.wss?uid=swg24041519>) \nRational Developer for AIX and Linux| 9.0 through 9.1| \n\n * For all client versions, update the currently installed product using Installation Manager. 
For instructions on installing this update using Installation Manager, review the topic [_Updating Installed Product Packages_](<http://www.ibm.com/support/knowledgecenter/SSPSQF_9.1.1/com.ibm.etools.install.rdal.doc/topics/t_upgrading.html>) in the IBM Knowledge Center. \n * For server updates or to manually download and apply the client updates see [IBM SDK Java Technology Edition Critical Patch Update - October 2015 - RDAL](<http://www.ibm.com/support/docview.wss?uid=swg24041520>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4872", "CVE-2015-5006"], "modified": "2018-08-03T04:23:43", "id": "046BFDFDFEF57E40AEF5921AC2EAEE3EEA1453CC00EE02DF1AEFB9C2AC05178C", "href": "https://www.ibm.com/support/pages/node/537511", "cvss": 
{"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:28", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java\u2122 Technology Edition that is used by IBM Process Designer in IBM Business Process Manager and WebSphere Lombardi Edition. These issues were disclosed as part of the IBM Java SDK updates for October 2015 and in the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n \n**CVEID:** [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nThese vulnerabilities affect IBM Business Process Manager V7.5.x through V8.5.6.0 and WebSphere Lombardi Edition V7.2.0.x.\n\n## Remediation/Fixes\n\nThe Eclipse-based IBM Process Designer tool includes an instance of the IBM SDK Java\u2122 Technology Edition. To provide the fix for this development tool, install APAR JR54682 for your version of IBM Business Process Manager or WebSphere Lombardi Edition: \n\n\n * [_IBM Business Process Manager Advanced_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR54682>)\n * [_IBM Business Process Manager Standard_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR54682>)\n * [_IBM Business Process Manager Express_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR54682>)\n * [_WebSphere Lombardi Edition_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Lombardi+Edition&release=7.2.0.5&platform=All&function=aparId&apars=JR54682>)\n \nIf you are on an earlier, unsupported release, IBM strongly recommends that you upgrade. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:04:24", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Process Designer used in IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749", "CVE-2015-4872"], "modified": "2018-06-15T07:04:24", "id": "A0C4AD3CFBFCE151B5419A4CAB2FE62A2088629DFE37047C4ACED864D50B6136", "href": "https://www.ibm.com/support/pages/node/273521", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:07", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by Juniper EX Series Network Switches sold by IBM for use in IBM Products. 
Juniper has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2014-3569](<https://vulners.com/cve/CVE-2014-3569>)\n\n**Description:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99706> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-3570](<https://vulners.com/cve/CVE-2014-3570>)\n\n**Description:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-3572](<https://vulners.com/cve/CVE-2014-3572>)\n\n**Description:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. 
An attacker could exploit this vulnerability to launch further attacks on the system.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-8275](<https://vulners.com/cve/CVE-2014-8275>)\n\n**Description:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.\n\nCVSS Base Score: 1.2 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>)\n\n**Description:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0205](<https://vulners.com/cve/CVE-2015-0205>)\n\n**Description:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. 
An attacker could exploit this vulnerability to authenticate without the use of a private key.\n\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)\n\n## Affected products and versions\n\nJunOS release 12.3R9 and earlier.\n\n## Remediation/Fixes\n\nJunOS release 12.3R10 and later.\n\n * _Juniper Technical Bulletin:_ [ http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10679](<http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10679>)\n\nYou should verify applying this fix does not cause any compatibility issues.\n\n## Workarounds and Mitigations\n\nRefer to the Juniper Technical Bulletin for Workarounds.\n\n## Reference\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n * [OpenSSL Project vulnerability website](<http://www.openssl.org/news/vulnerabilities.html>)\n * [OpenSSL Advisory on above listed CVEs](<https://www.openssl.org/news/secadv_20150108.txt>)\n\n**Related Information** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n14 July 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T02:10:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect Juniper EX Series Network Switches sold by IBM for use in IBM Products (CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2019-01-31T02:10:01", "id": "02868FD8BFCA9A633DC55F29203BFAA2E5E918B96DBA7F26948D507AE685E5BD", "href": "https://www.ibm.com/support/pages/node/867556", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:47:14", "description": "## Summary\n\nAddresses multiple vulnerabilities disclosed as part of the IBM Java SDK updates in April 2015. 
\n\n## Vulnerability Details\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, which is used by Tivoli Composite Application Manager for SOA. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n \nThis bulletin also addresses the FREAK (Factoring Attack on RSA-EXPORT keys) SSL/TLS vulnerability and the RC4 Bar Mitzvah Attack SSL/TLS vulnerability. These fixes were also previously included in 7.2.0.1-TIV-ITCAMSOA-IF0003. \n \n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. 
An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\nIBM Tivoli Composite Application Manager for SOA 7.2\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Tivoli Composite Application Manager for SOA| 7.2.0.1| IV73049| [7.2.0.1-TIV-ITCAMSOA-IF0004](<http://www-01.ibm.com/support/docview.wss?uid=isg400002197>) \n \nThis fix also resolves the LogJam vulnerability in Diffie-Hellman ciphers. For details see here: <http://www-01.ibm.com/support/docview.wss?uid=swg21902710> \n \nFor earlier releases IBM recommends upgrading to a fixed, supported version of the product. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:01:51", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime (April 2015)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-17T15:01:51", "id": "F0ABD172DAB727B9E1A590E26426CC6FC3FB7572FBBAACB844B6C8AA844A1A2D", "href": "https://www.ibm.com/support/pages/node/264073", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": 
"2023-02-21T01:42:05", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition Version 6 and 7, which is used by IBM Content Collector for SAP Applications. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \nThis bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n\n**CVEID: **[_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \nDESCRIPTION: An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID: **[_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \nDESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_ https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID: **[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \nDESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. 
An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \nDESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \nDESCRIPTION: Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \nDESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM Content Collector for SAP Applications V2.2 \n\nIBM Content Collector for SAP Applications V3.0\n\nIBM Content Collector for SAP Applications V4.0\n\n## Remediation/Fixes\n\nIBM provides patches for the affected versions. Follow the installation instructions in the README file that is included in the patch. \n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nIBM Content Collector for SAP Applications| 2.2.0| HE12317| Apply JRE Update 2.2.0.2-ICCSAP-Server-JRE-6.0.16.4, and 2.2.0.2-ICCSAP-Client-JRE-6.0.16.4, which are available from Fix Central \nFor the download details, see <http://www.ibm.com/support/docview.wss?uid=swg24039994>. 
