## Summary
The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM Security Network Intrusion Prevention System.
## Vulnerability Details
**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)
**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as the "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
## Affected Products and Versions
Products: GX3002, GX4002, GX4004, GX4004-v2, GX5008, GX5008-v2, GX5108, GX5108-v2, GX5208, GX5208-v2, GX6116, GX7412, GX7412-10, GX7412-05, GX7800, GV200, GV1000
Firmware versions 4.6.2, 4.6.1, 4.6, 4.5, 4.4, and 4.3
## Remediation/Fixes
| _Product_ | _VRMF_ | _Remediation/First Fix_ |
|---|---|---|
| IBM Security Network Intrusion Prevention System | Firmware version 4.6.2 | [_4.6.2.0-ISS-ProvG-AllModels-System-FP0008_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
| IBM Security Network Intrusion Prevention System | Firmware version 4.6.1 | [_4.6.1.0-ISS-ProvG-AllModels-System-FP0012_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
| IBM Security Network Intrusion Prevention System | Firmware version 4.6 | [_4.6.0.0-ISS-ProvG-AllModels-System-FP0010_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
| IBM Security Network Intrusion Prevention System | Firmware version 4.5 | [_4.5.0.0-ISS-ProvG-AllModels-System-FP0012_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
| IBM Security Network Intrusion Prevention System | Firmware version 4.4 | [_4.4.0.0-ISS-ProvG-AllModels-System-FP0012_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
| IBM Security Network Intrusion Prevention System | Firmware version 4.3 | [_4.3.0.0-ISS-ProvG-AllModels-System-FP0010_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
You should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change this setting, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.
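The recommendation above is to find every other place in the environment where RC4 is still enabled. The following script is an added example written for this page, not IBM's tooling: it audits a constructed inventory of TLS cipher-suite names (hostnames and suite lists are made up for illustration) under both the IANA naming scheme (`TLS_RSA_WITH_RC4_128_SHA`) and the OpenSSL naming scheme (`ECDHE-RSA-RC4-SHA`), and it also asks the local Python/OpenSSL build whether its default client cipher list still offers RC4. It runs offline; feeding it real inventory data (for example, the cipher lists reported by a TLS scanner) is left to the reader.

```python
"""Audit cipher-suite inventories for RC4 (added example, not from the IBM bulletin)."""
import re
import ssl

# RC4 shows up in the suite name under both common naming schemes:
#   IANA / TLS registry style: TLS_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5
#   OpenSSL style:             RC4-SHA, RC4-MD5, ECDHE-RSA-RC4-SHA
# The token must stand alone between separators so that e.g. "ARC4" or
# "RC4xyz" (not real suite names) would not match by accident.
RC4_PATTERN = re.compile(r"(^|[_-])RC4([_-]|$)", re.IGNORECASE)


def is_rc4_suite(name: str) -> bool:
    """True if the cipher-suite name denotes an RC4 bulk cipher."""
    return RC4_PATTERN.search(name.strip()) is not None


def find_rc4_suites(suites):
    """Return the subset of suite names (order preserved) that use RC4."""
    return [s for s in suites if is_rc4_suite(s)]


def audit_inventory(inventory):
    """inventory maps host -> list of suite names that host offers.

    Returns host -> offending suites, containing only hosts that offer RC4,
    so an empty dict means the inventory is clean.
    """
    findings = {}
    for host, suites in inventory.items():
        offending = find_rc4_suites(suites)
        if offending:
            findings[host] = offending
    return findings


def local_openssl_rc4_suites():
    """RC4 suites (if any) in this interpreter's default TLS client cipher list.

    Modern OpenSSL builds leave RC4 out of the default list entirely; this
    check confirms that for the stack the audit script itself runs on.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return find_rc4_suites(c["name"] for c in ctx.get_ciphers())


# Constructed sample inventory (hostnames and suite lists are invented).
SAMPLE_INVENTORY = {
    "ips-sensor.example.internal": [
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
    "web-01.example.internal": [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "AES256-SHA",
    ],
    "legacy-app.example.internal": [
        "ECDHE-RSA-RC4-SHA",
        "RC4-MD5",
        "DES-CBC3-SHA",
    ],
}


if __name__ == "__main__":
    for host, suites in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: RC4 still offered via {', '.join(suites)}")
    local = local_openssl_rc4_suites()
    print("local OpenSSL default list offers RC4:", local if local else "no")
```

A host appears in the findings only if at least one offered suite uses RC4, so the output is directly actionable: each listed host needs the cipher list tightened (or the fix applied, in the case of the IPS firmware above), and a clean run produces no lines at all.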
## Workarounds and Mitigations
None.
##
{"ibm": [{"lastseen": "2023-02-21T01:47:07", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM MessageSight.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5\n\n \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM MessageSight 1.2 and earlier\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_IBM MessageSight_| _1.1_| _IT08200_| 1.1.0.1-IBM-IMA-IFIT08200 \n_IBM MessageSight_| _1.2_| _IT08200_| 1.2.0.0-IBM-IMA-Physical-IFIT08200 \n\n1.2.0.0-IBM-IMA-VirtualEdition-IFIT08200\n\n1.2.0.0-IBM-IMA-SoftLayerVirtual-IFIT08200 \n \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T15:12:15", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM MessageSight (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T15:12:15", "id": "8D32D1F194329BA56AB2404AB16F06BCF8F5CE6BEC3C715F218ECA7ABBA7D4D9", "href": "https://www.ibm.com/support/pages/node/260959", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:55", "description": "## Summary\n\nIBM DB2 is shipped as a component of WebSphere Remote Server. 
Information about security vulnerabilities affecting IBM DB2 has been published in a security bulletin.\n\n## Vulnerability Details\n\nFor vulnerability details, see the security bulletin** **[**_Vulnerability in RC4 stream cipher affects IBM DB2 LUW (CVE-2015-2808)._**](<http://www.ibm.com/support/docview.wss?uid=swg21717865>)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nWebSphere Remote Server version V6.2, 6.2.1, 7.0, 7.1, 7.1.1, 7.1.2, 8.5 | IBM DB2 Workgroup Server Edition \nV9.5, 9.7, 10.1, 10.5 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:02:57", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM DB2 shipped with WebSphere Remote Server (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:57", "id": "5CAC33E06E2C656A8F0F2B3DD8616A6C1527F08B2D322F61DBC7614925A11B76", "href": "https://www.ibm.com/support/pages/node/261785", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-12T21:33:53", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 that is used by IBM SONAS. 
This issue was disclosed as part of the IBM Java SDK updates in April 2015.\n\n## Vulnerability Details\n\n \n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM SONAS \nThe product is affected when running a code releases 1.5.0.0 to 1.5.2.1\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SONAS to the following code level or higher: \n \n1.5.2.2 \n \nPlease contact IBM support for assistance in upgrading your system.\n\n## Workarounds and Mitigations\n\nWorkaround(s): None \n \nMitigation(s) : Although IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {}, "published": "2018-06-22T05:47:45", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affect IBM SONAS (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-22T05:47:45", "id": "BC4EAF61DE018F3DB7A7F596B8F8073F339BFA9444A0A1C43D76571F6F0EDA47", "href": "https://www.ibm.com/support/pages/node/706961", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T09:36:48", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects TS4500.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nFirmware versions below 1.1.1.2.\n\n## Remediation/Fixes\n\nUpdate product to firmware version 1.1.1.2 or later. \n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:26", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects TS4500 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:26", "id": "A61ACFBEA7EB35DC3E0966C9913AF28CB2C5D4D64F62042C595744E098F91566", "href": "https://www.ibm.com/support/pages/node/690407", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:45:03", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Intelligent Operations Center.\n\n## Vulnerability Details\n\n**CVE ID: **[CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION: **The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as **Bar Mitzvah Attack**. 
\n \nCVSS Base Score: 5.00 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**\n\n| **Product shipped as a component** \n---|--- \nIBM Intelligent Operations Center version 1.6.0.3| IBM HTTP Server \n \n## Remediation/Fixes\n\nInterim fix [PO04697](<http://www.ibm.com/support/docview.wss?uid=swg24039899>) fixes this issue. Either apply the interim fix, or follow the manual instructions that are provided in the \"Workarounds and Mitigations\" section.\n\n## Workarounds and Mitigations\n\n1\\. For a standard topology, on the web server, edit the following file: \n` /opt/IBM/HTTPServer/conf/httpd.conf` \n \nFor a high availability topology, modify the file on both of the web servers. \n \n2\\. Modify the following lines: \n \n` SSLCipherSpec ALL SSL_RSA_WITH_RC4_128_MD5 \nSSLCipherSpec ALL SSL_RSA_WITH_RC4_128_SHA \n` \nto: \n \n` ##SSLCipherSpec ALL SSL_RSA_WITH_RC4_128_MD5 \n##SSLCipherSpec ALL SSL_RSA_WITH_RC4_128_SHA \n` \n3\\. In a standard environment, restart the web server. For more information, see \"Starting the components in a standard environment\" in the [IBM Intelligent Operation Center product documentation](<http://www.ibm.com/support/knowledgecenter/SS3NGB_1.6.0/ioc/kc_welcome.dita>). \nIn a high availability environment, restart both web servers. 
For more information, see \"Starting the components in a high availability environment\" in the [IBM Intelligent Operation Center product documentation](<http://www.ibm.com/support/knowledgecenter/SS3NGB_1.6.0/ioc/kc_welcome.dita>).\n\n## ", "cvss3": {}, "published": "2018-06-17T22:28:25", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Intelligent Operations Center (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T22:28:25", "id": "BD5A8592894DFC559659FD42A38827EC577BA530F0B58F5F9014E3109AD96B82", "href": "https://www.ibm.com/support/pages/node/260689", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T05:38:05", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects TS3310.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nFirmware versions below 660G. \n\n## Remediation/Fixes\n\nUpdate product firmware to 660G or later. \n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:26", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects TS3310 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:26", "id": "7FFC9D02CF4E41D82C797DF64C1AB3F317232B978DF318282845098228C6A4EE", "href": "https://www.ibm.com/support/pages/node/690405", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:53", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Rational ClearQuest. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, versions 7.1.0.x, 7.1.1.x, 7.1.2.x, 8.0.0.x, 8.0.1.x, in the following components: \n\n * ClearQuest Eclipse clients that use Report Designer, run remote reports on servers using secure connections, or use the embedded browser to connect to secure web sites.\n * ClearQuest Web Server with SSL enabled\n\n## Remediation/Fixes\n\nThe fix depends on the component you use that is affected by this vulnerability: \n\n\n * **ClearQuest Eclipse client component**\n \nUpgrade ClearQuest \n \n\n\n**Affected Versions**\n\n| \n\n** Fix Pack containing the fix** \n \n---|--- \n \n8.0.1.x\n\n| Install [Rational ClearQuest Fix Pack 8 (8.0.1.8)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039864>) \n \n8.0.0.x\n\n| Install [Rational ClearQuest Fix Pack 15 (8.0.0.15)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039862>) \n \n7.1.2.x \n7.1.1.x \n7.1.0.x\n\n| Customers with extended support contracts should install [Rational ClearQuest Fix Pack 18 (7.1.2.18)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039860>) \n * **ClearQuest Web Server**** component**\n \nThe 
solution is to apply fixes or mitigations to your IBM WebSphere Application Server (WAS) and IBM HTTP Server (IHS) components. \n\nIf your clients connect to IHS via SSL (which then redirects their connections to WAS), then review this IHS bulletin: [Security Bulletin: Vulnerability in RC4 stream cipher affects IBM HTTP Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21701072>) and apply fixes or remediations to your server.\n\nIf your clients connect directly to WAS with SSL, then review this bulletin for instructions on applying a mitigation or fix to your WAS installation and your ClearCase profile:\n\n \n[Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21701503>). \n\nDepending on your version of ClearQuest, you may need additional steps when installing IHS or WAS fixes:\n\n \n \n\n\n**Affected Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n7.1.0.x, 7.1.1.x, and 7.1.2.x| [Document 1390803](<http://www.ibm.com/support/docview.wss?uid=swg21390803>) explains how to update WebSphere Application Server and/or IBM HTTP Server for ClearQuest Web Servers at release 7.1.x. Consult those instructions when applying the fix. \n8.0.0.x \n8.0.1.x| Apply the appropriate WebSphere Application Server and/or IBM HTTP Server fix directly to your ClearQuest Web server host. No ClearQuest-specific steps are necessary. \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n \n_For unsupported versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:59", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in RC4 stream cipher affects ClearQuest (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T05:01:59", "id": "A01095B85130C6F3590205F9C223B6445272B68D08E6AB6E74247C45E91CE8A8", "href": "https://www.ibm.com/support/pages/node/263735", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:44:49", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the IBM FlashSystem 900.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM FlashSystem 900 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE2 and 9843-AE2.\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nFlashSystem 900 MTMs: \n \n9840-AE2 & \n9843-AE2 | A code fix is now available. The VRMF of this code level is 1.2.1.8 (or later). | None | This vulnerability has been remediated in firmware version 1.2.1.8 \n \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables any use of the RC4 stream cipher when interfacing to the IBM FlashSystem 900 -- and does not allow it to be re-enabled. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n_For firmware versions released earlier than 1.2.1.8, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {}, "published": "2019-01-03T20:55:01", "type": "ibm", "title": "Security Bulletin: A vulnerability in RC4 stream cipher affects IBM FlashSystem 900 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-03T20:55:01", "id": "EE13AC8357DD960F4675FB52EA635CB1F98308493448718725A86592C6B9B86C", "href": "https://www.ibm.com/support/pages/node/690519", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-12T17:34:41", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the IBM\u00ae FlashSystem\u2122 V840. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n_FlashSystem V840 including machine type and models (MTMs) for all available code levels._ MTMs affected include 9846-AE1, 9848-AE1, 9846-AC0, 9848-AC0, 9846-AC1, and 9848-AC1. \n\n## Remediation/Fixes\n\n_V840 MTMs_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**Storage nodes:** \n9846-AE1 & \n9848-AE1 \n \n**Control nodes:** 9846-AC0, \n9846-AC1, \n9848-AC0, \n9848-AC1| _A code fix is now available, the VRMF of this code level is 1.3.0.2 (or later) for the storage enclosure nodes and 7.5.0.2 for the control nodes. 
_| _ __N/A_| _No workarounds or mitigations, other than applying this code fix, are known for this vulnerability_ \n \n \n1.3.0.2 is available @ IBM\u2019s Fix Central **: **[**_V840 fixes, download 1.3.0.2 or later_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash+high+availability+systems&product=ibm/StorageSoftware/IBM+FlashSystem+V840&release=All&platform=All&function=all>)* \n7.5.0.2 is available @ IBM\u2019s Fix Central**: **[**_V840 fixes, download 7.5.0.2 or later_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash+high+availability+systems&product=ibm/StorageSoftware/IBM+FlashSystem+V840&release=All&platform=All&function=all>)* \n \n* This vulnerability had been previously fixed on the FlashSystem V840\u2019s control nodes, but was fixed in all code fixes release 7.4.0.4 or later, though upgrade to 7.5.0.2 or later is recommended because of other fixes in 7.5.0.2 which are not in 7.4.0.4. This vulnerability had also been previously fixed on the FlashSystem V840\u2019s storage node, for other ports, but was reintroduced in the code level 1.2.1.4 on the port opened to allow REST API control. FlashSystem V840 storage nodes running code levels prior to 1.3.0.2, but at 1.2.1.4 or 1.2.1.7, only have this vulnerability on the port used exclusively by the REST API. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:58", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects the IBM FlashSystem V840 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:58", "id": "8231FCB823156A9FFD54E4122B0CB8FACB019DF1BE7C9AC11E08A11C07956B2F", "href": "https://www.ibm.com/support/pages/node/690657", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:37:18", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Informix Genero.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nInformix Genero 2.32, 2.40, and 2.50 \n\n## Remediation/Fixes\n\nInformix Genero component products with version numbers 2.50.12.P4 and 2.50.14.P4 are available to address these vulnerabilities. These versions can be downloaded from IBM\u2019s Fix Central web site at the locations indicated below. \n\n**Informix Genero Version** | **_Remediation/Fix by OS / Platform_** \n---|--- \n**2.50.14.P4** | [Linux-32](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.14.P4&platform=Linux+32-bit,x86&function=all>); [Linux-64](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.14.P4&platform=Linux+64-bit,x86_64&function=all>); [Linux (pSeries)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.14.P4&platform=Linux+64-bit,pSeries&function=all>); [HP-UX (Risc-64)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.14.P4&platform=HPUX+64-bit,+PA+RISC&function=all>); [HP-UX (IA-64)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.14.P4&platform=HPUX+64-bit,+IA64&function=all>); [Mac OSX 10.5](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.14.P4&platform=Mac+OSX+10.5&function=all>); [Solaris (SPARC)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.14.P4&platform=Solaris+64-bit,SPARC&function=all>); [Solaris (Intel)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.14.P4&platform=Solaris+64-bit,x86&function=all>); [AIX (pSeries)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.14.P4&platform=AIX+64-bit,+pSeries&function=all>) \n**2.50.12.P4** | [Windows (32)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.12&platform=Windows+32-bit,+x86&function=all>); [Windows (64)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.12&platform=Windows+64-bit,+x86&function=all>); [Linux-32](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.12&platform=Linux+32-bit,x86&function=all>); [Linux-64](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.12&platform=Linux+64-bit,x86_64&function=all>); [Linux (pSeries)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.12&platform=Linux+64-bit,pSeries&function=all>); [HP-UX (Risc-64)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.12&platform=HPUX+64-bit,+PA+RISC&function=all>); [HP-UX (IA-64)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.12&platform=HPUX+64-bit,+IA64&function=all>); [Mac OSX 10.5](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.12&platform=Mac+OSX+10.5&function=all>); [Solaris (SPARC)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.12&platform=Solaris+64-bit,SPARC&function=all>); [Solaris (Intel)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.12&platform=Solaris+64-bit,x86&function=all>); [AIX (pSeries)](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Informix+Tools&release=GEN2.50.12&platform=AIX+64-bit,+pSeries&function=all>) \n \nThis fix disables the RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. You should verify that applying this fix does not cause any compatibility issues. \n\nFor Informix Genero versions 2.3x and 2.4x, IBM recommends an upgrade to a fixed, supported version of the product. \n\n## Workarounds and Mitigations\n\nThe mitigation for this issue is to configure the OpenSSL library used by Informix Genero to disable the RC4 cipher. The options to perform this action are as follows: \n\n**_Configuring OpenSSL to disable RC4_**\n\n**Option 1 - _Disable RC4 in a server via a config file._**\n\n \nLocate the configuration file for OpenSSL that your product uses. \n\nNote: If your product uses a _shared_ config file, particularly a config file owned by the OS, address this first, since changing the supported ciphers may impact other processes and cause them to stop working. Look for a line similar to this:\n\n \nSSLCipherSuite **ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3:!EXPORT** \nNote: The SSLCipherSuite tag may vary from product to product. This example is from Apache, but the general format for the cipher selection is a common format which the OpenSSL API accepts. \n\nAdd **!RC4** to disable RC4 and remove any entries that explicitly enable RC4; in the example above, \"RC4+RSA\" also needs to be removed.\n\nFor example, old:\n\n \nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLV3:!EXPORT \nnew: \nSSLCipherSuite ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLV3:!EXPORT \nVerify using \n**openssl ciphers -V \"<cipherlist>\" | grep RC4** \nwhere <cipherlist> is similar to \nALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLV3:!EXPORT \ni.e. 
\n**openssl ciphers -V \"ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLV3:!EXPORT\" | grep RC4**\n\n**<cipherlist> MUST BE the cipher specification your product actually uses.**\n\n \nNote: This is *NOT* an exact recipe for secure operation; it merely shows how to solve THIS problem and remove RC4 from the negotiated cipher list. \n\nSee [_http://www.openssl.org/docs/apps/ciphers.html_](<http://www.openssl.org/docs/apps/ciphers.html>) for more detail on the syntax of cipher suite configuration. When testing, it is recommended to run **openssl ciphers -V \"<cipherlist>\"** and check that you have some ciphers left and not an empty set.\n\n \n \n**Option 2 - _Disable RC4 programmatically (Client or server)_**\n\n \nThis is similar to the config file method, except you use **SSL_CTX_set_cipher_list()** or **SSL_set_cipher_list()**.\n\nSee <http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html>\n\nThe syntax of the list is the same as described above. When testing, it is recommended to run **openssl ciphers -V \"<cipherlist>\"** and check that you have some ciphers left and not an empty set.\n\nChecking the ciphers configured can also be done programmatically using **SSL_get_cipher_list()**.\n\nSee <http://www.openssl.org/docs/ssl/SSL_get_ciphers.html>\n\n \n \n**_Testing_**\n\n * The easiest testing is to use SSL_get_cipher_list() and dump the list of configured ciphers that will work for client or server.\n * The other option is to use the openssl command line program, configure that to act as the other end of the connection with RC4 suites enabled, and check that when negotiation occurs, ciphers containing RC4 are never available and never selected. This is awkward in practice as the ciphers used are negotiated from the intersection of the sets supported by client and server. 
The best method differs a little between client and server testing.\n\n**_Testing a client_**\n\n \nTesting a client is the simple case, as openssl s_server dumps the shared ciphers when a connection from the client is made. Testing with both RSA and EC certs is difficult as the server needs to be restarted to do both, but for the simpler RSA case: \n\nGenerate the server key and certificate:\n\n \n**openssl genrsa -out server_privkey2k.pem 2048**\n\n**openssl req -new -x509 -key server_privkey2k.pem -out server_cert2k.pem -days 1095 -subj '/C=AU/ST=Queensland/L=GoldCoast/CN=somewhere.ibm.com'**\n\n \nStart the openssl server and connect the client to the server. In the example below the server binds to localhost port 3443. \n\nNote that the client and server can be run on the same machine, but the commands below need to be run in separate windows.\n\n_Start the server in \"window 1\"_\n\n \n**openssl s_server -accept 3443 -cert server_cert2k.pem -key server_privkey2k.pem** \n_Start the client in \"window 2\"_ \n**openssl s_client -connect localhost:3443** (Note that the client output is NOT useful here) \nThe server output (in window 1) IS useful and will look like this: \n\nUsing default temp DH parameters\n\nUsing default temp ECDH parameters\n\nACCEPT\n\n\\-----BEGIN SSL SESSION PARAMETERS-----\n\nMFUCAQECAgMDBALALwQABDDLJ0FuVcIvtbursIelrqg25tPmnJ5Qfo+Iz9oxqrAY\n\nw0Q0MV2dCKXHMp8ChZDJZXShBgIEVRnxuqIEAgIBLKQGBAQBAAAA\n\n\\-----END SSL SESSION PARAMETERS-----\n\nShared 
ciphers:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDHE-RSA-**RC4**-SHA:ECDHE-ECDSA-**RC4**-SHA:**RC4**-SHA\n\nCIPHER is ECDHE-RSA-AES128-GCM-SHA256\n\nSecure Renegotiation IS supported\n\nAs can be seen above, this would be a fail: RC4 appears in the shared cipher list. \n\n**Note:** The fact that RC4 wasn\u2019t actually used is irrelevant for this test; if it is in the shared cipher list it could have been used.\n\n \n \n**_Testing a server_** \nThe flexibility of the OpenSSL cipher selection helps here. \n**openssl s_client -connect localhost:3443 -cipher \"RC4\"** \nThis sets the client cipher list to include all the available RC4 ciphers, and the server will pick one if there\u2019s a match. \n\nBelow is a handshake failure, which is what you want to see. 
\n\nCONNECTED(00000003)\n\n140333137577840:error:14077410:SSL **routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:**\n\n\\---\n\nno peer certificate available\n\n\\---\n\nNo client certificate CA names sent\n\n\\---\n\nSSL handshake has read 7 bytes and written 105 bytes\n\n\\---\n\nNew, (NONE), Cipher is (NONE)\n\nSecure Renegotiation IS NOT supported\n\nCompression: NONE\n\nExpansion: NONE\n\nBelow is the fail case. This is a successful connection, but a test failure.\n\n**mulga:~> openssl s_client -connect localhost:3443 -cipher \"RC4\"**\n\nCONNECTED(00000003)\n\ndepth=0 C = AU, ST = Queensland, L = GoldCoast, CN = mulga.gc.au.ibm.com\n\nverify error:num=18:self signed certificate\n\nverify return:1\n\ndepth=0 C = AU, ST = Queensland, L = GoldCoast, CN = mulga.gc.au.ibm.com\n\nverify return:1\n\n\\---\n\nCertificate chain\n\n0 s:/C=AU/ST=Queensland/L=GoldCoast/CN=mulga.gc.au.ibm.com\n\ni:/C=AU/ST=Queensland/L=GoldCoast/CN=mulga.gc.au.ibm.com\n\n\\---\n\nServer certificate\n\n\\-----BEGIN 
CERTIFICATE-----\n\nMIIDezCCAmOgAwIBAgIJAJjckZ/MuhACMA0GCSqGSIb3DQEBBQUAMFQxCzAJBgNV\n\nBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMRIwEAYDVQQHDAlHb2xkQ29hc3Qx\n\nHDAaBgNVBAMME211bGdhLmdjLmF1LmlibS5jb20wHhcNMTQwMzI4MDExMTA0WhcN\n\nMTcwMzI3MDExMTA0WjBUMQswCQYDVQQGEwJBVTETMBEGA1UECAwKUXVlZW5zbGFu\n\nZDESMBAGA1UEBwwJR29sZENvYXN0MRwwGgYDVQQDDBNtdWxnYS5nYy5hdS5pYm0u\n\nY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAujPV7n24u2rGkTHV\n\ncu0DwdUoNtB9SgzKmgTgg7xwjUbuJlAtqKfOZCiqV4H9/6M2fU8u8wABQ10NoI0W\n\nlz/e27VFzlzRFyonubH7Nl+Bh2ZVe+SRWZri1Ak6DBpx+spLtm9HzddpS9FKQbIL\n\ngppbh07BX9hBmMy0S5FvTRw/GXT/yhVw/dOXiHm2ZDd3+/7EAMPjLhh0ck3l5rk2\n\nJw0MuKmLgy79YCTLpHY09NyKNvcx7DpZM/J4PWrHT9xaTcYj5kmes15ZKH7CU5uC\n\nnT8HpsBB0sVjgyPVi40vOG5gMaTkWdavNbZsFEzNHZAijPh6LawPsjUHNpJWo0bp\n\n4zhHlQIDAQABo1AwTjAdBgNVHQ4EFgQU+wXIKZAahSg2DLXcDqmh2Z99dZ8wHwYD\n\nVR0jBBgwFoAU+wXIKZAahSg2DLXcDqmh2Z99dZ8wDAYDVR0TBAUwAwEB/zANBgkq\n\nhkiG9w0BAQUFAAOCAQEAq8TynGnKpZHjbYeaXxxMAow/JM4FgwjL7gTXEBeVXGKW\n\nNPtZBFCUDiGhSWKu0muvkd2NMCuaFSAJme8m/gW4xkVPsCk8Fr2diViT1dLZrBR4\n\nElAdiI/4RwigQFkRvrKu1CU1CPDcyAuj7Qg213WOV48PAmfmRVOLWp1Lsh8ZUTDD\n\nQvi80EHOUE5+2jYwQKELyn81OoWHAuQ/IXCW0Xqhz3cybr88CV2paarHKLGEYd8C\n\nMHn100Qpwg5zieG4Vy+9jEuoTfxs6weGsUllvrIQ0LV3EItzh+k3SYw/+u+8wgjT\n\n1zTyiY7b883aBnjUDLmOzcJaLSGb4Ms8jY1+5jpvOA==\n\n\\-----END CERTIFICATE-----\n\nsubject=/C=AU/ST=Queensland/L=GoldCoast/CN=mulga.gc.au.ibm.com\n\nissuer=/C=AU/ST=Queensland/L=GoldCoast/CN=mulga.gc.au.ibm.com\n\n\\---\n\nNo client certificate CA names sent\n\nServer Temp Key: ECDH, prime256v1, 256 bits\n\n\\---\n\n**SSL handshake has read 1550 bytes and written 259 bytes**\n\n\\---\n\nNew, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA\n\nServer public key is 2048 bit\n\nSecure Renegotiation IS supported\n\nCompression: NONE\n\nExpansion: NONE\n\nSSL-Session:\n\nProtocol : TLSv1.2\n\nCipher : ECDHE-RSA-RC4-SHA\n\nSession-ID: 7D141BD56CFD88646E7B71300239C773D11CDC93BF5DBFA7C1FF213D3A7B1889\n\nSession-ID-ctx: \n\nMaster-Key: 
1F32F04738C3FAA3A49F7AB642CF29F53112A8A3238A2E5828148DEC755D8215EBA4301B62B5D13CED92B65D75C988BC\n\nKey-Arg : None\n\nKrb5 Principal: None\n\nPSK identity: None\n\nPSK identity hint: None\n\nTLS session ticket lifetime hint: 300 (seconds)\n\nTLS session ticket:\n\n0000 - 88 83 0a ae 25 28 87 3f-69 0a 5f 75 fa dc 28 fb ....%(.?i._u..(.\n\n0010 - cb 79 fa a2 67 46 63 83-9e 74 82 c5 e2 2f 39 35 .y..gFc..t.../95\n\n0020 - 72 85 f4 e4 26 2a d7 49-d5 8e da 7a 46 ad a3 a3 r...&*.I...zF...\n\n0030 - e4 f4 7e e8 2c 37 42 ed-3e 3b 5b ce f0 5a 23 0c ..~.,7B.>;[..Z#.\n\n0040 - 12 df f9 2c db 23 94 56-83 60 40 e5 29 66 90 0a ...,.#.V.`@.)f..\n\n0050 - f2 d4 7b 1e ff 73 fd 38-76 56 b6 34 b9 77 72 9b ..{..s.8vV.4.wr.\n\n0060 - 54 f6 e8 87 50 7d f5 a9-71 56 7f 3e b6 b5 f1 62 T...P}..qV.>...b\n\n0070 - 97 e8 f7 96 cf 43 47 5b-9f 4b 7f 1f c9 24 e1 37 .....CG[.K...$.7\n\n0080 - 65 5d d3 44 dd e7 f1 cf-29 f0 dc 9e c8 06 51 ea e].D....).....Q.\n\n0090 - 04 91 9b a8 70 3a 1e 88-53 08 b6 55 9c 05 3a 25 ....p:..S..U..:%\n\nStart Time: 1427765190\n\nTimeout : 300 (sec)\n\nVerify return code: 18 (self signed certificate)\n\nYou should verify that applying this configuration change does not cause any compatibility issues. _Not disabling the RC4 stream cipher will expose you to the attack described above._ IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2021-06-03T22:07:53", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Informix Genero (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2021-06-03T22:07:53", "id": "E724E59674A5FAAA2E20B6D20583DEBF17E0AF4DDA7B45308A373ED95976AE19", "href": "https://www.ibm.com/support/pages/node/264063", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:37:54", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects InfoSphere BigInsights. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nCustomers who have Secure Sockets Layer (SSL) support enabled for any of the BigInsights components. \n \nIBM InfoSphere BigInsights 2.0, 2.1, 2.1.2, 3.0, 3.0.0.1, 3.0.0.2, 4.0 \n\n## Remediation/Fixes\n\nFor versions 2.1.2, 2.1, and 2.0: Apply the Interim fix, which removes RC4 cipher suites from the default list of enabled cipher suites. After downloading the BigInsights IBM Java version 1.6 Service Refresh 16 Fix Pack 3 from [fixcentral](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%3FInformation%2BManagement&product=ibm/Information+Management/InfoSphere+BigInsights&release=2.1.2.0&platform=All&function=all>), perform the following steps to replace the default JDK as BigInsights Administrator: \n \nThe steps below assume that the new JDK is _ibm-java-sdk-6.0-16.3-linux-x86_64.tgz_ and the current JDK is _ibm-java-sdk-6.0-12.0-linux-x86_64.tgz_. Replace the file names with the version of the new JDK for your platform and with the current version installed on your system. \n\n\n 1. Stop InfoSphere BigInsights: $BIGINSIGHTS_HOME/bin/stop-all.sh\n 2. Upload the new IBM JDK to the console node in the $BIGINSIGHTS_HOME directory\n 3. 
Run the following commands on the BigInsights console node:\n * cd $BIGINSIGHTS_HOME\n * mv jdk/ jdk_orig\n * sudo chmod 777 ibm-java-sdk-6.0-16.3-linux-x86_64.tgz\n * sudo chown biadmin:biadmin ibm-java-sdk-6.0-16.3-linux-x86_64.tgz\n * tar zxvf ibm-java-sdk-6.0-16.3-linux-x86_64.tgz\n * mv ibm-java-x86_64-60 jdk\n * mv $BIGINSIGHTS_HOME/hdm/jdk $BIGINSIGHTS_HOME/hdm/jdk_orig\n * cp -r $BIGINSIGHTS_HOME/jdk $BIGINSIGHTS_HOME/hdm/ \n 4. Run the following commands from the console node against all other nodes in the cluster (node is the name of the non-console node): \n\n * ssh node \"mv $BIGINSIGHTS_HOME/jdk $BIGINSIGHTS_HOME/jdk_orig\"\n * scp -r $BIGINSIGHTS_HOME/jdk node:$BIGINSIGHTS_HOME/\n 5. Run the following commands on the console node:\n\n * cd $BIGINSIGHTS_HOME/hdm/artifacts\n * mv ibm-java-sdk-6.0-12.0-linux-x86_64.tgz ibm-java-sdk-6.0-12.0-linux-x86_64.tgz_orig\n * cp $BIGINSIGHTS_HOME/ibm-java-sdk-6.0-16.3-linux-x86_64.tgz ibm-java-sdk-6.0-12.0-linux-x86_64.tgz\n * cd $BIGINSIGHTS_HOME/hdm/todeploy\n * mv jdk.tar.gz jdk.tar.gz_orig\n * mv jdk.tar.gz.cksum jdk.tar.gz.cksum_orig\n * syncconf.sh \n * cp jdk.tar.gz.cksum $BIGINSIGHTS_HOME/jdk/.deploy.cksum\n * For each node (where node is the name of the non-console node):\n * scp $BIGINSIGHTS_HOME/jdk/.deploy.cksum node:$BIGINSIGHTS_HOME/jdk/.deploy.cksum\n 6. Sync the configuration and restart BigInsights: \n$BIGINSIGHTS_HOME/bin/syncconf.sh \n$BIGINSIGHTS_HOME/bin/start-all.sh \n$BIGINSIGHTS_HOME/bin/healthcheck.sh \n\nFor other versions affected by this vulnerability, follow the instructions in the mitigation section. \n\n## Workarounds and Mitigations\n\nThis vulnerability can be mitigated by disabling RC4 in the IBM Java security file and enabling FIPS mode in the LDAP security plug-in configuration file for Big SQL. \n \n**For versions 3.0, 3.0.0.1, 3.0.0.2** \n \nFollow the mitigation instructions below as BigInsights Administrator to disable RC4 in IBM Java: \n\n\n 1. 
Stop InfoSphere BigInsights: $BIGINSIGHTS_HOME/bin/stop-all.sh \n 2. On the console node, update the java.security file to turn off RC4:\n * Locate the java.security file on the console node under $BIGINSIGHTS_HOME/hdm/jdk/jre/lib/security/java.security \n * Edit the java.security file and turn off RC4 by adding: jdk.tls.disabledAlgorithms=SSLv3,RC4 \n 3. Recreate jdk.tar.gz to include the new version of the java.security file on the console node:\n\n * cd $BIGINSIGHTS_HOME/hdm/todeploy\n * mv jdk.tar.gz jdk.tar.gz.orig\n * mv jdk.tar.gz.cksum jdk.tar.gz.cksum.orig\n * syncconf.sh \n * cp $BIGINSIGHTS_HOME/hdm/todeploy/jdk.tar.gz.cksum $BIGINSIGHTS_HOME/jdk/.deploy.cksum \n 4. Run the following commands from the console node against all other nodes in the cluster (node is the name of the non-console node): \n\n * ssh node mv $BIGINSIGHTS_HOME/jdk/.deploy.cksum $BIGINSIGHTS_HOME/jdk/.deploy.cksum.orig\n * scp $BIGINSIGHTS_HOME/jdk/.deploy.cksum node:$BIGINSIGHTS_HOME/jdk/.deploy.cksum \n 5. On each node: \n\n * Locate the java.security file used by BigInsights: $BIGINSIGHTS_HOME/jdk/jre/lib/security/java.security\n * Edit the java.security file and turn off RC4 by adding: jdk.tls.disabledAlgorithms=SSLv3,RC4 \n 6. Restart BigInsights: $BIGINSIGHTS_HOME/bin/start-all.sh\n \n \n**For versions 3.0, 3.0.0.1, 3.0.0.2, and 4.0** \n \nCustomers who have Secure Sockets Layer (SSL) support enabled in their client configuration using the LDAP security plug-in to communicate with the LDAP server for Big SQL should follow the instructions below to mitigate the problem. SSL support is not enabled in the LDAP security plug-in by default. \n \nMitigation instructions: \n\nCustomers should enable FIPS mode in the LDAP security plug-in as follows: \n\n 1. As the Big SQL instance owner, open the LDAP security plug-in configuration file. The default name and location for the IBM LDAP security plug-in configuration file is:\n * BIGSQL_HOME/sqllib/cfg/IBMLDAPSecurity.ini 
\n * Optionally, it could reside in the location defined by the DB2LDAPSecurityConfig environment variable \n 2. Search for the FIPS_MODE configuration parameter in the file and change its value to true. Save and close the file. \n\n; FIPS_MODE \n; To set SSL encryption FIPS mode on or off. \n; Optional; Valid values are true (on) and false (off). Defaults to \n; false (FIPS mode off). \nFIPS_MODE = true \n\n## ", "cvss3": {}, "published": "2021-04-08T20:59:42", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects InfoSphere BigInsights (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2021-04-08T20:59:42", "id": "A000D9D739BF19E450376504F59B738631A89DC3231F08AD20A9C9A368A1B2C4", "href": "https://www.ibm.com/support/pages/node/262717", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T09:36:52", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects TS3400.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nFirmware versions below 0053.\n\n## Remediation/Fixes\n\nUpdate product to firmware version 0053 or later. \n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:26", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects TS3400 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:26", "id": "C647AAD0793912354F54C4B8043E2D01E399C4D5A45845600A6C92FFFFA7A81B", "href": "https://www.ibm.com/support/pages/node/690409", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:40:41", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah Attack\" for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) affects z/TPF.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n\n\n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nz/TPF Enterprise Edition Version 1.1.11 and earlier\n\n## Remediation/Fixes\n\n**Product** | **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nz/TPF| 1.1.11 and earlier| None| Do not use the RC4 algorithm in SSL sessions. See Workarounds and Mitigations. \n \n## Workarounds and Mitigations\n\nDisable the RC4 encryption algorithm from the OpenSSL library for z/TPF. To disable the RC4 encryption algorithm, complete the following steps: \n\n 1. Ensure that existing SSL applications are not set up to use the RC4 encryption algorithm. If they are, change the applications to use a more secure algorithm, such as AES-128.\n 2. Add the OPENSSL_NO_RC4 compiler option to the `cryp.mak` and `cssl.mak` files:\n * In the `cryp.mak` file, add the following statement: \n`CFLAGS_CRYP += -DOPENSSL_NO_RC4`\n * In the `cssl.mak` file, add the following statement: \n`CFLAGS_CSSL += -DOPENSSL_NO_RC4`\n 3. Remove or comment out the following source segments in the `cryp.mak` file: \n`#C_SRC += rc4_enc.c \n#C_SRC += rc4_skey.c`\n 4. Build the CRYP and CSSL shared objects by using `maketpf` with the force (`-f`) option.\n 5. Load the CRYP and CSSL shared objects to the z/TPF system again.\n 6. Recycle the shared SSL daemons (if defined) and restart all SSL applications.\n\n## ", "cvss3": {}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects z/TPF (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-08-03T04:23:43", "id": "54D8CEDBAC6FD9B41208009218D5BB60370978EE37D8959B1153B08392F7339A", "href": "https://www.ibm.com/support/pages/node/260843", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:40:47", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah Attack\" for Secure Socket Layer (SSL) and Transport Layer Security (TLS) affects TPF Toolkit.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n\n\n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nTPF Toolkit 4.0.x and 4.2.x\n\n## Remediation/Fixes\n\n**Product** | **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nTPF Toolkit| 4.2.x| JR53501| \n\n 1. Install the latest version of IBM Installation Manager.\n 2. Apply Interim Fix 4.2.4 by using IBM Installation Manager.\n 3. 
Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from [_http://www.ibm.com/developerworks/java/jdk/_](<http://www.ibm.com/developerworks/java/jdk/>) \nTPF Toolkit| 4.0.x| JR53500| \n\n 1. Install the latest version of IBM Installation Manager.\n 2. Apply Interim Fix 4.0.7 by using IBM Installation Manager.\n 3. Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from [_http://www.ibm.com/developerworks/java/jdk/_](<http://www.ibm.com/developerworks/java/jdk/>) \n \n## Workarounds and Mitigations\n\nFor TPF Toolkit 4.0.x and 4.2.x, you can disable the RC4 encryption algorithm for the IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 that is used by TPF Toolkit and the DSTORE server on any remote systems. To disable the RC4 encryption algorithm, complete the following steps: \n\n 1. Close TPF Toolkit.\n 2. Navigate to the `%TPFHOME%\\jdk\\jre\\lib\\security` directory, and add or update the `jdk.tls.disabledAlgorithms` property in the `java.security` file to include the RC4 encryption algorithm: \n`jdk.tls.disabledAlgorithms=SSLv3, RC4`\n 3. On each remote system that hosts a DSTORE server for TPF Toolkit, navigate to the `$JAVA_HOME\\jre\\lib\\security` directory and add or update the `jdk.tls.disabledAlgorithms` property in the `java.security` file to include the RC4 encryption algorithm: \n`jdk.tls.disabledAlgorithms=SSLv3, RC4` \n \n**Note:** `$JAVA_HOME` is the installation directory for Java on the remote systems.\n 4. 
Restart TPF Toolkit.\n\n## ", "cvss3": {}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects TPF Toolkit (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-08-03T04:23:43", "id": "29687AF8C77B1B380581C7B76C863B078995151B56F0F908E108D3AB6EBE7340", "href": "https://www.ibm.com/support/pages/node/260861", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-12T21:34:38", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Network Advisor.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to obtain sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Network Advisor Versions prior to 12.4.2.\n\n## Remediation/Fixes\n\nIBM Network Advisor 12.4.2. \n\n \n<https://www-947.ibm.com/support/entry/portal/product/system_networking/storage_area_network_%28san%29/san_management_software/ibm_network_advisor?productContext=-1976103879> \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:56", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Network Advisor (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:56", "id": "BB51B1CD5A42161B2D7937DBBCDFB1234DFC6114023656683DA2AFDAAC6A2542", "href": "https://www.ibm.com/support/pages/node/690671", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Personal Communications.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Personal Communications versions: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nEnable FIPS mode for the secure connection in order to automatically disable the RC4 ciphers. \n\n_Steps to enable FIPS mode:_\n\n1\\. Select the \"Communication -> Configure...\" menu item.\n\n![\\[$26BB2E81A9C5F26D.jpg\\]](/support/pages/system/files/support/swg/rattech.nsf/0/c2575bf8443ba15b85257e21003ba2a6/WorkaroundsMitigations/0.2FE.jpg) \n--- \n \n2\\. Click the \"Link Parameters...\" button. ![\\[$189AE46F1C7A9E4E.jpg\\]](/support/pages/system/files/support/swg/rattech.nsf/0/c2575bf8443ba15b85257e21003ba2a6/WorkaroundsMitigations/0.3EEC.jpg) \n--- \n3\\. Select the \"Enable FIPS Mode (TLS Protocol only)\" check box on the \"Security Setup\" tab. ![\\[$121AD5899AA28873.jpg\\]](/support/pages/system/files/support/swg/rattech.nsf/0/c2575bf8443ba15b85257e21003ba2a6/WorkaroundsMitigations/3.2F0E.jpg) \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n--- \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n10 April 2015: Original Version Published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSEQ5Y\",\"label\":\"Personal Communications\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\"General Information\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.0;6.0.1;6.0.2;6.0.3;6.0.4;6.0.5;6.0.6;6.0.7;6.0.8;6.0.9;6.0.10;6.0.11;6.0.12;6.0.13;6.0.14\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB17\",\"label\":\"Mainframe TPS\"}},{\"Product\":{\"code\":\"SSEQ5Y\",\"label\":\"Personal Communications\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB17\",\"label\":\"Mainframe TPS\"}}]", "cvss3": {}, "published": "2019-03-05T12:59:26", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Personal Communications (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-03-05T12:59:26", "id": "CAFD515F067C0ADB25648289EE581F0602867E759926D5D9A4F349BAFFDF5676", "href": "https://www.ibm.com/support/pages/node/260877", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-12T17:34:51", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the IBM FlashSystem V840.\n\n## Vulnerability 
Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM FlashSystem V840 including machine type and models (MTMs) for all available code levels. MTMs affected include 9846-AE1, 9848-AE1,9846-AC0, 9846-AC1, 9848-AC0, and 9848-AC1. \n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nFlashSystem V840 MTMs: \n\n9846-AE1,\n\n9848-AE1,\n\n9846-AC0,\n\n9846-AC1,\n\n9848-AC0,\n\n9848-AC1\n\n| A code fix is now available. The VRMF of this code level is 1.1.3.8 (or later) for the storage enclosure nodes (-AEx) and 7.4.0.4 for the control nodes (-ACx)| None| This vulnerability has been remediated in firmware versions 1.1.3.8 (-AEx) and 7.4.0.4 (-ACx) \n \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables any use of the RC4 stream cipher when interfacing to the IBM FlashSystem V840 -- and does not allow it to be re-enabled. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n_For firmware versions released earlier than 1.1.3.8 for the storage enclosure nodes and 7.4.0.4 for the control nodes, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n \n \n[_Link to FlashSystem V840 fixes_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash+high+availability+systems&product=ibm/StorageSoftware/IBM+FlashSystem+V840&release=All&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:28", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM FlashSystem V840 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:28", "id": "3B11861A1C6A1658F4CCA0857EFB445DDD388E749F390CC0A61C823304AEAB17", "href": "https://www.ibm.com/support/pages/node/690443", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:53", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Workload Deployer.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) 
\n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Workload Deployer version 3.1 and later\n\n## Remediation/Fixes\n\nVirtual machines deployed from IBM Workload Deployer are affected. This includes RedHat Linux and AIX based deployments. The solution is to apply the following IBM Workload Deployer fix to the deployed virtual machines. \n \nUpgrade the IBM Workload Deployer to the following fix level: \n \n\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|--- \nIBM Workload Deployer System| Release V3.1.0.7| V3.1.0.7 Interim fix7, \n \n[_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Workload+Deployer&release=3.1.0.7&platform=All&function=fixId&fixids=3.1.0.7-ifix7-IBM_Workload_Deployer&includeSupersedes=0_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Workload+Deployer&release=3.1.0.7&platform=All&function=fixId&fixids=3.1.0.7-ifix7-IBM_Workload_Deployer&includeSupersedes=0>) \n \nRefer to the following technical note for additional installation information and known limitations: \n \n<http://www.ibm.com/support/docview.wss?uid=swg24039951> \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. 
If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:00", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Workload Deployer (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:03:00", "id": "79FF450C16609BDFE97D2B95AEC892EA9C8E34D6245BBEA39F89FD91A816BC7D", "href": "https://www.ibm.com/support/pages/node/263027", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:38:12", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Connect:Express for UNIX\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)\n\n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Sterling Connect:Express for UNIX 1.4.6 \n\\- All versions prior to 1.4.6.1 iFix 146-109 \n \nIBM Sterling Connect:Express for UNIX 1.5.0 \n\\- All versions up to and including 1.5.0.12\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nTo protect yourself against the attack above, disable the ciphers that use RC4 in each SSL server and client definition. Each SSL definition must specify a cipher list. In the [Sterling Connect:Express for UNIX Documentation](<http://www.ibm.com/support/docview.wss?uid=swg27023827>), refer to Chapter 4 of \"Sterling Connect:Express for UNIX Option SSL\" to learn how to specify a cipher list in an SSL server or client definition. In the cipher list, all RC4 ciphers must be disabled. \n\nVisit [https://www.openssl.org/](<https://www.openssl.org/>) to learn how to use the OpenSSL cipher list tool.\n\n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2020-07-24T22:49:37", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Connect:Express for UNIX (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2020-07-24T22:49:37", "id": "5E2DAB17CB1D8636F0B8C789C12BF0A656BE2CC73DB7C669A7B515704D6DB5C8", "href": "https://www.ibm.com/support/pages/node/260695", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:37:57", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Rational Synergy. \n\n## Vulnerability Details\n\n**CVEID: **[**_CVE-2015-2808_**](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION: **The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\n\u00b7 Rational Synergy release 7.2.1.3 ifix01 or earlier. \n\u00b7 Rational Synergy release 7.2.0.7 or earlier. \n\u00b7 Rational Synergy release 7.1.0.7.005 or earlier.\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_Rational Synergy_| **_7.1.x, 7.2.x and 7.2.1.x_**| _N/A_| Replace the JRE used in Rational Synergy. \n\n \n**Steps to download and replace the JRE in Rational Synergy:** \n1\\. Open the list of [_Synergy downloads on Fix Central_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Synergy&release=All&platform=All&function=all&source=fc>)\n\n2\\. Select the SDK and Readme for Rational Synergy that apply to your release, as follows:\n\n \n**Note:** The fix uses the following naming convention: \n**_<V.R.M.F>_**_-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-_**_<platform>_** \n \n**Where** <V.R.M.F> = release **and** <platform> = operating system \no Rational Synergy 7.2.1 (uses 7.2.1.3 release designation) \n \nExample: **7.2.1.3-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-Linux**\n\no Rational Synergy 7.2.0 (uses 7.2.0.6 release designation) \n \nExample: **7.2.0.6-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-Windows**\n\no Rational Synergy 7.1 (uses 7.1.0.7 release designation) \n \nExample: **7.1.0.7-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-AIX** \nExample: **7.1.0.7-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-Solaris**\n\n \n3\\. Follow the steps in the [_Install instructions_](<http://www.ibm.com/support/docview.wss?uid=swg27042896>) to replace the JRE. 
\n\nFollow the steps in the [_HPUX_Install Instructions_](<http://www.ibm.com/support/docview.wss?uid=swg27045456>) to replace the JRE if your Synergy platform is on HPUX. \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n**To verify that Synergy has a JRE version that addresses this security vulnerability:** \nOpen a command prompt. \n**Unix:** \nGo to the `$CCM_HOME/jre/bin` folder. \nExecute `./java -version`. \n \n**Windows:** \nGo to the `%CCM_HOME%\\jre\\bin` folder. \nExecute `java -version`. \n \nIf the version in the output is later than SR16 FP3, or is SR16 FP3+IV70681+IV71888, the run area has a JRE version that addresses this security vulnerability. \n \n**Example:** \njava version \"1.6.0\" \nJava(TM) SE Runtime Environment (build pwi3260sr16fp3ifix-20150407_01(**SR16 FP3+IV70681+IV71888**)) \nIBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows 7 x86-32 jvmwi3260sr16-201412\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-12-22T16:37:26", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Synergy (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2015-2808"], "modified": "2020-12-22T16:37:26", "id": "923294A0D760CBEA1F881BDE77C3AD9511502CD4C82F443DA7F51400CA7FD1C3", "href": "https://www.ibm.com/support/pages/node/260965", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:57", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Rational Tau.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\n4.3, 4.3.0.1, 4.3.0.2, 4.3.0.3, 4.3.0.4, 4.3.0.5, 4.3.0.6, 4.3.0.6 Interim Fix 1, 4.3.0.6 Interim Fix 2\n\n## Remediation/Fixes\n\nUpgrade to [Rational Tau Interim Fix 3 for 4.3.0.6](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FRational&product=ibm/Rational/IBM+Rational+Tau&release=4.3.0.6&platform=All>)\n\n## Workarounds and Mitigations\n\nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:43", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Tau (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T05:01:43", "id": "628C9425E5431BE9014057AFDFA6432B71F3CD61D1B5A6D4BCC34623DE9C8567", "href": "https://www.ibm.com/support/pages/node/261149", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-12T21:34:47", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM SONAS\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n\n\n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n \nIBM SONAS \n \nAll products are affected when running code releases 1.3, 1.4 and 1.5 except for version 1.5.2.0 and above.\n\n## Remediation/Fixes\n\n \nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SONAS to the following code level or higher: \n \n1.5.2.0 \n \nPlease contact IBM support for assistance in upgrading your system.\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:28", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM SONAS (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:28", "id": "82DCDA96004A5FA5D49A7CFE54A99D1CD5DD4735B6B568B1A2432924A113F1A6", "href": "https://www.ibm.com/support/pages/node/690437", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:57", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the IBM WebSphere Service Registry and Repository component of IBM SOA Policy Gateway Pattern for AIX Server.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) 
\n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM SOA Policy Gateway Pattern for AIX Server 2.5\n\n## Remediation/Fixes\n\nUsers are already protected from this issue if they: \n\n * Have already applied WebSphere Application Server Interim Fix PI36563 to mitigate against the \"FREAK: Factoring Attack on RSA-EXPORT keys\". This fix removes RC4 from the default cipher lists.\n * **AND** are not using a custom WebSphere Application Server cipher list that includes the RC4 cipher\n \n\n\nIf WebSphere Application Server Interim Fix PI36563 has not yet been applied, users should follow the advice contained in the following linked WebSphere Application Server security bulletin: [http://www.ibm.com/support/docview.wss?uid=swg21698613](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>).\n\nIf a custom cipher list is being used, users should verify that RC4 is not one of the listed ciphers, and remove it if it is. \n\n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

**Source:** Security Bulletin: Vulnerability in RC4 stream cipher affects IBM SOA Policy Gateway Pattern (CVE-2015-2808), published 2018-06-15T07:02:55, <https://www.ibm.com/support/pages/node/261569>

---

## Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects Tivoli Netcool/OMNIbus.

## Vulnerability Details

**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)
**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to obtain sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

## Affected Products and Versions

Tivoli Netcool/OMNIbus 7.3.0
Tivoli Netcool/OMNIbus 7.3.1
Tivoli Netcool/OMNIbus 7.4.0
Tivoli Netcool/OMNIbus 8.1.0

## Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
OMNIbus | 7.3.0.16 | IV73107, IV73123, IV74026 | <http://www-01.ibm.com/support/docview.wss?uid=swg24039351>
OMNIbus | 7.3.1.13 | IV73107, IV73123, IV74026 | <http://www-01.ibm.com/support/docview.wss?uid=swg24039350>
OMNIbus | 7.4.0.7 | IV73107, IV73123, IV74026 | <http://www-01.ibm.com/support/docview.wss?uid=swg24039348>
OMNIbus | 8.1.0.4 | IV73107, IV73123, IV74026 | <http://www-01.ibm.com/support/docview.wss?uid=swg24039347>

## Workarounds and Mitigations

Configure the OMNIbus server components to use FIPS mode, as that disables RC4 by default.
FIPS mode configuration is described here: <http://www-01.ibm.com/support/knowledgecenter/SSSHTQ_8.1.0/com.ibm.netcool_OMNIbus.doc_8.1.0/omnibus/wip/install/concept/omn_con_fips_configuringsupport.html?lang=en>

**Source:** Security Bulletin: Vulnerability in RC4 stream cipher affects Tivoli Netcool/OMNIbus (CVE-2015-2808), published 2018-06-17T15:03:37, <https://www.ibm.com/support/pages/node/529537>

---

## Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM Netcool/Reporter.

## Vulnerability Details

**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)
**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

## Affected Products and Versions

IBM Netcool/Reporter 2.2

## Remediation/Fixes

You must upgrade your current version of the Netcool/Reporter-provided Apache 2.2.22 to include the updated OpenSSL (1.0.1m), which is available from Fix Central via Tivoli Netcool Reporter 2.2.0.9 IF0005 (2.2.0.9-TIV-NCReporter-IF0005).

You should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

## Workarounds and Mitigations

To disable RC4 in the supplied Apache HTTPD server, open the **http-ssl.conf** file, located under $APACHE_HOME/conf/ or %APACHE_HOME%\conf\, and locate the following line:

**_SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH_**

...and add the following text to the end of the existing text:

**_:!RC4_**

You should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

**Source:** Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Netcool/Reporter (CVE-2015-2808), published 2018-06-17T15:00:39, <https://www.ibm.com/support/pages/node/261723>

---

## Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM i.

## Vulnerability Details

**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)
**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

## Affected Products and Versions

Releases 6.1, 7.1 and 7.2 of IBM i are affected.

## Remediation/Fixes

None

## Workarounds and Mitigations

**Remediation/Fixes**

**Note (07/22/15):** There has been an update to this document to include PTFs to fix an empty default cipher suite list.

**Note (07/10/15):** There has been an update to this document to include PTFs to disable RC4 from the default list.

The issue can be fixed for some applications by applying PTFs to IBM i. For the remaining applications, follow the steps in the Workarounds and Mitigations section.
Releases 6.1, 7.1 and 7.2 of IBM i are supported and will be fixed. Releases V4R1, V4R2, V4R3, V4R4, V5R1, V5R2, V5R3 and V5R4 are unsupported and will not be fixed.

The IBM i PTF numbers are:

**_IBM i OS and options:_**

- Release 6.1 – SI57357, MF60331, MF60429
- Release 6.1.1 – SI57357, MF60338, MF60431
- Release 7.1 – SI57332, MF60335, MF60430
- Release 7.2 – SI57320, MF60333, MF60334, MF60432

You should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

**_Mitigation instructions for IBM i_**:

There are at least four different SSL implementations used on IBM i.

- IBM i System SSL
- OpenSSL in PASE
- IBMJSSE2 – the default Java JSSE implementation
- Domino – contains an embedded SSL implementation.
Also uses System SSL in some configurations.
- Other – any third-party application could include an internal SSL implementation.

**_IBM i System SSL_**

IBM i System SSL is a set of generic services provided in the IBM i Licensed Internal Code (LIC) to protect TCP/IP communications using the SSL/TLS protocol.

System SSL is accessible to application developers from the following programming interfaces and JSSE implementation:

- Global Security Kit (GSKit) APIs
- Integrated IBM i SSL_ APIs
- Integrated IBM i JSSE implementation (IBMi5OSJSSEProvider)

SSL applications created by IBM, IBM business partners, independent software vendors (ISVs), or customers that use one of the three System SSL interfaces listed above will use System SSL. For example, FTP and Telnet are IBM applications that use System SSL. Not all SSL-enabled applications running on IBM i use System SSL.

System SSL supports, and by default uses, up to five RC4 cipher suites, depending on release level:

- *ECDHE_ECDSA_RC4_128_SHA (default in 7.2 *TLSV1.2)
- *ECDHE_RSA_RC4_128_SHA (default in 7.2 *TLSV1.2)
- *RSA_RC4_128_SHA (default in 6.1/7.1/7.2, all protocol versions)
- *RSA_RC4_128_MD5 (default in 6.1/7.1, all protocol versions)
- *RSA_EXPORT_RC4_40_MD5 (not default; *TLSV1 and *SSLV3)

The application developer determines which cipher suites/algorithms are supported by the application when it is designed.

- Some applications expose the cipher suite configuration to the end user. For those applications RC4 can be disabled through that application-specific configuration.
- Many applications do not provide a configuration option for controlling the cipher suites. It is difficult to determine whether these applications support RC4.
- Many applications, such as FTP and Telnet, use the System SSL default cipher suites.

After loading the System SSL fixes listed in this bulletin, applications coded to use the default values will no longer negotiate the use of RC4 cipher suites with peers.
If RC4 support is required by peers of such an application after this PTF is applied, the values can be added back to the System SSL eligible default cipher suite list using the System Service Tools (SST) Advanced Analysis command SSLCONFIG. To change the System SSL settings with the Start System Service Tools (STRSST) command, follow these steps:

1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h

This will show the help screen that describes the input strings to change the new System SSL setting for -eligibleDefaultCipherSuites.

System SSL's support of RC4 can be completely disabled at the system level using the system value QSSLCSL. In this case, RC4 is disabled for all applications, including those with user configuration available for cipher suites.

**How to change the QSSLCSL system value:**

From a 5250 command line:

**WRKSYSVAL SYSVAL(QSSLCSLCTL)**

- Enter 5 to display **QSSLCSLCTL**. This will display one of two values:
  - *OPSYS: indicates QSSLCSL is controlled by the OS.
  - *USRDFN: indicates QSSLCSL is editable and controlled by the user.
- If the current value is *OPSYS, enter 2 to edit **QSSLCSLCTL**. *OPSYS is the default value. Change the value to *USRDFN.

**WRKSYSVAL SYSVAL(QSSLCSL)**

- Enter 5 to display **QSSLCSL**. This will display the current ordered list of cipher suites.
- If a cipher suite that contains the RC4 keyword is in the list, enter 2 to edit **QSSLCSL**.
- To remove a cipher suite, space over the cipher suite name and press Enter.

**QSSLCSL value recommendation at the time of publication, by release:**

_R720_

- *ECDHE_ECDSA_AES_128_GCM_SHA256
- *ECDHE_ECDSA_AES_256_GCM_SHA384
- *ECDHE_RSA_AES_128_GCM_SHA256
- *ECDHE_RSA_AES_256_GCM_SHA384
- *RSA_AES_128_GCM_SHA256
- *RSA_AES_256_GCM_SHA384
- *ECDHE_ECDSA_AES_128_CBC_SHA256
- *ECDHE_ECDSA_AES_256_CBC_SHA384
- *ECDHE_RSA_AES_128_CBC_SHA256
- *ECDHE_RSA_AES_256_CBC_SHA384
- *RSA_AES_128_CBC_SHA256
- *RSA_AES_128_CBC_SHA
- *RSA_AES_256_CBC_SHA256
- *RSA_AES_256_CBC_SHA
- *ECDHE_ECDSA_3DES_EDE_CBC_SHA
- *ECDHE_RSA_3DES_EDE_CBC_SHA
- *RSA_3DES_EDE_CBC_SHA

_R710_

- *RSA_AES_128_CBC_SHA256 (requires TR6 or later to be installed, and *TLSv1.2)
- *RSA_AES_128_CBC_SHA
- *RSA_AES_256_CBC_SHA256 (requires TR6 or later to be installed, and *TLSv1.2)
- *RSA_AES_256_CBC_SHA
- *RSA_3DES_EDE_CBC_SHA

_R611 / R610_

- *RSA_AES_128_CBC_SHA
- *RSA_AES_256_CBC_SHA
- *RSA_3DES_EDE_CBC_SHA

**Application configuration through Digital Certificate Manager (DCM)**

7.1 TR6 and 7.2 have DCM options for controlling the cipher suites used for specific applications such as Telnet and FTP. Applications with a DCM application definition can use the DCM Update Application Definition panel to configure which cipher suites are supported by the application. If the DCM value includes a cipher suite disabled by QSSLCSL, that cipher suite value will silently be discarded by System SSL.

For IBM HTTP Server for i, the cipher suite version cannot be controlled by the DCM application ID.

**_IBM HTTP Server for i_**

The following three HTTP Server directives can be used to specify the ciphers to be used during the SSL handshake.

- SSLCipherSpec
- SSLProxyCipherSpec
- SSLCipherRequire

See <http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaie/rzaiemod_ibm_ssl.htm?lang=en> for the usage of the three directives.

If none of the three directives is specified in the HTTP server configuration file (httpd.conf), the HTTP server will use the System SSL default cipher suite list. In this case, modify system value QSSLCSL to remove all RC4 cipher suite values.

If any of the three directives are specified in the HTTP server configuration file (httpd.conf), remove all RC4 ciphers from the directives.

Note:

The HTTP server supports both a long name and a short name for some ciphers. All RC4 ciphers in either long-name or short-name format must be removed. For example, these two directives both refer to cipher *RSA_RC4_128_MD5:

- SSLCipherSpec TLS_RSA_WITH_RC4_128_MD5
- SSLCipherSpec 34

The full short-name and long-name mapping table is located in the Knowledge Center: <http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaie/rzaiemod_ibm_ssl.htm?lang=en>

An abridged HTTP mapping for the RC4 ciphers is included here for convenience.

**Short Name** | **Long Name**
---|---
34 | TLS_RSA_WITH_RC4_128_MD5
35 | TLS_RSA_WITH_RC4_128_SHA
N/A | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
N/A | TLS_ECDHE_RSA_WITH_RC4_128_SHA

**_IBM Collaboration Solutions (formerly Lotus software)_**

The native Domino SSL stack includes RC4 ciphers in the default cipher list.

RC4 ciphers can be disabled explicitly by removing them from the SSLCipherSpec notes.ini file setting. Please refer to these links for information on how to configure the SSLCipherSpec setting.

<http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration>

<http://www-01.ibm.com/support/docview.wss?uid=swg21254333>

If Domino HTTP is using the System SSL stack, follow the System SSL instructions for disabling RC4 cipher suites.

**_WebSphere Application Server_**

The RC4 "Bar Mitzvah" attack for SSL/TLS may affect some configurations of WebSphere Application Server. NOTE: If you are configured for FIPS 140-2, Suite B or SP800-131 in Security > SSL certificate and key management, then you are not affected by this vulnerability, nor is your SSL communication for Liberty.

Refer to Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808): <http://www.ibm.com/support/docview.wss?uid=swg21701503&myns=swgws&mynp=OCSSEQTP&mync=E&cm_sp=swgws-_-OCSSEQTP-_-E>

**_OpenSSL_**

RC4 ciphers are supported by OpenSSL. If you have an OpenSSL application you will need to disable RC4 programmatically.

Use **SSL_CTX_set_cipher_list()** or **SSL_set_cipher_list()** to specify a cipher list that does not contain the RC4 ciphers.

See <http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html>

The ciphers configured can be checked programmatically using **SSL_get_cipher_list()**.

See <http://www.openssl.org/docs/ssl/SSL_get_ciphers.html>

**_Potential Issues_**

Some customers find that one or more peer systems they communicate with only support or otherwise require RC4 cipher suites. Connections with those peer systems will no longer work after disabling RC4 cipher suites.
For business-critical connections that must continue, RC4 cipher suites will have to remain enabled until that peer can upgrade to support AES cipher suites. In those cases the administrator can disable RC4 cipher suites on an application-by-application basis where cipher suite configuration exists. If RC4 must remain enabled, the RC4 cipher suite should be placed at the end of the list of cipher suites. This will result in RC4 only being selected if the peer does not support any of the cipher suites higher up in the list.

**_How to determine if RC4 cipher suites are being negotiated by System SSL_**

There is no easy way to determine this. A trace active at the time the secure connection is made is required. Refer to the following Technote for PTF numbers and instructions:

How to determine the SSL protocol and cipher suite used for each System SSL connection to the IBM i

<http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594>

**Source:** Security Bulletin: Vulnerability in RC4 stream cipher affects IBM i (CVE-2015-2808), published 2019-12-18T14:26:38, <https://www.ibm.com/support/pages/node/646213>
---

## Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM InfoSphere Guardium.

## Vulnerability Details

**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)
**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

## Affected Products and Versions

IBM InfoSphere Guardium: V 8.2, 9.x

## Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
InfoSphere Guardium Database Activity Monitoring | 8.2 | PSIRT 53185 | <http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_8.2p6008_SecurityUpdate&includeSupersedes=0&source=fc>
InfoSphere Guardium Database Activity Monitoring | 9.x | PSIRT 53185 | <http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_9.0p6008_SecurityUpdate&includeSupersedes=0&source=fc>

## Workarounds and Mitigations

**Important note:** IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

**Source:** Security Bulletin: Vulnerability in RC4 stream cipher affects IBM InfoSphere Guardium (CVE-2015-2808), published 2018-07-16T10:15:46, <https://www.ibm.com/support/pages/node/260717>

---

## Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM Security Directory Integrator.

## Vulnerability Details

**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)
**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

## Affected Products and Versions

IBM Tivoli Directory Integrator 6.1.1
IBM Tivoli Directory Integrator 7.0
IBM Tivoli Directory Integrator 7.1
IBM Tivoli Directory Integrator 7.1.1
IBM Security Directory Integrator 7.2

## Remediation/Fixes

Affected Products and Versions | Fix availability
---|---
TDI 6.1.1 | [7.0.0-TIV-TDI-LA0023](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24039869>)
TDI 7.0 | [7.0.0-TIV-TDI-LA0023](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24039869>)
TDI 7.1 | [7.1.0-TIV-TDI-LA0017](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24039871>)
TDI 7.1.1 | [7.1.1-TIV-TDI-LA0026](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24039870>)
SDI 7.2 | [7.2.0-TIV-TDI-LA0007](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24039872>)

You should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above.
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

**Source:** Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Security Directory Integrator (CVE-2015-2808), published 2018-06-16T21:23:56, <https://www.ibm.com/support/pages/node/262315>

---

## Summary

The RC4 "Bar Mitzvah" Attack for SSL/TLS affects IBM BladeCenter Switches.

## Vulnerability Details

**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)

**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information.
This vulnerability is commonly referred to as "Bar Mitzvah Attack".

CVSS Base Score: 5
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

## Affected products and versions

Product | Version
---|---
IBM Virtual Fabric 10GB Switch Module for IBM BladeCenter Firmware Update | Prior to 7.8.6.0
IBM 1/10GB Uplink Ethernet Switch Module for Firmware Update | Prior to 7.4.10.0
IBM GbESM 1G L2/7 Firmware Update | Prior to 21.0.22.0
Layer 2/3 GbESM Firmware Update | Prior to 5.3.7.0

Refer also to the Flash (Alert) "The following IBM Systems products are not affected by the vulnerability in RC4 stream cipher (CVE-2015-2808)" in Related Information.

## Remediation/Fixes

Firmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/>.

You should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above.
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

Product | Fix Version
---|---
IBM Virtual Fabric 10GB Switch Module for IBM BladeCenter Firmware Update | 7.8.6.0
IBM 1/10GB Uplink Ethernet Switch Module for Firmware Update | 7.4.10.0
IBM GbESM 1G L2/7 Firmware Update | 21.0.22.0
Layer 2/3 GbESM Firmware Update | 5.3.7.0

## Workarounds and Mitigations

None.

## Reference

 * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)
 * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)

**Related Information**

 * [FLASH (Alert) IBM Systems products not affected by RC4 stream cipher](<http://www-01.ibm.com/support/docview.wss?uid=isg3T1022180>)
 * [IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>)
 * [IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>)

**Acknowledgement**

None.

**Change History**

15 June 2015: Original Copy Published

\* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM BladeCenter Switches (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T01:55:01", "id": "6D1260ED9EDDCDB5037EC1727A9F750274D0B23A082563C4B6104D9F7B30E4AE", "href": "https://www.ibm.com/support/pages/node/867356", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:50:57", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business. \n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli Access Manager for e-business versions 6.0, 6.1, 6.1.1 \n\nIBM Security Access Manager for Web version 7.0 software\n\nIBM Security Access Manager for Web version 7.0 appliance, all firmware versions\n\nIBM Security Access Manager for Web version 8.0 appliance, all firmware versions \n\n## Remediation/Fixes\n\nIBM has provided patches for all affected versions. Follow the installation instructions in the README files included with the patch. \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \n**Please note:** If you have configured the ciphers that are used in your environment, you might still be susceptible to the attack described above. Please review the 'Post-installation instructions' provided below the remediation table. 
\n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation** \n---|---|---|--- \nIBM Tivoli Access Manager for e-business| 6.0 - \n6.0.0.38| IV73153| Apply the following interim fix: \n[6.0.0-ISS-TAM-IF0039](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.0.0&platform=All&function=all>) \nIBM Tivoli Access Manager for e-business| 6.1 - \n6.1.0.19| IV73153| Apply the following interim fix: \n[6.1.0-ISS-TAM-IF0020](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.1.0&platform=All&function=all>) \nIBM Tivoli Access Manager for e-business | 6.1.1 - \n6.1.1.17| IV73150 | Apply the following interim fix: \n[6.1.1-ISS-TAM-IF0018](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.1.1&platform=All&function=all>) \nIBM Security Access Manager for Web \n(software-installations)| 7.0 - \n7.0.0.13| IV73149 | Apply the following fix pack: \n[7.0.0-ISS-SAM-IF0014](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=All&function=all>) \nIBM Security Access Manager for Web \n(appliance-based)| 7.0 - \n7.0.0.12| IV73146| 1) Apply the following fix pack: \n[7.0.0-ISS-WGA-FP0012](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=Linux&function=all>)\n\n2) You can then apply the following interim fix:\n\n[7.0.0-ISS-WGA-IF0014](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=Linux&function=all>) \n \nIBM Security Access Manager for Web 
\n(appliance-based)| 7.0.0.12 \n7.0.0.13| IV73146| Apply the following interim fix: \n[7.0.0-ISS-WGA-IF0014](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=Linux&function=all>) \nIBM Security Access Manager for Web| 8.0 - \n8.0.1.1| IV73137| 1) Apply the following fix pack: \n[8.0.1-ISS-WGA-FP0002](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0&platform=Linux&function=all>) \n \n2) You can then apply the following interim fix: \n[8.0.1.2-ISS-WGA-IF0003](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0&platform=Linux&function=all>) \nIBM Security Access Manager for Web| 8.0.1.2| IV73137| Apply the following interim fix: \n \n[8.0.1.2-ISS-WGA-IF0003](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0&platform=Linux&function=all>) \n \nFor Tivoli Access Manager for e-business 5.1, IBM recommends upgrading to a fixed, supported version/release/platform of the product.\n\n**Post-installation instructions**\n\nAfter you have applied the interim fix packages described above, you need to review your environment to check whether your environment is configured to use RC4 ciphers.\n\nReview the details below to determine whether you need to update the configuration in your environment to avoid any exposure to this vulnerability: \n\nVulnerabilities have been identified in many of the available ciphers. Here is a list of the remaining ciphers that are not affected by these known vulnerabilities. These ciphers are stated in no particular order. You can use one or more of these ciphers as you work through the configuration details included in this tech note. 
\n\n \n \n**Table One: SSLv3, TLSv10, TLSv11 (GSKit 7 & GSKit 8)** \n \n**Long name** | **Cipher number** \n---|--- \nTLS_RSA_WITH_3DES_EDE_CBC_SHA| 0A \nTLS_RSA_WITH_AES_128_CBC_SHA| 2F \nTLS_RSA_WITH_AES_256_CBC_SHA| 35 \n \n \n**Table Two: TLSv12 (GSKit 8 only)** \n \n**Long name** \n--- \nTLS_RSA_WITH_AES_128_GCM_SHA256 \nTLS_RSA_WITH_AES_256_GCM_SHA384 \nTLS_RSA_WITH_AES_128_CBC_SHA256 \nTLS_RSA_WITH_AES_256_CBC_SHA256 \nTLS_RSA_WITH_AES_128_CBC_SHA \nTLS_RSA_WITH_AES_256_CBC_SHA \nTLS_RSA_WITH_3DES_EDE_CBC_SHA \nTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \nTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \nTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \nTLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \nTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \nTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \n \n**_Mitigation for all TAMeb versions and ISAM for Web 7.0 software version _** \n \n1). 
Download the latest version of GSKit, 7.0.5.6 or 8.0.50.42, for your currently installed TAMeb or ISAM version: \n\n * [**_IBM Security Access Manager for Web 7.0.0 (Software)_**](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=All&function=fixId&fixids=7.0.0-ISS-SAM-IF0011&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)\n * [**_Tivoli Access Manager for e-business 6.1.1_**](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.1.1.13&platform=All&function=fixId&fixids=6.1.1-ISS-TAM-IF0014&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)\n * [**_Tivoli Access Manager for e-business 6.1.0_**](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.1.0.16&platform=All&function=fixId&fixids=6.1.0-ISS-TAM-IF0017&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)\n * [**_Tivoli Access Manager for e-business 6.0.0_**](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.0.0.35&platform=All&function=fixId&fixids=6.0.0-ISS-TAM-IF0036&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)\n \n2). Shut down all running instances of WebSEAL on the machine for which these instructions are to be followed. \n \n3). 
**For all ISAM and TAMeb versions.** For all machines hosting WebSEAL, if the following environment variables have been set \u2013 \n \nGSK_V2_CIPHER_SPECS \nGSK_V3_CIPHER_SPECS \n \nremove all references to the following cipher numbers, which have known vulnerabilities \u2013 \n \n01 02 03 04 05 06 09 62 64 \n \n**Note:** You can configure your environment to use one or more of the ciphers listed in the tables at the start of this tech note. \n \n4). **For ISAM 7.0 only**. For each instance of WebSEAL, under the **[ssl]** stanza, remove all references to RC4 ciphers from both the **gsk_attr_name** and the **jct_gsk_attr_name** attributes: \n \nLong Name \n\\----------------------------------- \nTLS_RSA_WITH_RC4_128_SHA \nTLS_RSA_WITH_RC4_128_MD5 \nTLS_RSA_WITH_DES_CBC_SHA \nTLS_RSA_EXPORT_WITH_RC4_40_MD5 \nTLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 \nTLS_RSA_EXPORT1024_WITH_DES_CBC_SHA \nTLS_RSA_EXPORT1024_WITH_RC4_56_SHA \nTLS_RSA_WITH_NULL_SHA \nTLS_RSA_WITH_NULL_MD5 \nTLS_RSA_WITH_NULL_SHA256 \nTLS_ECDHE_RSA_WITH_NULL_SHA \nTLS_ECDHE_ECDSA_WITH_NULL_SHA \n \n**Note** \\- Any instance of the above ciphers should be removed. You can configure your environment to use one or more of the ciphers listed in the tables at the start of this tech note. \n \n5). Update the following Policy Server configuration files: **ldap.conf** and **activedir_ldap.conf**. Update the following configuration entries to ensure that there are no references to RC4 ciphers. \nConfigure the following entries to use one or more of the ciphers listed in the tables at the start of this tech note. 
\n \n[ldap] \nssl-tls-cipher-specs \ntls-v12-cipher-specs \n \n**Note:** Ensure that you remove any references to the following cipher numbers: \n \n01 02 03 04 05 06 09 62 64 \n \n[uraf-registry] \nssl-tls-cipher-specs \ntls-v12-cipher-specs \n \n**Note:** Ensure that you remove any references to the following ciphers: \n \nTLS_RSA_WITH_RC4_128_SHA \nTLS_RSA_WITH_RC4_128_MD5 \nTLS_RSA_WITH_DES_CBC_SHA \nTLS_RSA_EXPORT_WITH_RC4_40_MD5 \nTLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 \nTLS_RSA_EXPORT1024_WITH_DES_CBC_SHA \nTLS_RSA_EXPORT1024_WITH_RC4_56_SHA \nTLS_RSA_WITH_NULL_SHA \nTLS_RSA_WITH_NULL_MD5 \nTLS_RSA_WITH_NULL_SHA256 \nTLS_ECDHE_RSA_WITH_NULL_SHA \nTLS_ECDHE_ECDSA_WITH_NULL_SHA \n \n**Note**: For these updates to take effect, please restart your Policy Server. \n \n6). **For all TAMeb and ISAM versions.** For all instances of WebSEAL, if the GSKit environment variables have been correctly configured as outlined in step two above and the value of **ssl-qop-mgmt** within the WebSEAL configuration file is currently set to \u201cNo\u201d or \u201cFalse\u201d, then no additional actions are required; skip to Step 7. \n \nFor all instances of WebSEAL, if the **ssl-qop-mgmt** attribute is set to \u201cYes\u201d or \u201cTrue\u201d, configure the default configuration entries in the **[ssl-qop-mgmt-default]** stanza to ensure that you remove any vulnerable ciphers. **Note:** Do not use a setting of 'ALL'. \n \nEnsure that the following ciphers are **not** present in the configured ciphers: \n \ndefault = RC4-40 \ndefault = RC2-40 \ndefault = DES-56 \ndefault = DES-56-62 \ndefault = RC4-56 \ndefault = RC4-128 \ndefault = RC2-128 \n\n7). For all instances of WebSEAL, if not already done, set the following environment variable during the startup process for WebSEAL: \n \nGSK_STRICTCHECK_CBCPADBYTES = GSK_FALSE \n \n**Important** \\- If this environment variable is already set then it can remain in place. It should not have any effect on this mitigation plan. \n \n8). 
Upgrade to GSKit, 7.0.5.6 or 8.0.50.42, using the instructions provided in the readme of their respective releases. \n \n9). Restart all instances of WebSEAL.\n\n \n \n**_Mitigation for all ISAM for Web 7.0 and 8.0 appliance versions_** \n \n**Note:** It is important that you explicitly set values for all of these entries so that the default ciphers are not used. The list of default ciphers on the appliance includes some of the RC4 ciphers that are affected by this vulnerability. To mitigate this vulnerability, you must set all of the configuration entries that are described in the following steps. \n\n1). Update to the latest interim fixes for your product version: \n\n * [**_IBM Security Access Manager for Web 8.0.1.2 IF0002_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0&platform=All&function=all>)\n * [**_IBM Security Access Manager for Mobile 8.0.1.2 IF0002_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Security+Access+Manager+for+Mobile&release=8.0.1.0&platform=All&function=all>)\n * [**_IBM Security Access Manager for Web (WGA) 7.0.0 IF0014_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=All&function=all>)\n * [**_IBM Single Sign On for Bluemix v2 Identity Bridge 8.0.1.2 IF0002_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FTivoli%2FIBM+Single+Sign-On+for+Bluemix&fixids=8.0.1-ISS-SSOBluemix-IF0002&source=SAR&function=fixId&parent=Security%20Systems>)\n \n**Note:** Before applying the interim fixes, you must first ensure that you are running the latest fix pack level. \n \n2). Shut down all instances of the Reverse Proxy hosted by the appliance where these instructions are to be followed. \n \n3). 
For each instance of Reverse Proxy, open its configuration file using the following instructions: \n \n1\\. Select 'Secure Web Settings -> Reverse Proxy' from the menu bar; \n2\\. Select the Reverse Proxy instance; \n3\\. Select 'Manage -> Configuration -> Edit Configuration File' from the menu. \n \n4). For each instance of Reverse Proxy, under the **[ssl]** stanza, remove all references to RC4 ciphers from both the **gsk_attr_name** and the **jct_gsk_attr_name** attributes: \n \nLong Name \n\\----------------------------------- \nTLS_RSA_WITH_RC4_128_SHA \nTLS_RSA_WITH_RC4_128_MD5 \nTLS_RSA_WITH_DES_CBC_SHA \nTLS_RSA_EXPORT_WITH_RC4_40_MD5 \nTLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 \nTLS_RSA_EXPORT1024_WITH_DES_CBC_SHA \nTLS_RSA_EXPORT1024_WITH_RC4_56_SHA \nTLS_RSA_WITH_NULL_SHA \nTLS_RSA_WITH_NULL_MD5 \nTLS_RSA_WITH_NULL_SHA256 \nTLS_ECDHE_RSA_WITH_NULL_SHA \nTLS_ECDHE_ECDSA_WITH_NULL_SHA \n \n**Note** \\- Any instance of the above ciphers should be removed. Configure your environment to use one or more of the ciphers listed in the tables at the start of this tech note. \n \n5). On the Runtime Component management page, select 'Manage -> Configuration Files -> ldap.conf'. \n \nUpdate the following configuration entries to use one or more of the ciphers listed in the tables at the start of this tech note. \n \n[ldap] \nssl-tls-cipher-specs \ntls-v12-cipher-specs \n \nEnsure that you remove any references to the following cipher numbers: \n \n01 02 03 04 05 06 09 62 64 \n \n6). On the Runtime Component management page, select 'Manage -> Configuration Files -> activedir_ldap.conf'. \n \nUpdate the following configuration entries to ensure that there are no references to RC4 ciphers. You can use one or more of the ciphers listed in the tables at the start of this tech note. 
\n \n[uraf-registry] \nssl-tls-cipher-specs \ntls-v12-cipher-specs \n \nEnsure that you remove any references to the following ciphers: \n \nTLS_RSA_WITH_RC4_128_SHA \nTLS_RSA_WITH_RC4_128_MD5 \nTLS_RSA_WITH_DES_CBC_SHA \nTLS_RSA_EXPORT_WITH_RC4_40_MD5 \nTLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 \nTLS_RSA_EXPORT1024_WITH_DES_CBC_SHA \nTLS_RSA_EXPORT1024_WITH_RC4_56_SHA \nTLS_RSA_WITH_NULL_SHA \nTLS_RSA_WITH_NULL_MD5 \nTLS_RSA_WITH_NULL_SHA256 \nTLS_ECDHE_RSA_WITH_NULL_SHA \nTLS_ECDHE_ECDSA_WITH_NULL_SHA \n \n**Note**: For these updates to take effect, please restart your Policy Server. \n \n7). For all instances of the Reverse Proxy, if the **ssl-qop-mgmt** attribute is set to \u201cYes\u201d or \"True\", configure the default configuration entries in the **[ssl-qop-mgmt-default]** stanza to ensure that vulnerable ciphers are removed. **Note:** Do not use a setting of 'ALL'. \n \nEnsure that the following ciphers are **not** present in the configured ciphers: \n \ndefault = RC4-40 \ndefault = RC2-40 \ndefault = DES-56 \ndefault = DES-56-62 \ndefault = RC4-56 \ndefault = RC4-128 \ndefault = RC2-128 \n\n8). For each instance of Reverse Proxy, if not already set, set the following attribute and value under the **[ssl]** stanza: \n \ngsk-attr-name = enum:471:0 \njct-gsk-attr-name = enum:471:0 \n \n**Note** \\- If this attribute is already set, it can remain in place. It should not have any effect on the mitigation plan. \n \n9). For each instance of Reverse Proxy, save and deploy the changes. \n \n10). Apply the appliance fix pack using the following instructions: \n \ni). Click Manage, and then click Fix Packs. \nii). In the Fix Packs pane, click New. \niii). In the Add Fix Pack window, click Browse to locate the fix pack file, and then click Open. \niv). Click Submit to install the fix pack. \n \n11). Once the appliance has restarted, verify that all Reverse Proxy servers have restarted successfully. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T21:24:10", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T21:24:10", "id": "95A37AC2C7F105661E81CCB7B98B49EAB2848DF53F74121F0FEE7D2AE8FA7EA2", "href": "https://www.ibm.com/support/pages/node/263697", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:36:16", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS may affect some configurations of the IBM HTTP Server and some configurations of the IBM Caching Proxy for WebSphere Application Server. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nThe following versions of IBM HTTP Server (IHS) and IBM Caching Proxy for WebSphere Application Server may be affected: \n\n * Version 8.5.5 \n * Version 8.5 \n * Version 8.0\n * Version 7.0 \n * Version 6.1 \n\n## Remediation/Fixes\n\n**For affected IBM HTTP Server for WebSphere Application Server:** \nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI34229 for each named product as soon as practical. By default, APAR PI34229 removes the RC4 ciphers from the default cipher list that is used if you do not specify any ciphers. \n**NOTE:** If you specify any ciphers, you will also need to perform some of the steps in the mitigation section. \n\n**For V8.5.0.0 through 8.5.5.5 Full Profile:**\n\n\u00b7 Upgrade to a minimum of Fix Pack 8.5.5.2 or later, then apply Interim Fix [PI34229](<http://www-01.ibm.com/support/docview.wss?uid=swg24039770>)\n\n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.6 or later. \n\n**For V8.0 through 8.0.0.10:** \n\u00b7 Upgrade to a minimum of Fix Pack 8.0.0.9 or later, then apply Interim Fix [PI34229](<http://www-01.ibm.com/support/docview.wss?uid=swg24039770>)\n\n\\--OR-- \n\u00b7 Apply Fix Pack 8.0.0.11 or later. 
\n\n**For V7.0.0.0 through 7.0.0.37:** \n\u00b7 Upgrade to a minimum of Fix Pack 7.0.0.33 or later, then apply Interim Fix [PI34229](<http://www-01.ibm.com/support/docview.wss?uid=swg24039770>)\n\n\\--OR-- \n\u00b7 Apply Fix Pack 7.0.0.39 or later. \n\n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \nFor unsupported versions, IBM recommends upgrading to a fixed, supported version of the product. \n\n## Workarounds and Mitigations\n\n**For affected IBM HTTP Server for WebSphere Application Server:**\n\nIBM recommends disabling RC4 in IBM HTTP Server. To disable RC4, complete the steps below: \n\n**For Version 8.0 and later:**\n\n * A simple way to mitigate this issue is to turn on FIPS140-2 support, which will both disable RC4 by default and remove any RC4 ciphers added inadvertently. To enable FIPS140-2, add 'SSLFIPSEnable' to each configuration stanza with 'SSLEnable'. \n \nNote: On z/OS, SSLFIPSEnable is only available in 8.5.5.0 and later and is set once globally instead of per virtual host. \n * If you cannot enable FIPS140-2 support or if you run into a complication, you must complete **all** of the following to disable RC4: \n \n\n 1. To remove RC4 from the defaults, add the following directive to the **end** of each configuration stanza with 'SSLEnable' (VirtualHost, or the bottom of httpd.conf if SSLEnable is set globally). This step is not needed if you installed the interim fix. \n` \nSSLCipherSpec ALL -SSL_RSA_WITH_RC4_128_SHA -SSL_RSA_WITH_RC4_128_MD5 \n`\n 2. 
**Remove** any 'SSLCipherSpec' explicitly enabling RC4, as illustrated below: \n` \n# All of these must be removed to disable RC4 \nSSLCipherSpec SSL_RSA_WITH_RC4_128_SHA \nSSLCipherSpec SSL_RSA_WITH_RC4_128_MD5 \nSSLCipherSpec 34 \nSSLCipherSpec 35 \n`\n 3. Review the current configuration for SSL ciphers configured via SSLCipherSpec directives with at least **two arguments** each that add an RC4-based cipher. \n \nSearch for either \"RC4\" or the numbers \"34\" and \"35\" within SSLCipherSpec directives and **remove** the corresponding ciphers. \n \n` \n# For example, if a configuration contains: SSLCipherSpec TLSv1 +SSL_RSA_WITH_RC4_128_SHA +TLS_RSA_WITH_AES_128_CBC_SHA \n# remove the RC4 cipher, changing the directive to: \nSSLCipherSpec TLSv1 +TLS_RSA_WITH_AES_128_CBC_SHA \n` \nDo this for all the 'SSLCipherSpec' directives. \n \n**For Versions 6.0, 6.1, or 7.0:**\n\n * One way to mitigate this issue is to turn on FIPS140-2 support, which will both disable RC4 by default and result in a startup error if RC4 is inadvertently enabled. \nFor each existing 'SSLEnable' in your IHS configuration, add 'SSLFIPSEnable'. \n\n * If you do not wish to enable FIPS140-2 support or if you run into a complication, you may do **all** of the following, whichever applies to your configuration: \n\n 1. If any of the following 'SSLCipherSpec' directives are contained in the configuration, **remove** them and make sure at least one other SSLCipherSpec specifies an SSLv3/TLSv1 cipher. See the following bullet for an example of strong non-RC4 ciphers. \n` \nSSLCipherSpec SSL_RSA_WITH_RC4_128_SHA \nSSLCipherSpec SSL_RSA_WITH_RC4_128_MD5 \nSSLCipherSpec 34 \nSSLCipherSpec 35 \n`\n 2. If 'SSLEnable' is configured, but no 'SSLCipherSpec' is specified, explicitly select strong ciphers (excluding RC4) with the following recommended ciphers. This step is not needed if you installed the interim fix. 
\n` \nSSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA \nSSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA \nSSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA \n` \n\n**For affected IBM Caching Proxy for WebSphere Application Server:**\n\nIBM recommends disabling RC4 in IBM Caching Proxy. To disable RC4, complete the steps below: \n\n**For Version 8.5.5.5 and later:**\n\n * A simple way to mitigate this issue is to turn on FIPS140-2 support, which will both disable RC4 by default and remove any RC4 ciphers added inadvertently. To enable FIPS140-2, add the directive 'FIPSEnable on'. \n \n\n * If you cannot enable FIPS140-2 support or if you run into a complication, you must complete **all** of the following to disable RC4: \n \n\n 1. In the TLSV11Cipherspecs directive, remove any references to the following ciphers: \n \n` \n# All of these must be removed to disable RC4 \nTLS_RSA_WITH_RC4_128_SHA(05) \nTLS_RSA_WITH_RC4_128_MD5(04) \n`\n 2. In the V3Cipherspecs directive, remove any references to the following ciphers: \n` \n# All of these must be removed to disable RC4 \nTLS_RSA_WITH_RC4_128_SHA(05) \nTLS_RSA_WITH_RC4_128_MD5(04) \nTLS_RSA_EXPORT_WITH_RC4_40_MD5(03) \nTLS_RSA_EXPORT1024_WITH_RC4_56_SHA(64) \n`\n 3. In the V2Cipherspecs directive, remove any references to the following ciphers: \n` \n1-RC4 US \n2-RC4 Export \n` \n \n**For Versions 8.5.5.4 and earlier:** \n\n\n * A simple way to mitigate this issue is to turn on FIPS140-2 support, which will both disable RC4 by default and remove any RC4 ciphers added inadvertently. To enable FIPS140-2, add the directive 'FIPSEnable on'. \n \n\n * If you cannot enable FIPS140-2 support or if you run into a complication, you must complete **all** of the following to disable RC4: \n \n\n 1. 
In the V3Cipherspecs directive, remove any references to the following ciphers: \n` \n# All of these must be removed to disable RC4 \nTLS_RSA_WITH_RC4_128_SHA(05) \nTLS_RSA_WITH_RC4_128_MD5(04) \nTLS_RSA_EXPORT_WITH_RC4_40_MD5(03) \nTLS_RSA_EXPORT1024_WITH_RC4_56_SHA(64) \n`\n 2. In the V2Cipherspecs directive, remove any references to the following ciphers: \n` \n1-RC4 US \n` \n\n\n## ", "cvss3": {}, "published": "2022-09-08T00:09:56", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM HTTP Server and Caching Proxy (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2022-09-08T00:09:56", "id": "CF5547CF1D5D824C37BDCF280934BF33268EB09472651473C4AC95EB8AB747D7", "href": "https://www.ibm.com/support/pages/node/260001", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-14T02:38:33", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects DS8000\n\n## Vulnerability Details\n\n \n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThe following products and versions are impacted: \n\n * DS8870 earlier than R7.2 (87.21.x.x)\n * DS8800/DS8700 earlier than R6.3 SP9 (86.31.142.x/76.31.121.x)\n\n## Remediation/Fixes\n\n**Product Update** \n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nDS8870 < R7.2| 87.31.16.0 or above| N/A| Already available \nDS8800 R6.3 | 86.31.152.0 | N/A| Already available \nDS8700 R6.3| 76.31.131.0 | N/A| Already available \n \n**Note:** Customers applying updates should consult the DS8000 code recommendation page before requesting versions: <http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004456>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-05-24T17:06:20", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects DS8000 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2022-05-24T17:06:20", "id": "38D4C164BC68F821F7E28FD2AF5038B7CE130E3B984B1492E8B2B3C50DA33C34", "href": "https://www.ibm.com/support/pages/node/690415", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": 
"2023-02-21T21:38:23", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Multiple N-series Products\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)\n\n**DESCRIPTION**: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to obtain sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5\n\nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n7-Mode Data ONTAP 8.1.x and 8.2.x; \n\nClustered Data ONTAP 8.2.x;\n\nNS OnCommand Core Package: 5.2, 5.2R1, 5.2P1, 5.2P2;\n\nNS OnCommand Unified Manager for DataONTAP: 6.1R1;\n\n## Remediation/Fixes\n\n_None_\n\n## Workarounds and Mitigations\n\nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n**For 7-Mode Data ONTAP 8.2.3 and above (below 8.3)**\n\nA new option \u201coptions rc4.enable\u201d allows you to enable or disable the RC4 encryption algorithm that is used in the TLS and SSL protocols over HTTPS and FTPS connections. The option defaults to \u201con\u201d. 
To disable the RC4 cipher, type:\n\n_\u201coptions rc4.enable off\u201d._\n\n**For Clustered Data ONTAP 8.2.2 RC1 and above (below 8.3)**\n\nYou can enable the OpenSSL FIPS 140-2 compliance mode to disable RC4 ciphers by executing the following command at the admin privilege level in the clustershell:\n\n_\u201csystem services web modify -ssl-fips-enable true\u201d_\n\nThe above workarounds are supported only in Data ONTAP 8.2.3 and above for 7-Mode and Data ONTAP 8.2.2 RC1 and above for Clustered-Mode. For customers who use 7-Mode Data ONTAP 8.1.x and 8.2.x (below 8.2.3), IBM urges upgrading to 7-Mode Data ONTAP 8.2.3 and above (below 8.3) to implement the corresponding workaround. For customers who use Clustered Data ONTAP 8.1.x and 8.2.x (below 8.2.2 RC1), IBM urges upgrading to Clustered Data ONTAP 8.2.2 RC1 and above (below 8.3) to implement the corresponding workaround. Contact IBM support or go to this [_link_](<http://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=System+Storage%3bNetwork+Attached+Storage+%28NAS%29%3bN+series+software%3bibm%2fNetworkAttachedStorage%2fData+ONTAP>) to download a supported release.\n\nFor customers who are using NS OnCommand Core Package or NS OnCommand Unified Manager for DataONTAP, please contact IBM support.\n\n## ", "cvss3": {}, "published": "2021-12-15T18:05:07", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Multiple N-series Products (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2021-12-15T18:05:07", "id": "0CDFD8570C2BCFAEEA4CE83F890D6CA31BCAE04145F91E59910CA1669331D4EF", "href": "https://www.ibm.com/support/pages/node/690509", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:36:12", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d attack for SSL/TLS affects IBM WebSphere Application Server that is used by WebSphere Process Server (WPS) and WPS Hypervisor editions.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n * WebSphere Process Server V7.0\n * WebSphere Process Server Hypervisor Editions V6.2, V7.0\n\nFor earlier unsupported versions of the above products IBM recommends upgrading to a fixed, supported version of the products.\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [_Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-09-15T18:50:52", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Process Server (WPS) and WPS Hypervisor editions (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2022-09-15T18:50:52", "id": "473509F5DF0045B5F52A40451D21440972E002841BC6988B77B1C5297FC47A53", "href": "https://www.ibm.com/support/pages/node/261477", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:37:53", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for 
SSL/TLS affects IBM DataQuant for Workstation. The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n * DataQuant for z/OS Version 2 Release 1, Fix Pack 3 (and earlier)\n * DataQuant for Multiplatforms Version 2 Release 1, Fix Pack 3 (and earlier)\n\n## Remediation/Fixes\n\n * DataQuant for z/OS Version 2 Release 1 and DataQuant for Multiplatforms Version 2 Release 1: install [DataQuant for Workstation 2.1 in Fix Pack 4](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DataQuant&release=2.1&platform=All&function=all>)\n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n_For IBM DataQuant for z/OS V1.2 and IBM DataQuant for Multiplatforms V1.2, IBM recommends upgrading to a fixed, supported version/release/platform of the product, IBM DataQuant for z/OS V2.1 and IBM DataQuant for Multiplatforms V2.1 respectively._\n\n## Workarounds and Mitigations\n\n**Important note: **IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www-03.ibm.com/systems/z/advantages/security/integrity_sub.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n## ", "cvss3": {}, "published": "2021-02-11T16:57:46", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM DataQuant for Workstation (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2021-02-11T16:57:46", "id": "9AF459A47C5F674E1EEAC9038F1A38BB0088437F8A8C2399C93B05ECFD317312", "href": "https://www.ibm.com/support/pages/node/262065", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:38:04", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Rational Developer for System z.\n\n## 
Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n\n## Affected Products and Versions\n\nRational Developer for System z, versions 8.0.3.x, 8.5.x, 9.0.x and 9.1.x \n\n## Workarounds and Mitigations\n\nBy default Rational Developer for System z relies on System SSL defaults for active cipher suites, and by default, System SSL enables the RC4 cipher suites for SSLv3 and all TLS versions. Note that usage of SSLv3 is not advised due to another vulnerability commonly referred to as \"POODLE vulnerability\". \n \nThe RC4 ciphers in TLS are: \n\n * TLS_RSA_WITH_RC4_40_MD5 (\"03\" or \"0003\") \n * TLS_RSA_WITH_RC4_128_MD5 (\"04\" or \"0004\") \n * TLS_RSA_WITH_RC4_128_MD5 (\"05\" or \"0005\") \n * TLS_ECDH_ECDSA_WITH_RC4_128_SHA (\"C002\") \n * TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (\"C007\") \n * TLS_ECDH_RSA_WITH_RC4_128_SHA (\"C00C\") \n * TLS_ECDHE_RSA_WITH_RC4_128_SHA (\"C011\")\n \nYou can explicitly disable the usage of the RC4 ciphers by adding the GSK_V3_CIPHER_SPECS environment variable, ensuring that the environment variable character string does not include ciphers \"03\", \"04\", or \"05\". 
\nIf environment variable GSK_V3_CIPHERS is set to GSK_V3_CIPHERS_CHAR4 (this must be done explicitly), you can explicitly disable the usage of the RC4 ciphers by adding the GSK_V3_CIPHER_SPECS_EXPANDED environment variable, ensuring that the environment variable character string does not include ciphers \"0003\", \"0004\", \"0005\", \"C002\", \"C007\", \"C00C\", or \"C011\". \n \nRational Developer for System z has two components that utilize System SSL: \n\n * RSE, which is used when a client connects to the host. You must specify the GSK_V3_CIPHER_SPECS environment variable in rsed.envvars, by default located in /etc/rdz. \n * Debug Manager, by means of an AT-TLS policy. You must create a file holding the GSK_V3_CIPHER_SPECS environment variable and reference it via the Envfile keyword in the TTLSGroupAdvancedParms section.\n\nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2020-10-27T15:51:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Developer for System z (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2020-10-27T15:51:50", "id": "503FD74F886DBC0A6A5895006871227440411D00C54D147CBFA7D89D5227DB58", "href": "https://www.ibm.com/support/pages/node/260757", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:38:03", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Rational Developer for System z.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version** \n---|--- \nRational Developer for System z, versions 8.5.x, 9.0.x, 9.1.x| IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 FP3 (IV70681) and earlier; IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 and earlier \n\n## Remediation/Fixes \n \nIBM has provided patches for all affected versions. \n \nFollow the installation instructions in the README files included with the patch. \n \nThe fix can be obtained at the following locations: \n\n\n * [Rational Developer for System z Interim Fix 4 for 8.5.x](<http://www-01.ibm.com/support/docview.wss?uid=swg24040043>)\n * [Rational Developer for System z Interim Fix 4 for 9.0.x](<http://www-01.ibm.com/support/docview.wss?uid=swg24040042>)\n * [Rational Developer for System z Interim Fix 4 for 9.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg24040041>)\n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n\n## ", "cvss3": {}, "published": "2020-10-27T15:51:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Developer for System z (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2020-10-27T15:51:50", "id": "7F939618289427F415F5FAE1B3FB138CE4BB917F17F3C723209877C015BEDE54", "href": "https://www.ibm.com/support/pages/node/262689", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:38:11", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Rational Software Architect for WebSphere Software. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n * Rational Software Architect 9.1.1 and earlier\n * Rational Software Architect for WebSphere Software 9.1.1 and earlier\n * Rational Software Architect RealTime Edition 9.1.1 and earlier\n\n## Remediation/Fixes\n\nUpdate the Java Development Kit and IBM SDK for Node.js used by the Cordova platform, as applicable below, in the product to address this vulnerability: \n \n\n\n**Product**| **VRMF**| **Remediation/Download FixCentral Link** \n---|---|--- \nRational Software Architect| 8.0.x to 8.0.4.2 iFix1| [IBM Java Runtime Edition Version 6.0 SR16 FP3](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect&release=8.0.0&platform=All&function=fixId&fixids=Rational-RSA-Java6SR16FP3b-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect for WebSphere Software| 7.5.x to 7.5.5.5 iFix1; 8.0.x to 8.0.4.2 iFix1| [IBM Java Runtime Edition Version 6.0 SR16 FP3](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+for+WebSphere+Software&release=8.0.0&platform=All&function=fixId&fixids=Rational-RSA4WS-Java6SR16FP3b-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect Standard Edition| 7.5.x to 7.5.5.5 iFix1| [IBM Java Runtime Edition Version 6.0 SR16 FP3](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+Standard+Edition&release=7.5.0.0&platform=All&function=fixId&fixids=Rational-RSASE-Java6SR16FP3b-ifix&includeSupersedes=0&source=fc>) \nRefer to the installation instructions given below this table. 
\nRational Software Architect / Rational Software Architect for WebSphere Software| 9.0, 9.0.0.1; 8.5 to 8.5.5.2| See Workarounds and Mitigations section below \nRational Software Architect / Rational Software Architect for WebSphere Software| 9.1, 9.1.1| 1\\. See Workarounds and Mitigations section below. 2\\. Apply [IBM SDK for Node.js 1.1.0.14](<http://www.ibm.com/developerworks/web/nodesdk/>) to the Cordova platform in the product. \n \nInstallation instructions for applying the update to the Cordova platform in the product can be found here: \n[_Upgrading the IBM SDK for Node.js used by Cordova_](<http://www.ibm.com/support/docview.wss?uid=swg21684946>) \n \n**Installation instructions to update IBM Java Runtime Edition Version 6.0 SR16 FP3:** \n\n\n 1. Download the update files from Fix Central by following the link listed in the download table above. \n \n\n 2. Extract the compressed files in an appropriate directory. \n \nFor example, choose to extract to `C:\\temp\\update`. \n \n\n 3. Add the update repository location in IBM Installation Manager: \n \n\n 4. Start IBM Installation Manager. \n \n\n 5. On the Start page of Installation Manager, click **File > Preferences**, and then click **Repositories**. The Repositories page opens. \n \n\n 6. On the Repositories page, click **Add Repository**. \n \n\n 7. In the Add repository window, browse to or enter the file path to the repository.config file, which is located in the directory where you extracted the compressed files, and then click OK. \n \nFor example, enter `C:\\temp\\updates\\repository.config`. \n \n\n 8. Click **OK** to close the Preference page. \n \n\n 9. 
Install the update as described in the topic **Updating Installed Product Packages** in the [IBM Knowledge Center](<http://www.ibm.com/support/knowledgecenter/>) for your product and version.\n\n## Workarounds and Mitigations\n\nIf you are using any of the following products: \n\n * Rational Software Architect for WebSphere Software versions 8.5, 9.0, and 9.1/9.1.1\n * Rational Software Architect versions 8.5, 9.0, and 9.1/9.1.1\n \nthen the following steps can be used to remove RC4 from the list of available algorithms: \n \n1\\. Ensure the product is not running. \n \n2\\. Locate the java.security file used by the product: \n_install folder_/jdk/jre/lib/security/java.security \n \n3\\. Edit the java.security file with a text editor and locate the line: \n`jdk.tls.disabledAlgorithms=SSLv3` \n \n4\\. Add RC4 to the list of disabled algorithms, for example: \n`jdk.tls.disabledAlgorithms=SSLv3, RC4` \n \n5\\. Save the file and restart the product. \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2020-09-10T15:49:00", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Software Architect for WebSphere Software (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2020-09-10T15:49:00", "id": "D23F03AB9983DD209184C6341CA20DBB1C7F8DA766136DEC3057D49A2330767D", "href": "https://www.ibm.com/support/pages/node/262257", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:37:09", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack affects products that use the SSL/TLS protocol as a means for secure communication. The IBM FileNet Content Manager, IBM FileNet BPM and IBM Content Foundation products can be configured to use the SSL/TLS protocol and are thus potentially affected by this attack. If using the SSL/TLS protocol with these products, please refer to the sections below to remediate this security vulnerability. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)\n\n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\n \n**CVSS Base Score**: 5 \n**CVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \n**CVSS Environmental Score***: Undefined \n**CVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM FileNet Content Manager 5.1.0, 5.2.0, 5.2.1 \nIBM Content Foundation 5.2.0, 5.2.1 \nIBM FileNet Business Process Manager 4.5.1, 5.0.0, 5.2.0\n\n## Remediation/Fixes\n\nThe RC4 \u201cBar Mitzvah\u201d Attack can be remediated by upgrading to Java Runtime Environment (JRE) v1.6.0 SR16 FP3 + IV70681 + IV71888 or higher, which is provided in the releases listed in the table below. \n\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix Available** \n---|---|---|--- \nFileNet Content Manager| 5.1.0| PJ43167| 5.1.0.0-P8CSS-IF012 - 4/27/2015 \nFileNet Content Manager| 5.2.0| PJ43169| 5.2.0.2-P8CSS-IF004 - 4/27/2015 \nFileNet Content Manager| 5.2.1| PJ43169| 5.2.1.0-P8CSS-IF002 - 4/27/2015 \nFileNet Content Manager| 5.2.0| PJ43172| 5.2.0.3-P8CPE-IF007 - 8/4/2015 \nFileNet Content Manager| 5.2.1| PJ43172| 5.2.1.2-P8CPE-IF001 - 8/4/2015 \nIBM Content Foundation (ICF)| 5.2.0| PJ43169| 5.2.0.2-P8CSS-IF004 - 4/27/2015 \nIBM Content Foundation (ICF)| 5.2.1| PJ43169| 5.2.1.0-P8CSS-IF002 - 4/27/2015 \nIBM Content Foundation (ICF)| 5.2.0| PJ43172| 5.2.0.3-P8CPE-IF007 - 8/4/2015 \nIBM Content Foundation (ICF)| 5.2.1| PJ43172| 5.2.1.2-P8CPE-IF001 - 8/4/2015 \nFileNet Business Process Manager| 4.5.1| PJ43170| 4.5.1.4-P8PE-IF008 - 8/4/2015 \nFileNet Business Process Manager| 5.0.0| PJ43171| 5.0.0.8-P8PE-IF002 - 8/4/2015 \nFileNet Business Process Manager| 5.2.0| PJ43174| eProcess-5.2.0-001.006 (Win, Sol, AIX, HP, HPUX only) - 8/4/2015 \n \nThese releases are available on Fix Central: <http://www.ibm.com/support/fixcentral/>\n\nIBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher (associated with the SSL/TLS protocols) and take appropriate mitigation and 
remediation actions. \n\n## Workarounds and Mitigations\n\nYou should verify that applying the configuration changes recommended below does not cause any compatibility issues. \n\n\nThe mitigation is to disable RC4:\n\n * Web application administrators should disable RC4 in their application's TLS configuration on the application server.\n * Web users are encouraged to disable RC4 in their browser's TLS configuration.\n \n \n**Case Foundation 5.2.1 / CPE 5.2.1** \n**or** \n**Case Foundation 5.2.0 / CPE 5.2.0** \n\n\nIf using the **legacy Component Manager** you should do _either_ of the following: \n * Configure the legacy Component Manager so that it is invoked with the **-Dcom.ibm.jsse2.JSSEFIPS=true** option on the java command line for your legacy component. This is done with the **Process Task Manager** on the server where the legacy Component Manager is running.\nor \n * Obtain a Java Runtime Environment (JRE) that includes the fix for the \"Bar Mitzvah\" issue (if one is available) and ensure that any legacy Component Managers are using that JRE.\n \nOn the **Content Platform Engine (CPE) Server**, the Java Runtime Environment (JRE) is not supplied by the FileNet Content Manager, IBM Content Foundation or FileNet BPM software. The mitigation on the CPE Server side comes from the supplier of your JRE or from the application server being used to host the CPE Server software. \n \nFor **Java based Content Engine system tools** (such as FileNet Deployment Manager (FDM) and Content Engine Bulk Import Tool (CEBIT)), you should do _either_ of the following: \n * Configure each tool so that it is invoked with the **-Dcom.ibm.jsse2.JSSEFIPS=true** option on the java command line that initiates the tool. 
\nor \n * Obtain a Java Runtime Environment (JRE) that includes the fix for the \"Bar Mitzvah\" issue (if one is available) and ensure that any Java based Content Engine system tool is using that JRE.\n \nOn the **Content Platform Engine Client side**, the Java Runtime Environment (JRE) is not supplied by the FileNet Content Manager, IBM Content Foundation or FileNet BPM software. The mitigation on the CPE Client side comes from the supplier of your JRE or from the application server being used to host the Content or Case Foundation applications. \n \n**Process Engine 5.0 (PE 5.0)** \n\n\nOn the **PE Server**, configure the PE software so that it is invoked with the **-Dcom.ibm.jsse2.JSSEFIPS=true** option on the java command line. \nFor example: \n 1. Stop the PE Server software.\n 2. Edit the .../IBM/FileNet/ProcessEngine/startpesvr.bat file (on Windows servers) or the startpesvr script (on Unix or Linux servers) and add **-Dcom.ibm.jsse2.JSSEFIPS=true** so that the java command in the batch/script file begins like this: \n\"%JAVA_HOME%\\bin\\java\" **-Dcom.ibm.jsse2.JSSEFIPS=true** -Djpeserver.useHTTPTunneling=false ...\n 3. Start the PE Server software.\n \nFor the **Component Manager**, you should do _either_ of the following: \n * Configure the Component Manager so that it is invoked with the **-Dcom.ibm.jsse2.JSSEFIPS=true** option on the java command line for running the component. This is done with the **Process Task Manager** on the server where the Component Manager is running. \nor \n * Obtain a Java Runtime Environment (JRE) that includes the fix for the \"Bar Mitzvah\" issue (if one is available) and ensure that any Component Managers are using that JRE.\n \nOn the **Process Engine Client side**, the Java Runtime Environment (JRE) is not supplied by the FileNet BPM software. The mitigation on the PE Client side comes from the supplier of your JRE used to run your PE applications. 
\n \n**Process Engine 4.5.1 (PE 4.5.1)** \n\n\nFor the **Component Manager**, you should do _either_ of the following: \n * Configure the Component Manager so that it is invoked with the **-Dcom.ibm.jsse2.JSSEFIPS=true** option on the java command line for running the component. This is done with the **Process Task Manager** on the server where the Component Manager is running. \nor \n * Obtain a Java Runtime Environment (JRE) that includes the fix for the \"Bar Mitzvah\" issue (if one is available) and ensure that any Component Managers are using that JRE.\n \nOn the **Process Engine Client side**, the Java Runtime Environment (JRE) is not supplied by the FileNet BPM software. The mitigation on the PE Client side comes from the supplier of your JRE used to run your PE applications. \n \n**eProcess 5.2.0** \n\n\nFor the **Component Manager**, you should do _either_ of the following: \n * Configure the Component Manager so that it is invoked with the **-Dcom.ibm.jsse2.JSSEFIPS=true** option on the java command line for running the component. This is done with the **Process Task Manager** on the server where the Component Manager is running. \nor \n * Obtain a Java Runtime Environment (JRE) that includes the fix for the \"Bar Mitzvah\" issue (if one is available) and ensure that any Component Managers are using that JRE.\n \nOn the **eProcess Client side**, the Java Runtime Environment (JRE) is not supplied by the FileNet BPM software. The mitigation on the eProcess Client side comes from the supplier of your JRE used to run your eProcess applications. \n \n**Content Federation Services** \n\n\nFor **Content Federation Services installation**: \nContent Federation Services (CFS) uses the Content Engine/Content Platform Engine (CE/CPE) Client Download API during installation. You should do all of the following for 5.2.0.2-CFS-FP002 and prior: \n 1. 
Make sure the \"Bar Mitzvah\" issue is addressed on the CPE server before launching the Content Federation Services (CFS) installer.\n 2. Get a Java Runtime Environment (JRE) that includes a fix for the Bar Mitzvah issue (if one is available) and launch the CFS installer program with this JRE. \n \nThe command syntax is:\n \n<Executable file name for CFS installer> LAX_VM <Java executable> \n \nFor example: \n(Windows) \n`5.1.0-CFS-WIN.EXE LAX_VM ` \n`C:\\Program Files (x86)\\Java\\NEW_JRE\\bin\\java.exe` \n \n(UNIX) \n`./5.1.0-CFS-<PLATFORM>.BIN LAX_VM /opt/NEW_JRE/jre/bin/java` \nFor Content Federation Services **Federation Administration application**: \nAt the application server where Content Federated Services Federation Administration is deployed, apply the mitigations from the application server provider. \n \n**Content Engine tools 5.0.0, 5.1.0, 5.2.0, 5.2.1** \n\n\nFor **Java based Content Engine system tools** (such as FileNet Deployment Manager (FDM) and Content Engine Bulk Import Tool (CEBIT)), you should do _either_ of the following: \n * Configure each tool so that it is invoked with the **-Dcom.ibm.jsse2.JSSEFIPS=true** option on the java command line that initiates the tool. \nor \n * Obtain a Java Runtime Environment (JRE) that includes the fix for the \"Bar Mitzvah\" issue (if one is available) and ensure that any Java based Content Engine system tool is using that JRE.\n \n \n**Content Engine Client Download API ** \n\n\nAt the application server where Content Engine Client Downloader API is deployed, apply the mitigations from the application server provider. \n \nFor httpsURLConnection, set the https.cipherSuites system property to not include the RC4 cipher suites. \n \n**Application Server Notes** \n \n**How to disable RC4 for WebSphere:** \n<http://www.ibm.com/support/docview.wss?uid=swg21701503> \n \n**How to disable RC4 for JBoss:** \nContact your provider for the instructions on how to disable RC4. 
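The `https.cipherSuites` step above, like the WebSphere QoP, Jetty `ExcludeCipherSuites` and GPFS `cipherList` steps elsewhere on this page, is the same policy decision expressed in product-specific syntax: take the list of suites that is currently enabled, drop every RC4 suite (CVE-2015-2808), and hand the remainder back to the product. The filter below is an added example, not IBM code, that does that classification by suite name and renders the survivors as the comma-separated `https.cipherSuites` value. `SAMPLE_ENABLED` is a constructed list; the patterns recognise both JSSE spellings (`SSL_RSA_WITH_RC4_128_SHA`) and OpenSSL spellings (`RC4-SHA`, `EXP-RC4-MD5`), which goes beyond the single-property case in the text. The extra weakness classes (export, NULL, anonymous, single DES, MD5) are this example's grouping, not IBM's, and are off by default.

```python
"""
Cipher-suite policy filter: drop RC4 (CVE-2015-2808) and, optionally, other
weak suites from an enabled-suite list, then render the survivors as the
value for the https.cipherSuites system property.
Added example; not IBM code. Suite names are for illustration only.
"""
import re

# Weakness classes recognised by name, in both JSSE spelling
# (SSL_RSA_WITH_RC4_128_SHA) and OpenSSL spelling (RC4-SHA).
WEAK_PATTERNS = {
    "RC4":    re.compile(r"RC4"),
    "EXPORT": re.compile(r"_EXPORT|^EXP-"),
    "NULL":   re.compile(r"_NULL_|^NULL-|-NULL-"),
    "anon":   re.compile(r"_anon_|_Anon_|^ADH-|^AECDH-"),
    "DES":    re.compile(r"_DES_|DES-CBC-"),   # single DES only; 3DES is _3DES_ / DES-CBC3
    "MD5":    re.compile(r"MD5$"),
}

# Constructed sample of what a JVM or a WebSphere QoP panel might list as enabled.
SAMPLE_ENABLED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DH_anon_WITH_AES_128_CBC_SHA",
]


def classify(suite):
    """Return the weakness labels that apply to one suite name (empty if none)."""
    return [label for label, pat in WEAK_PATTERNS.items() if pat.search(suite)]


def split_suites(enabled, reject_labels=("RC4",)):
    """
    Partition `enabled` into (kept, rejected).
    `kept` preserves the input order; `rejected` maps suite -> matching labels.
    By default only RC4 suites are rejected, matching the bulletin's scope;
    pass reject_labels=tuple(WEAK_PATTERNS) for the stricter policy.
    """
    kept, rejected = [], {}
    for suite in enabled:
        hits = [label for label in classify(suite) if label in reject_labels]
        if hits:
            rejected[suite] = hits
        else:
            kept.append(suite)
    return kept, rejected


def https_cipher_suites_property(enabled, reject_labels=("RC4",)):
    """Render the kept suites as the comma-separated https.cipherSuites value."""
    kept, _ = split_suites(enabled, reject_labels)
    return ",".join(kept)


if __name__ == "__main__":
    kept, rejected = split_suites(SAMPLE_ENABLED)
    for suite, why in rejected.items():
        print(f"drop {suite:40s} ({', '.join(why)})")
    print("-Dhttps.cipherSuites=" + https_cipher_suites_property(SAMPLE_ENABLED))
```

Pass the rendered string on the java command line as `-Dhttps.cipherSuites=...`; an empty result means the enabled list contained nothing but rejected suites, which is worth catching before deployment, since an empty property leaves the JSSE defaults in force rather than disabling everything.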
\n \n**How to disable RC4 for WebLogic:** \nContact your provider for the instructions on how to disable RC4. \n \n\n\n## ", "cvss3": {}, "published": "2021-07-14T21:30:53", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM FileNet Content Manager, IBM FileNet BPM and IBM Content Foundation products (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2021-07-14T21:30:53", "id": "835D2A5A40C840ADDECF97F6DAF3BAC7FFF1CC2A6365101771BCDD83EB4E95A7", "href": "https://www.ibm.com/support/pages/node/260677", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:39:03", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects OpenSSH for GPFS V3.5 for Windows. Additionally, with the recent attention to RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS, this is a reminder to NOT enable weak or export-level cipher suites for IBM General Parallel File System (GPFS).\n\n## Vulnerability Details\n\nCVEID: [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \nDESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nOpenSSH for GPFS V3.5 for Windows\n\n## Remediation/Fixes\n\nIn GPFS V3.5.0.24 dated April 2015, IBM upgraded OpenSSH for GPFS on Windows to remove RC4 ciphers to address this vulnerability. System administrators should update their systems to GPFS V3.5.0.24 by following the steps below. \n \n1\\. Download the GPFS 3.5.0.24 update package dated April 2015 into any directory on your system. From IBM at [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%2Bsoftware&product=ibm/power/IBM+General+Parallel+File+System&release=3.5.0&platform=Windows&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%2Bsoftware&product=ibm/power/IBM+General+Parallel+File+System&release=3.5.0&platform=Windows&function=all>) \n \n2\\. Extract the contents of the ZIP archive so that the .msi file it includes is directly accessible to your system. \n \n3\\. Follow the instructions in the README included in the update package in order to install the OpenSSH msi package. This updated OpenSSH msi package is built to disable RC4 ciphers. \n \nIf GPFS multiclustering is configured on Windows nodes, upgrade all OpenSSL packages that may have been installed. The following can be done on a small group of nodes at each time (ensuring that quorum is maintained) to maintain file system availability: \n \na. Stop GPFS on the node \nb. Install the version of OpenSSL \nc. Restart GPFS on the node \n \nYou should verify applying this fix does not cause any compatibility issues. The fix removes RC4 stream cipher in the OpenSSH binaries. As such, RC4 cipher cannot be enabled. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nIf you enabled the RC4 stream cipher you are exposed to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \nIBM GPFS V4.1 Advanced Edition, when encrypting data at rest, by default disables RC4 stream cipher. \n \nIBM GPFS V4.1 (all Editions), when GPFS operates in NIST 800-131A mode the system is not vulnerable. \n \nIn all versions of GPFS, the cipherList configuration parameter to enable transport-level security and authentication should be set to avoid using weak ciphers. In particular, EXP-RC2-CBC-MD5, EXP-RC4-MD5, RC4-MD5 and RC4-SHA should be avoided. \n \nNote: Customers who use AUTHONLY as cipherList are not affected.\n\n## ", "cvss3": {}, "published": "2021-06-25T16:46:35", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects GPFS V3.5 for Windows (CVE-2015-2808) / Enabling weak cipher suites for IBM General Parallel File System is NOT recommended", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2021-06-25T16:46:35", "id": "74E497C52EEB8AD45FB3C1BCF26BE85AF9228F556103D174A27BE7A01D9231D1", "href": 
"https://www.ibm.com/support/pages/node/680597", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-12-02T21:37:18", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM License Metric Tool v7.5 and v7.2.2, IBM Endpoint Manager for Software Use Analysis v2.2 and IBM Tivoli Asset Discovery for Distributed v7.5 and v7.2.2\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**IBM License Metric Tool v7.5 and v7.2.2** \n**IBM Endpoint Manager for Software Use Analysis v2.2** \n**IBM Tivoli Asset Discovery for Distributed v7.5 and v7.2.2**\n\n## Remediation/Fixes\n\nFor version 7.5 (using WebSphere Application Server 7): \n\n * Please apply the fix provided in the following bulletin: <http://www-01.ibm.com/support/docview.wss?uid=swg21701503>. 
You can also apply the newer April 2015 Cumulative Patch Update for WebSphere available in the following bulletin: <https://www-304.ibm.com/support/docview.wss?uid=swg21902260>.\n \nFor version 7.2.2 (using WebSphere Application Server 6.1): \n\n * Please apply the fix provided in the April 2015 Cumulative Patch Update for WebSphere available in the following bulletin: <https://www-304.ibm.com/support/docview.wss?uid=swg21902260>. Note that you need to contact IBM Support in order to obtain the fix.\n\n## Workarounds and Mitigations\n\n**For version 7.2.2**: \n\n 1. Log in to the WebUI as administrator.\n 2. On the task panel to the left expand the **Security** item and click **SSL certificate and key management**.\n 3. In the **Related Items** group in the main panel click **SSL configurations**.\n 4. For each of the following 3 items (ILMTsecure, ILMTsecure_with_client_auth and NodeDefaultSSLSettings):\n * Click the item in the list.\n * In the **Additional Properties** group click **Quality of protection (QoP) settings**.\n * In the **Cipher suites** area, in the **Selected ciphers** group select all items containing the string \"RC4\" (you can Control-click