\nIBM Content Collector for SAP Applications| 3.0.0| HE12318| Apply JRE Update 3.0.0.2-ICCSAP-Server-JRE-7.0.9, and 3.0.0.2-ICCSAP-Client-JRE-7.0.9, which are available from Fix Central \nFor the download details, see <http://www.ibm.com/support/docview.wss?uid=swg24039992>. \nIBM Content Collector for SAP Applications| 4.0.0| HE12319| Apply JRE Update 4.0.0.0-ICCSAP-Base-JRE-7.0.9, which is available from Fix Central \nFor the download details, see <http://www.ibm.com/support/docview.wss?uid=swg24039993>. \n \n## ", "cvss3": {}, "published": "2018-06-25T05:54:54", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Content Collector for SAP Applications (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0204)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-25T05:54:54", "id": "42E120F033799AC7E1B18D852BA65973034A0861B261895FEE37D36B6D3EAAC7", "href": "https://www.ibm.com/support/pages/node/264479", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:47:13", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server included in Tivoli Network Manager IP Edition. These issues were disclosed as part of the IBM Java SDK updates in April 2015. 
\n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2015-0488 CVE-2015-0478 CVE-2015-0204 CVE-2015-2808 CVE-2015-1916 CVE-2015-0138 \n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2015 Critical Patch Update and additional vulnerabilities which affect IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but WebSphere Application Server is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. Please refer to the Reference section for more information on the advisories not applicable to WebSphere Application Server. \n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. 
An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nAffected Product and Version(s)| Product and Version shipped as a component \n---|--- \nTivoli Network Manager 3.8| Bundled the TIP version 1.1.1.x, IBM WebSphere version 6.1.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nTivoli Network Manager 3.9| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 7. \nTivoli Network Manager 4.1 and 4.1.1| Bundled the TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 7. 
\nUpgrade your SDK to an interim fix level as determined below: \n<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>\n\n## ", "cvss3": {}, "published": "2018-06-17T15:02:03", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server included in Tivoli Network Manager IP Edition April 2015 CPU", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-17T15:02:03", "id": "B0A8528C5B7260F238809AFE84C73C427F4F789344CCD8F90DC5F1984C53BD6A", "href": "https://www.ibm.com/support/pages/node/264309", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:57:46", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Service Registry and Repository. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n\n## Vulnerability Details\n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nWebSphere Service Registry and Repository 6.3, 7.0, 7.5, 8.0, 8.5, 8.5.5 \n\nWebSphere Service Registry and Repository Studio 6.3, 7.0, 7.5, 8.0, 8.5, 8.5.5\n\n## Remediation/Fixes\n\nTo fix the WebSphere Service Registry and Repository server, please apply the fix indicated in the WebSphere Application Server bulletin at <https://www-304.ibm.com/support/docview.wss?uid=swg21902260>\n\nIf you wish to also apply a fix to WebSphere Service Registry and Repository Studio, please either contact IBM support for a fix, or replace Studio's bundled JRE with IBM JRE, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 4 and subsequent releases. The fixed JRE can be downloaded from <https://www.ibm.com/developerworks/java/jdk/>\n\n_For WebSphere Service Registry and Repository version 6.3, IBM recommends upgrading to a fixed, supported version of the product._\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:08", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Service Registry and Repository April 2015 CPU", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-15T07:03:08", 
"id": "0ABAD79A1E5919C3C1BBA78B75BABD96320D05680BD1E0F4A51175A11334B8E2", "href": "https://www.ibm.com/support/pages/node/527739", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:54:51", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2015-0488 CVE-2015-0478 CVE-2015-0204 CVE-2015-2808 CVE-2015-1916 CVE-2015-0138 \n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2015 Critical Patch Update and additional vulnerabilties which affect IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but WebSphere Application Server is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. Please refer to the Reference section for more information on the advisories not applicable to WebSphere Application Server. \n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n \n\n\n## Affected Products and Versions\n\nIBM Java SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.5, Version 8.0.0.0 through 8.0.0.10, Version 7.0.0.0 through 7.0.0.37, Version 6.1.0.0 through 6.1.0.47 \n\n * This _does not occur_ on IBM Java SDK shipped with WebSphere Application Servers Fix Packs 8.5.5.6, 8.0.0.11 and 7.0.0.39 or later. \n**Warning: ** \nFor mixed cells that contain WebSphere Application Server version 6.0.2 nodes where Java 2 security is enabled, ensure APAR PM92206 or its circumvention is applied to the Deployment Manager to prevent sync operation failure. PM92206 has been delivered with an Interim Fix or with WebSphere Application Server Fix Packs 8.5.5.1 and 8.0.0.7 and 7.0.0.31 or later. 
\n\n## Remediation/Fixes\n\n**_For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition_**:\n \nDownload and apply the interim fix APARs below, for your appropriate release: \n\n**For V8.5.0.0 through 8.5.5.5 Full Profile:**\n\n * Apply Interim Fix [PI39865](<http://www-01.ibm.com/support/docview.wss?uid=swg24039957>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 4 (required) \n * Apply Interim Fix [PI39864](<http://www-01.ibm.com/support/docview.wss?uid=swg24039958>): Will upgrade you to IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 (optional) 
 * Apply Interim Fix [PI39863](<http://www-01.ibm.com/support/docview.wss?uid=swg24039961>): Will upgrade you to IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 (optional) \n * Apply Interim Fix [PI39862](<http://www-01.ibm.com/support/docview.wss?uid=swg24039962>): Will upgrade you to IBM SDK, Java Technology Edition, Version 8 Service Refresh 1 (optional)\n**\\--OR--**\n\n * Apply IBM Java SDK shipped with the WebSphere Application Server Fix pack 6 (8.5.5.6) or later.\n\n**For V8.0.0.0 through 8.0.0.10:**\n\n * Apply Interim Fix [PI39866](<http://www-01.ibm.com/support/docview.wss?uid=swg24039956>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 4 \n**\\--OR--**\n\n * Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 11 (8.0.0.11) or later.\n\n**For V7.0.0.0 through 7.0.0.37:**\n\n * Apply Interim Fix [PI39867](<http://www-01.ibm.com/support/docview.wss?uid=swg24039964>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 4\n**\\--OR--**\n\n * Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 39 (7.0.0.39) or later.\n\n**For V6.1.0.0 through 6.1.0.47:**\n\n * Contact IBM Support and apply Interim Fix PI39868: Will upgrade you to IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 10\n\n**_For IBM WebSphere Application Server for i5/OS operating systems:_** \n \nThe IBM Developer Kit for Java is prerequisite software for WebSphere Application Server for IBM i. Please refer to [_Java on IBM i_](<https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/IBM%20i%20Technology%20Updates/page/Java%20on%20IBM%20i>) for updates on when these fixes will be available. 
\n\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2015 CPU", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-15T07:03:02", "id": "3D2BA838E870B8857BE2FA142F996E4B48BB78A52BC727BF3328ED478FA98B94", "href": "https://www.ibm.com/support/pages/node/263523", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:47:12", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server as a component of IBM Tivoli Network Performance Manager. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2015-0488 CVE-2015-0478 CVE-2015-0204 CVE-2015-2808 CVE-2015-1916 CVE-2015-0138 \n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2015 Critical Patch Update and additional vulnerabilities which affect IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but WebSphere Application Server is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. 
Please refer to the Reference section for more information on the advisories not applicable to WebSphere Application Server. \n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)** \n \nCVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) ** \n \nCVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) ** \n \nCVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nAffected Product and Version(s)\n\n| Product and Version shipped as component \n---|--- \nTivoli Network Performance Manager 1.4| Bundled the Jazz for Service Management version 1.1.0.2, IBM WebSphere version 8.5.0.1 and the JRE from IBM SDK Java 2 Technology Edition Version 7. \nTivoli Network Performance Manager 1.3.3| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nTivoli Network Performance Manager 1.3.2| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nTivoli Network Performance Manager 1.3.1| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. 
\n \n## Remediation/Fixes\n\nDownload and apply interim fix based on your WebSphere version in [**_Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server Apr 2015 CPU_**](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>)\n\n## ", "cvss3": {}, "published": "2018-06-17T15:02:23", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2015 CPU shipped with Tivoli Netcool Performance Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-17T15:02:23", "id": "694D3B7CF684931E1E178B6FDF78609D68407843FB33B1D31A233EEFD48DAFC6", "href": "https://www.ibm.com/support/pages/node/264893", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:49:10", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 that is used by Rational Insight. These issues were disclosed as part of the IBM Java SDK updates in April 2015. This bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). 
Both CVEs are included in this advisory for completeness. \n\n**CVEID: **[_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:**An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID: **[_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:**An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID: **[_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:**The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID: **[_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:**Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n**CVEID:**[_ CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:**A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nRational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6 and 1.1.1.7\n\n## Remediation/Fixes\n\nApply the recommended fixes to all affected versions of Rational Insight. \n \n**Rational Insight 1.1** \n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 13 (Implemented by file 10.1.6305.506)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040116>). \nReview technote [1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg21679272>) for detailed instructions.\n \n**Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2** \n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 13 (Implemented by file 10.1.6305.506)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040116>). 
\nRead technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for the detailed instructions for patch application.\n \n**Rational Insight 1.1.1.3** \n\n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 11 (Implemented by file 10.2..5000.1156)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040114>) \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n**Rational Insight 1.1.1.4, 1.1.1.5, 1.1.1.6 and 1.1.1.7** \n\n 1. If the Data Collection Component or Jazz Reporting Service are used, perform this step first. \nReview the topics in <http://www-01.ibm.com/support/docview.wss?uid=swg21964625> for addressing the listed vulnerabilities in their underlying Jazz Team Server. \n\n 2. If the Cognos-based reporting server is used, also perform this step. 
\nDownload the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 10 (Implemented by file 10.2.5007.509)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040114>) \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:03:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Insight (CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0488, CVE-2015-0138, CVE-2015-0204)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-17T05:03:01", "id": "EB71F37AE79D10570F97CA3FC53F42E19ADC7017181D81804A759E38C876802E", "href": "https://www.ibm.com/support/pages/node/528089", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:57:42", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM Java SDK updates in April 2015. 
\n\n## Vulnerability Details\n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:**[_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:**An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:**[_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:**An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_ https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:**[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:**A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_ https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n** \nCVEID:**[_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:**The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See_ __<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:**[_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:**Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:**[_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:**A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n * IBM Business Process Manager V7.5.x through V8.5.6.0\n * WebSphere Lombardi Edition V7.2.0.x\n\n_For earlier unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Remediation/Fixes\n\nIBM SDK Java\u2122 Technology Edition is used in WebSphere Application Server. See the following security bulletin for vulnerability details and information about fixes: \n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2015 CPU](<https://www.ibm.com/support/docview.wss?uid=swg21902260>) \n \nThe Eclipse-based IBM Process Designer tool includes an instance of the IBM SDK Java\u2122 Technology Edition. 
To obtain the fix for this development tool, install APAR JR54070 for your version of IBM Business Process Manager or WebSphere Lombardi Edition: \n\n * [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR54070>)\n * [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR54070>)\n * [IBM Business Process Manager Advanced](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR54070>)\n * [WebSphere Lombardi Edition](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Lombardi+Edition&release=7.2.0.5&platform=All&function=aparId&apars=JR54070>)\n \nThe fix for IBM Business Process Manager V8.5.6.0 is included in Version 8.5.6.0 Cumulative Fix 1 for the IBM Business Process Manager products and all later cumulative fixes. See [Fix list for the IBM Business Process Manager Version 8.5 products](<http://www.ibm.com/support/docview.wss?uid=swg27039722>) to determine the latest available cumulative fix for your release. \n \nIf you are on earlier unsupported releases, IBM strongly recommends upgrading. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:13", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM SDK Java\u2122 Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition April 2015 CPU", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-15T07:03:13", "id": "731FA112727B2A8CB08738E86A13435F3E4FCF392C86655870AE870BE2F79A56", "href": "https://www.ibm.com/support/pages/node/528601", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:49:09", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server, which is needed for the RequisiteWeb component of Rational RequisitePro. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n \nThis bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\n**Version** | **Status** \n---|--- \n7.1.4.x (all versions) | Affected \n7.1.3.x (all versions) | Affected \n7.1.2.x (all versions) | Affected \n7.1.1.x (all versions) | Affected \n \n## Remediation/Fixes\n\nReview [Security Bulletin 1902260](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) from WebSphere Application Server for instructions on upgrading your corresponding WebSphere Application Server installation with the IBM Java SDK fix. \n \nFor 7.1.1.x and 7.1.2.x, review [Document 1390803](<http://www-01.ibm.com/support/docview.wss?uid=swg21390803>) for instructions on how to apply updates for WebSphere Application Server. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:03:07", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational RequisitePro", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-17T05:03:07", "id": "EA9E75BBEC6BA9ADA633156B467353320E007F4F6D8146EDA54E8FC2FCF771FE", "href": "https://www.ibm.com/support/pages/node/528519", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-05T05:47:31", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 5, 6, 7, and 8 that are used by Maximo Asset Management, Maximo Asset Management Essentials, Maximo Asset Management for Energy Optimization, Maximo Industry Solutions (including Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities), Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, Change and Configuration Management Database, TRIRIGA for Energy Optimization (previously known as Intelligent Building Management), and SmartCloud Control Desk. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n \nThis bulletin also addresses the \"FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and the RC4 \"Bar Mitzvah Attack\" SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n[CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n \n**CVEID:** [CVE-2015-0488](<https://vulners.com/cve/CVE-2015-0488>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [CVE-2015-0478](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [CVE-2015-1916](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nThe following IBM Java versions are affected: \n \n\u2022 IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 and earlier releases \n\u2022 IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 3 and earlier releases \n\u2022 IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 3 and earlier releases \n\u2022 IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 Fix Pack 10 and earlier releases \n\u2022 IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 2 Fix Pack 10 and earlier releases \n\u2022 IBM SDK, Java Technology Edition, Version 8 GA \n \nIBM shipped the following products with the Java Runtime Environment (JRE) from these IBM SDK Java Technology Edition versions: \n \nThe 7.1.x versions of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Asset Management for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, Maximo for Utilities, Tivoli Asset Management for IT, Tivoli Service Request Manager, and Tivoli Change and Configuration Management Database bundled the JRE from IBM SDK Java 2 Technology Edition Version 5. \n \nThe 7.2.x versions of Tivoli Asset Management for IT, Tivoli Service Request Manager, and Tivoli Change and Configuration Management Database bundled the JRE from IBM SDK Java 2 Technology Edition Version 5. 
\n \nThe 7.5.x versions of Maximo Asset Management, Maximo Asset Management Essentials, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, Maximo for Utilities, and SmartCloud Control Desk bundled the JRE from IBM SDK Java Technology Edition Version 6. \n \nThe 7.6.x versions of Maximo Asset Management bundled the JRE from IBM SDK Java Technology Edition Version 7. \n \nTRIRIGA for Energy Optimization 1.1.x bundled the JRE from IBM SDK Java Technology Edition Version 6. \n \nIt is likely that earlier unsupported versions are also affected by these vulnerabilities. Remediation is not provided for product versions that are no longer supported. IBM recommends that customers running unsupported versions upgrade to the latest supported version of the products in order to obtain remediation for the vulnerabilities.\n\n## Remediation/Fixes\n\nThere are two areas where the vulnerabilities in the Java SDK/JDK or JRE may require remediation: \n \n1\\. Application Server \u2013 Update the WebSphere Application Server. Refer to [JDK Fixes for WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>) for additional information on updating and maintaining the JDK component within WebSphere. Customers with Oracle WebLogic Server, which is not an IBM product and is not shipped by IBM, will also want to update their server. \n2\\. Browser Client \u2013 Update the Java plug-in used by the browser on client systems, using the remediated JRE version referenced on [developerWorks JavaTM Technology Security Alerts](<http://www.ibm.com/developerworks/java/jdk/alerts/>) or referenced on [Oracle\u2019s latest Critical Patch Update](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) (which can be accessed via [developerWorks JavaTM Technology Security Alerts](<http://www.ibm.com/developerworks/java/jdk/alerts/>)). 
Updating the browser Java plug-in may impact some applets such as Maximo Asset Management Scheduler. Download from IBM FixCentral the latest [_Maximo Asset Management Scheduler Interim Fix_](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Tivoli&product=ibm/Tivoli/Maximo+Asset+Management+Scheduler&release=All&platform=All&function=all&source=fc>) for Version 7.1 or [_Maximo Asset Management Fix Pack_](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Maximo+Asset+Management&release=All&platform=All&function=all&source=fc>) for Version 7.5.0.2 or later, which includes the resolution for APAR IV11560. \n \nDue to the threat posed by a successful attack, IBM strongly recommends that customers apply fixes as soon as possible.\n\n## Workarounds and Mitigations\n\nUntil you apply the fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so IBM strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem. 
\n \nMitigation instructions for CVE-2015-2808 are available here: \n\n[\u2022 IBM SDK, Java Technology Edition, Version 8](<http://www-01.ibm.com/support/docview.wss?uid=swg21672834>)\n\n \n[\u2022 IBM SDK, Java Technology Edition, Version 7R1](<http://www-01.ibm.com/support/docview.wss?uid=swg21639279>) \n[\u2022 IBM SDK, Java Technology Edition, Version 7](<http://www-01.ibm.com/support/docview.wss?uid=swg21499721>)\n\n \nNo equivalent mitigation is available for IBM SDK, Java Technology Edition, Version 6, and IBM SDK, Java 2 Technology Edition, Version 5.0.\n\n## ", "cvss3": {}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Asset and Service Management", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2022-09-22T03:02:31", "id": "363F1E6A6B5C2A70D13E0D8374B17FDF5930E05DCB5525830BB35B47CB16585E", "href": "https://www.ibm.com/support/pages/node/265319", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-05T05:53:46", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6.0 that is used by IBM WebSphere Application Server embedded in IBM Global Name Management. 
These issues were disclosed as part of the IBM Java SDK updates in April 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM InfoSphere Global Name Management 5.0\n\n## Remediation/Fixes\n\nFrom the WebSphere Security Bulletin: \n \n**For 8.0.0.0 through 8.0.0.10:** \n\u2022 Apply Interim Fix [_PI39866_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039956>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 4 \n\n**\\--OR--**\n\n\u2022 Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 11 (8.0.0.11) or later (targeted to be available 17 August 2015). 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-04-20T17:04:55", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Global Name Management 5.0 ( CVE-2015-0488 CVE-2015-0478 CVE-2015-0204 CVE-2015-2808 CVE-2015-1916 CVE-2015-0138 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2022-04-20T17:04:55", "id": "84675A12010348000987B3B23199431634511DDFAE93164E5909BC080FB29130", "href": "https://www.ibm.com/support/pages/node/264751", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:48:53", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 and Version 7 that are used by IBM Rational Directory Server (Tivoli) and IBM Rational Directory Administrator. New iFixes do not include the JRE. 
Install the new iFixes and the updated JRE to resolve these issues.\n\n## Vulnerability Details\n\nRational Directory Server is affected by the following vulnerabilities: \n \n**CVEID**: [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION**: An unspecified vulnerability, also affecting Java SE Embedded, related to the JCE component could allow a remote attacker to obtain sensitive information. \n**CVSS Base Score**: 5 \n**CVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104734> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID**: [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION**: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \n**CVSS Base Score**: 5 \n**CVSS Temporal Score**: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>_ for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID**: [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION**: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \n**CVSS Base Score**: 2.6 \n**CVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector**: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID**: [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION**: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \n**CVSS Base Score**: 2.1 \n**CVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score 
\n**CVSS Environmental Score*:** Undefined \n**CVSS Vector**: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-7575_](<https://vulners.com/cve/CVE-2015-7575>) \n**DESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109415_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109415>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n \n**CVEID**: [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>) \n**DESCRIPTION**: An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \n**CVSS Base Score**: 5 \n**CVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector**: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nRational Directory Server (Tivoli) v5.2.0.2 iFix 3 and earlier \nRational Directory Server (Tivoli) v5.2.1 iFix 8 and earlier \nRational Directory Administrator v6.0.0.2 iFix 3 and earlier\n\n## Remediation/Fixes\n\nUpgrade to Rational Directory Server (Tivoli) v5.2.1 iFix 9 or v5.2.0.2 iFix 5, and Rational Directory Administrator v6.0.0.2 iFix 4, which do not include Java. Before installing the new iFixes, install the Java Runtime Environment version 6.0.16.21 or 7.0.9.31, or subsequent versions. 
\n \nTo obtain the updated version of the IBM JRE, [_contact IBM Support_](<https://www-947.ibm.com/support/servicerequest/Home.action?category=2>). Support can help identify the latest JRE that is compatible with your operating system and platform. Publicly available versions of the Oracle JRE are also supported with Rational Directory Server. \n\n_For versions of Rational Directory Server earlier than 5.2.0.2 and versions of Rational Directory Administrator earlier than 6.0.0.2, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:10:03", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) and Rational Directory Administrator (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-7575, CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4872", "CVE-2015-7575"], "modified": "2018-06-17T05:10:03", "id": 
"05EA0613CCDE54EFA5261A92BB8AD85AC9483C1FF44BBFC007A754DD1DA033F1", "href": "https://www.ibm.com/support/pages/node/542697", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:46:29", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. OpenSSL is used by IBM Tivoli Netcool System Service Monitors/Application Service Monitors, which has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVE-ID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \n \nCVSS Base Score: 2.600 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2014-3571_](<https://vulners.com/cve/CVE-2014-3571>) \n \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault. \n \nCVSS Base Score: 5.000 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVE-ID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. 
\n \nCVSS Base Score: 1.200 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2014-8275_](<https://vulners.com/cve/CVE-2014-8275>) \n \n**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions. \n \nCVSS Base Score: 1.200 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system. \n \nCVSS Base Score: 4.300 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVE-ID:** [_CVE-2015-0206_](<https://vulners.com/cve/CVE-2015-0206>) \n \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources. 
\n \nCVSS Base Score: 5.000 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/99704> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nSSM 4.0.0 FP1 \u2013 FP14 and Interim Fix 14-01 \u2013 Interim Fix 14-04 \nSSM 4.0.1 FP1 \u2013 FP2\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_4.0.1.2-TIV-SSM-IF0001_| _4.0.1.2_| _None_| [_http://www.ibm.com/support/docview.wss?uid=isg400002085_](<http://www.ibm.com/support/docview.wss?uid=isg400002085>) \n_4.0.0.14-TIV-SSM-IF0005_| _4.0.0.14_| _None_| [_http://www.ibm.com/support/docview.wss?uid=isg400002088_](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400002088>) \n \n## Workarounds and Mitigations\n\nNone known\n\n## ", "cvss3": {}, "published": "2018-06-17T14:56:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0206)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0206"], "modified": "2018-06-17T14:56:42", "id": "0EC5DE74619B5AB53A50C54C0FF6254EEA3E64A614AB412757FA4BA050D69E92", "href": "https://www.ibm.com/support/pages/node/527277", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:46:17", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 5 and 7 that is used by IBM Tivoli System Automation Application Manager. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation Application Manager 4.1, 3.2.2, 3.2.1, and 3.2.0.\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the corresponding fix to IBM Tivoli System Automation Application Manager. To select the fix you need to apply in your environment, click on 'Download Link' in the table below. \n \n* If you are running IBM Tivoli System Automation Application Manager 4.1, please apply fixpack IBM Tivoli System Automation Application Manager 4.1.0.1. \n* If you are running IBM Tivoli System Automation Application Manager 3.2.2, please apply interim fix IF0010 of this product version. You can apply this iFix on top of any fixpack of version 3.2.2. \n* If you are running IBM Tivoli System Automation Application Manager 3.2.1, please apply interim fix IF0010 of this product version. You can apply this iFix on top of any fixpack of version 3.2.1. \n* If you are running IBM Tivoli System Automation Application Manager 3.2.0, please apply interim fix IF0010 of this product version. You can apply this iFix on top of any fixpack of version 3.2.0. \n \nAdditionally, you need to install the corresponding fix from IBM WebSphere Application Server. 
Please follow this link for details: <http://www-01.ibm.com/support/docview.wss?uid=swg21962931>. You need to apply the fix for IBM WebSphere Application Server 8.5 if you run IBM Tivoli System Automation Application Manager 4.1, and you need to apply the fix for IBM WebSphere Application Server 6.1 if you run IBM Tivoli System Automation Application Manager 3.2.2, 3.2.1, or 3.2.0. \n \n\n\n_Product_| _VRMF_| _APAR_ \n---|---|--- \n_IBM Tivoli System Automation Application Manager_| _4.1, 3.2.2, 3.2.1, 3.2.0_| [Download Link](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+System+Automation+Application+Manager&release=All&platform=All&function=all>) \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. 
\n \n_For __IBM Tivoli System Automation Application Manager 3.1__ __IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:07:22", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation Application Manager (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4749)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749"], "modified": "2018-06-17T15:07:22", "id": "E7B27D160CD8AD6CEE5EE17DF994C844B5EC3D6A8C4976FBBC5C2E758D5732CA", "href": "https://www.ibm.com/support/pages/node/533789", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:57:32", "description": "## Summary\n\nThere are multiple security vulnerabilities in the IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 and 7 that is used by IBM WebSphere Application Server 
Community Edition 3.0.0.4. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. 
\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n\n## Affected Products and Versions\n\nWebSphere Application Server Community Edition 3.0.0.4 \n\n## Remediation/Fixes\n\nIf you use the IBM SDK for Java: upgrade your SDK to a level as noted below, please refer to [_IBM Java SDK Security Bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21962302>): \n \n \nIBM SDK for Java 6: \nIBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 7 and subsequent releases \nIBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 7 and subsequent releases \n \nIBM SDK for Java 7: \nIBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 10 and subsequent releases \nIBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 10 and subsequent releases\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:29", "type": "ibm", "title": "Security Bulletin: Multiple Security vulnerability in IBM Java SDK including Logjam affect WebSphere Application Server Community Edition 3.0.0.4(CVE-2015-4000 CVE-2015-2613 CVE-2015-2601 CVE-2015-4749 CVE-2015-2625 CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749"], "modified": "2018-06-15T07:03:29", "id": "1BBF2A32FAD2400D9BC729236743DB5BA10E71E968751393DCCFA07C879D7E68", "href": "https://www.ibm.com/support/pages/node/534903", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:46:41", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 5 and 7 that is used by IBM Tivoli System Automation for Multiplatforms. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation for Multiplatforms 4.1, 3.2.2, 3.2.1, and 3.2.0.\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the corresponding fix to IBM Tivoli System Automation for Multiplatforms. To select the fix you need to apply in your environment, click on 'Download Link' in the table below. \n \n* If you are running IBM Tivoli System Automation for Multiplatforms 4.1, please apply fixpack IBM Tivoli System Automation for Multiplatforms 4.1.0.2. \n* If you are running IBM Tivoli System Automation for Multiplatforms 3.2.2, please apply interim fix IF0007 of this product version. You can apply this iFix on top of any fixpack of version 3.2.2. \n* If you are running IBM Tivoli System Automation for Multiplatforms 3.2.1, please apply interim fix IF0010 of this product version. You can apply this iFix on top of any fixpack of version 3.2.1. \n* If you are running IBM Tivoli System Automation for Multiplatforms 3.2.0, please apply interim fix IF0010 of this product version. You can apply this iFix on top of any fixpack of version 3.2.0. 
\n \nAdditionally, for IBM Tivoli System Automation for Multiplatforms 3.2.2, 3.2.1 and 3.2.0, you need to install the corresponding fix from IBM WebSphere Application Server 6.1. Please follow this link for details: <http://www-01.ibm.com/support/docview.wss?uid=swg21962931>. \n \n\n\n_Product_| _VRMF_| _APAR_ \n---|---|--- \n_IBM Tivoli System Automation for Multiplatforms _| _4.1, 3.2.2, 3.2.1, 3.2.0_| [_Download Link_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+System+Automation+for+Multiplatforms&release=All&platform=All&function=all>) \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. 
\n \n_For __IBM Tivoli System Automation for Multiplatforms 3.1__ __IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:07:21", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4749)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749"], "modified": "2018-06-17T15:07:21", "id": "1A6ED5D827C9B7F2277B3D67DC5CF6E6E0140AD47BEA97E4D1117C4DB04282EC", "href": "https://www.ibm.com/support/pages/node/533787", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:56:12", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 6 that is used by WebSphere Application Server shipped with IBM SmartCloud Provisioning. 
These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n** \nCVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. 
\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**Principal Product**| **Affected Supporting Product Version** \n---|--- \nIBM SmartCloud Provisioning V2.1, V2.1.0.1, V2.1.0.2, V2.1.0.3, V2.1.0.5, V2.1.0.5 from Interim Fix 1 to Interim Fix 3| IBM WebSphere Application Server V8.0 \nIBM SmartCloud Provisioning V2.3, V2.3.0.1 and V2.3.0.1 from Interim Fix 1 to Interim Fix 7 | IBM WebSphere Application Server V8.0.0.1 through V8.0.1.11 \n \n## Remediation/Fixes\n\nPlease note that product software support discontinuance is approaching as per [_IBM Withdrawal Announcement 916-016_](<http://www-01.ibm.com/common/ssi/rep_ca/6/897/ENUS916-016/ENUS916-016.PDF>). \n\n**Product**| **Affected Supporting Product Version**| **Remediation/First Fix** \n---|---|--- \nIBM SmartCloud Provisioning V2.1, V2.1.0.1, V2.1.0.2, V2.1.0.3, V2.1.0.5, V2.1.0.5 from Interim Fix 1 to Interim Fix 3| IBM WebSphere Application Server V8.0| Contact [_IBM support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) \nIBM SmartCloud Provisioning V2.3, V2.3.0.1 and V2.3.0.1 from Interim Fix 1 to Interim Fix 7 | IBM WebSphere Application Server V8.0.0.1 through V8.0.1.11| Upgrade to Cloud Orchestrator 2.3.0.1 Interim Fix 8 or later, at [http://www-01.ibm.com/support/docview.wss?uid=swg2C4000036](<http://www-01.ibm.com/support/docview.wss?uid=swg2C4000036>) \nNote that for Logjam you will also need to update your java.security file to add jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768\\. \n\nContact [_IBM support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) for questions. \n \n \nYou should verify applying this configuration change does not cause any compatibility issues. 
If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:32:53", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition, and Logjam affect WebSphere Application Server shipped with SmartCloud Provisioning", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749"], "modified": "2018-06-17T22:32:53", "id": "2FE25685E021FF1A9C831364B6F5965095F1E1B81C165A2C647499A7FF03D904", "href": "https://www.ibm.com/support/pages/node/619261", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:52:10", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Runtime 
Environment Java Technology Edition, Version 5.0, Version 6.0 and Version 7.0 that is used by Security Directory Integrator. Some of these issues were disclosed as part of the IBM Java SDK updates in April 2015. \n \n \nThis bulletin also addresses the \"FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability, the RC4 \"Bar Mitzvah Attack\" SSL/TLS vulnerability, and the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\n \nIBM Tivoli Directory Integrator 6.1.1 \nIBM Tivoli Directory Integrator 7.0.0 \nIBM Tivoli Directory Integrator 7.1.0 \nIBM Tivoli Directory Integrator 7.1.1 \nIBM Security Directory Integrator 7.2.0\n\n## Remediation/Fixes\n\nAffected Products and Versions| Fix availability \n---|--- \nTDI 6.1.1| [7.0.0-TIV-TDI-LA0024](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24040301>) \nTDI 7.0| [7.0.0-TIV-TDI-LA0024](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24040301>) \nTDI 7.1| [7.1.1-TIV-TDI-LA0027](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24040295>) \nTDI 7.1.1| [7.1.1-TIV-TDI-LA0027](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24040295>) \nSDI 7.2| [7.2.0-ISS-SDI-LA0008](<http://www.ibm.com/support/docview.wss?uid=swg24040294>) \n \n \nYou should verify 
applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nAs the server key size is increased, the amount of CPU required for a full TLS/SSL handshake can increase significantly. Carefully test and assess the impact on your CPU requirements to ensure sufficient CPU resources; otherwise system availability may be impacted. \n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-16T21:25:20", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Security Directory Integrator", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808", "CVE-2015-4000"], "modified": "2018-06-16T21:25:20", "id": 
"6DF3814722A33BAC4382EFDB9DF33B5A2FFEA62B91E068C5925CD8FDD7EED52D", "href": "https://www.ibm.com/support/pages/node/530247", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:44:49", "description": "## Summary\n\nIBM SmartCloud Cost Management is shipped as a component of IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise. Information about security vulnerabilities affecting IBM SmartCloud Cost Management has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletins for IBM SmartCloud Cost Management for vulnerability details and information about fixes. \n\n\n * [Security Bulletin: HTTP response splitting has been identified in IBM WebSphere Application Server Liberty Profile shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-2017)](<http://www-01.ibm.com/support/docview.wss?uid=swg2C1000121>)\n * [Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg2C1000003>) \n\n * [Security Bulletin: A security vulnerability has been found in IBM WebSphere Application Server 8.5.5.6 shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management (CVE-2015-1927)](<http://www.ibm.com/support/docview.wss?uid=swg21964651>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management. 
(CVE-2015-1932)](<http://www.ibm.com/support/docview.wss?uid=swg21965064>) \n \n\n * [Security Bulletin: A security vulnerability has been found in IBM WebSphere Application Server 8.5.5.6 shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management (CVE-2015-1885)](<http://www.ibm.com/support/docview.wss?uid=swg21964504>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21964499>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management. (CVE-2015-4938)](<http://www.ibm.com/support/docview.wss?uid=swg21964864>) \n \n\n * [Security Bulletin: Security vulnerabilities have been identified in IBM\u00ae DB2\u00ae shipped with SmartCloud Cost Management (SCCM/TUAM) (CVE-2013-6747, CVE-2014-0963)](<http://www.ibm.com/support/docview.wss?uid=swg21675921>) \n \n\n * [Security Bulletin: Tivoli Usage and Accounting Manager / SmartCloud Cost Management (CVE-2015-1920)](<http://www.ibm.com/support/docview.wss?uid=swg21957821>) \n \n\n * [Security Bulletin: Vulnerability in RC4 stream cipher affects Tivoli Usage and Accounting Manager / SmartCloud Cost Management (CVE-2015-2808, CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21883107>)\n\n## Affected Products and Versions\n\n**Principal Product and Version**| **Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator Enterprise 2.5, 2.5.0.1| IBM SmartCloud Cost Management 2.1.0.5 \nIBM Cloud Orchestrator Enterprise 2.4 and 2.4.0.1, 2.4.0.2, 2.4.0.3| IBM SmartCloud Cost Management 2.1.0.4 \nIBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1| IBM SmartCloud Cost Management 2.1.0.3 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:30:51", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities in IBM SmartCloud Cost Management shipped with IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6747", "CVE-2014-0963", "CVE-2015-0138", "CVE-2015-1885", "CVE-2015-1920", "CVE-2015-1927", "CVE-2015-1932", "CVE-2015-2017", "CVE-2015-2808", "CVE-2015-4000", "CVE-2015-4938", "CVE-2015-7450"], "modified": "2018-06-17T22:30:51", "id": "705280D237DEDB26D3D68396BC2097819ADC8127D93D08AF8CFC027E9A703179", "href": "https://www.ibm.com/support/pages/node/262093", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:49:08", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 and 7 that are used by IBM Rational Software Architect , Rational Software Architect for Websphere software and Rational Software Architect Real Time. 
These issues were disclosed as part of the Logjam and IBM Java SDK updates in April 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>) \n \n**DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**CVEID:** [CVE-2015-0488](<https://vulners.com/cve/CVE-2015-0488>) \n \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JSSE component could allow a remote attacker to cause a denial of service. \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n**CVEID:** [CVE-2015-0478](<https://vulners.com/cve/CVE-2015-0478>) \n \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. 
\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n \n**CVEID:** [CVE-2015-1916](<https://vulners.com/cve/CVE-2015-1916>) \n \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n**CVEID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>) \n \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Rational Software Architect, IBM Rational Software Architect for Websphere Software and IBM Rational Software Architect Real-Time Edition Versions 8.0.x to 8.0.4.2, 8.5 to 8.5.5.3 and 9.0 to 9.1.2\n\n## Workarounds and Mitigations\n\n**Product**| **VRMF**| **Remediation/Download FixCentral Link** \n---|---|--- \nRational Software Architect, Rational Software Architect for Websphere Software, Rational Software Architect Real-Time Edition| 8.0.x to 8.0.4.2| [**RSA FixCentral Link for IBM Java 6 SR16 FP5**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect&release=8.0.0&platform=All&function=fixId&fixids=Rational-RSA-Java6SR16FP5-ifix&includeSupersedes=0&source=fc>) [**RSA4WS FixCentral Link for IBM Java 6 SR16 FP5**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+for+WebSphere+Software&release=8.0.0&platform=All&function=fixId&fixids=Rational-RSA4WS-Java6SR16FP5-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect, Rational Software Architect for Websphere Software, Rational Software Architect Real-Time Edition| 8.5 to 8.5.5.3 and 9.0 to 9.1.2| [**RSA FixCentral Link for IBM Java 7 SR19 FP1**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect&release=8.5.0&platform=All&function=fixId&fixids=Rational-RSA-Java7SR9FP1-ifix&includeSupersedes=0&source=fc>) [**RSA4WS FixCentral Link for IBM Java 7 SR19 FP1**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+for+WebSphere+Software&release=8.5.0&platform=All&function=fixId&fixids=Rational-RSA4WS-Java7SR9FP1-ifix&includeSupersedes=0&source=fc>) [**RSART FixCentral Link for IBM Java 7 SR19 FP1**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+RealTime+Edition&release=8.5.0&platform=All&function=fixId&fixids=Rational-RSART-Java7SR9FP1-ifix&includeSupersedes=0&source=fc>) \n \n**Installation Instructions:** \n \nFor instructions on installing this update using Installation Manager, review the topic [_Updating Installed Product Packages_](<http://www.ibm.com/support/knowledgecenter/SS8PJ7_9.1.0/com.ibm.xtools.installation.rsaws.doc/topics/t_update.html>) in the IBM Knowledge Center. \n \n**Instructions to download and install the update from the compressed files:** \n1\\. Download the update files from Fix Central by following the link listed in the download table above. \n2\\. Extract the compressed files in an appropriate directory. \nFor example, choose to extract to C:\\temp\\update \n3\\. Add the update repository location in IBM Installation Manager. \n4\\. Start IBM Installation Manager. \n5\\. On the Start page of Installation Manager, click **File > Preferences**, and then click **Repositories**. The Repositories page opens. \n6\\. On the Repositories page, click **Add Repository**. \n7\\. In the Add repository window, browse to or enter the file path to the repository.config file, which is located in the directory where you extracted the compressed files and then click OK. \nFor example, enter C:\\temp\\updates\\repository.config. \n8\\. Click **OK** to close the Preference page. \n9\\. 
Install the update as described in the topic **Updating Installed Product Packages** in the [_IBM Knowledge Center_](<http://www.ibm.com/support/knowledgecenter/>) for your product and version. \n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T05:03:09", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational Software Architect , Rational Software Architect for Websphere software and Rational Software Architect Real Time (CVE-2015-4000, CVE-2015-0488, CVE-2015-0478, CVE-2015-02", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808", "CVE-2015-4000"], "modified": "2018-06-17T05:03:09", "id": "567C15075E9484A28990EB25FA44FEDA308784635D8C000E7696260435ECDB4A", "href": "https://www.ibm.com/support/pages/node/528885", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:39:29", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Versions 6 and 7 that are used by IBM Rational Application Developer 
for WebSphere Software. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n \nThis bulletin also addresses the \"FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and the RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n \n**CVEID**: [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \n \n**DESCRIPTION**: An unspecified vulnerability in Oracle Java SE and JRockit related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID**: [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n \n**DESCRIPTION**: An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID**: [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION**: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID**: [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n \n**DESCRIPTION**: Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID**: [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n \n**DESCRIPTION**: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nRational Application Developer 9.1.1 and earlier.\n\n## Remediation/Fixes\n\nUpdate the IBM SDK, Java Technology Edition of the product to address this vulnerability: \n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nRational Application Developer| 8.0 through 9.1.1| PI43820| \n\n * For all versions, apply [IBM SDK Java Technology Edition Critical Patch Update - April 2015, RC4 Bar Mitzvah Attack for SSL/TLS, and Logjam vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg24040408>).\n * For the WebSphere Application Server 7.0 Test Environment, apply [WebSphere Application Server 7.0 Test Environment Extension Fix Pack 37u1 (7.0.0.37u1)](<http://www.ibm.com/support/docview.wss?uid=swg24040433>)\n * For WebSphere Application Server version 8.0 and 8.5 used by the product, see [Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM WebSphere Application Server (CVE-2015-4000)](<http://www-01.ibm.com/support/docview.wss?uid=swg21957980>) \nRational Agent Controller| 7.0 through to 9.1.1| PI43820| \n\n * Apply [Rational Agent Controller FixPack 2 (9.1.1.2) for 9.1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg24040414>) \nRational Build Utility| 8.0 through to 9.1.1| PI43820| \n\n * For use on Windows or Linux: apply [IBM SDK Java Technology Edition Critical Patch Update - April 2015, RC4 Bar Mitzvah Attack for SSL/TLS, and Logjam vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg24040408>).\n * For use on System z:\n * Version 8.0: Apply the latest [Java Technology Edition, V6.0.0 PTF](<http://www-03.ibm.com/systems/z/os/zos/tools/java/>).\n * Version 8.5, 9.0 and 9.1: Apply the latest [Java Technology Edition, 
V7.0.0](<http://www-03.ibm.com/systems/z/os/zos/tools/java/>). \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-02-05T00:09:48", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affects IBM Rational Application Developer for WebSphere Software (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0204)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808", "CVE-2015-4000"], "modified": "2020-02-05T00:09:48", "id": "99252B8C83925477AC9230DB60D185CD3362EAA40BD8AEF0AE7A3FDA1C98939D", "href": "https://www.ibm.com/support/pages/node/534975", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-23T21:52:27", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM&reg; SDK Java&trade; Technology Edition, Version 7.0 that is used by IBM Fabric Manager. This also includes a fix for the Padding Oracle On Downgraded Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566). 
These issues were disclosed as part of the IBM Java SDK updates in October 2014 and January 2015.\n\nThis bulletin also addresses the \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>)\n\n**Description:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/100691> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0410](<https://vulners.com/cve/CVE-2015-0410>)\n\n**Description:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/100151> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-6593](<https://vulners.com/cve/CVE-2014-6593>)\n\n**Description:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.\n\nCVSS Base Score: 4 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/100153> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-3566](<https://vulners.com/cve/CVE-2014-3566>)\n\n**Description:** Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. 
A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/97013> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVE-ID:** [CVE-2014-6457](<https://vulners.com/cve/CVE-2014-6457>)\n\n**Description:** An unspecified vulnerability related to the JSSE component has no partial confidentiality impact, partial integrity impact, and no availability impact.\n\nCVSS Base Score: 4 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/97148> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-6558](<https://vulners.com/cve/CVE-2014-6558>)\n\n**Description:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/97151> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n## Affected products and versions\n\n * IBM Fabric Manager 4.1.00.24 and earlier versions.\n\n## Remediation/Fixes:\n\nIBM recommends updating to version [ 4.1.02.0031](<http://www-933.ibm.com/support/fixcentral/systemx/selectFixes?parent=x222+Compute+Node&product=ibm/systemx/7916&&platform=All&function=fixId&fixids=ibm_sw_ifm-4.1.02.0031_linux_32-64&includeSupersedes=0>) or later. Firmware updates are available through IBM Fix Central - <http://www.ibm.com/support/fixcentral/> . \n\nIBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. 
The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.\n\n## Workarounds and Mitigations:\n\nTo avoid CVE-2014-3566 (POODLE), SSL 3.0 can be disabled by using the IFM \"TLS 1.2 only\" setting. You should verify disabling SSLv3 does not cause any compatibility issues.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager (CVE-2015-0138, CVE-2015-0410, CVE-2014-6593, CVE-2014-3566, CVE-2014-6457, CVE-2014-6558)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6457", "CVE-2014-6558", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2019-01-31T01:55:01", "id": "9B73D553C5721DEF146CFAFEC1F0FF71EB7E3943ED00FB587A9862A47029FA57", "href": "https://www.ibm.com/support/pages/node/866792", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:41:11", "description": "## Summary\n\nAn IBM Tivoli Monitoring shared component is included 
as part of Agent for NetApp Storage. Information about a security vulnerability affecting an IBM Tivoli Monitoring shared component has been published in a security bulletin.\n\n## Vulnerability Details\n\nCVEID: CVE-2015-2625 \nDESCRIPTION: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104743> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \nCVEID: CVE-2015-1931 \nDESCRIPTION: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \nCVEID: CVE-2015-7575 \nDESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as \u201cSLOTH\u201d. \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109415> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n \nCVEID: CVE-2015-4000 \nDESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. 
Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103294> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Product Code**| **Affected IBM Tivoli Monitoring Version** \n---|---|--- \nIBM\u00ae Tivoli\u00ae Monitoring for Virtual Environments Agent for NetApp Storage versions 6.2.2 , 6.2.3 , 7.1 , 7.2 , 7.2.3| KNU| IBM Tivoli Monitoring versions 6.2.3 FP1 (JRE 6) through 6.3.0 FP6 (JRE 7) \n \n## Remediation/Fixes\n\nPlease consult the following IBM Tivoli Monitoring security bulletins for vulnerability details and information about fixes for the \"Java (CANDLEHOME) Remediation\" section. Note there is a single set of patches which address both bulletins. 
\n[_Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-7575)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21976066>)\n\n[_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-2601,CVE-2015-4749.CVE-2015-2625,CVE-2015-1931__ ) _](<http://www-01.ibm.com/support/docview.wss?uid=swg21976560>)\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-23T07:35:29", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in an IBM Tivoli Monitoring shared component shipped with Agent for NetApp Storage(CVE-2015-2625, CVE-2015-1931, CVE-2015-7575, CVE-2015-4000)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749", "CVE-2015-7575"], "modified": "2018-07-23T07:35:29", "id": "376881B708EE709A23D7CF26BB3E3EFE99A529E7B07BD86A464ECD42C2CA569D", "href": "https://www.ibm.com/support/pages/node/277407", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:41:12", "description": "## Summary\n\nAn 
IBM Tivoli Monitoring shared component is included as part of Agent for Linux Kernel-based Virtual Machines. Information about a security vulnerability affecting an IBM Tivoli Monitoring shared component has been published in a security bulletin.\n\n## Vulnerability Details\n\nCVEID: CVE-2015-2625 \nDESCRIPTION: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104743> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \nCVEID: CVE-2015-1931 \nDESCRIPTION: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \nCVEID: CVE-2015-7575 \nDESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as \u201cSLOTH\u201d. \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109415> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n \nCVEID: CVE-2015-4000 \nDESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. 
An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103294> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Product Code**| **Affected IBM Tivoli Monitoring Version(s)** \n---|---|--- \nIBM\u00ae Tivoli\u00ae Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines versions 6.2.3 , 7.1 , 7.2 , 7.2.0.3| KV1| IBM Tivoli Monitoring versions 6.2.3 FP1 (JRE 6) through 6.3.0 FP6 (JRE 7) \n \n## Remediation/Fixes\n\nPlease consult the following IBM Tivoli Monitoring security bulletins for vulnerability details and information about fixes for the \"Java (CANDLEHOME) Remediation\" section. Note there is a single set of patches which address both bulletins. 
\n[_Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-7575)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21976066>) \n \n[_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-2601,CVE-2015-4749.CVE-2015-2625,CVE-2015-1931__ ) _](<http://www-01.ibm.com/support/docview.wss?uid=swg21976560>)\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-23T07:35:29", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in an IBM Tivoli Monitoring shared component shipped with Agent for Linux Kernel-based Virtual Machines (CVE-2015-2625, CVE-2015-1931, CVE-2015-7575, CVE-2015-4000)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749", "CVE-2015-7575"], "modified": "2018-07-23T07:35:29", "id": "CEB27E785E600294CBB232BE2A4F87611DCB20D91D768C5E4A4B5C3B0D8D1D3A", "href": "https://www.ibm.com/support/pages/node/277409", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T13:51:49", 
"description": "## Summary\n\nIBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 1.6 shipped with IBM MDM SE engine, Workbench, and Brokers contains multiple vulnerabilities. IBM MDM SE engine, Workbench, and Brokers has addressed these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker with an active man-in-the-middle session to hijack plaintext application data from active SSL/TLS sessions. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-0383_](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100148_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100148>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)\n\n**CVEID:** [_CVE-2014-3566_](<https://vulners.com/cve/CVE-2014-3566>) \n**DESCRIPTION:** Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/97013_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/97013>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2014-6457_](<https://vulners.c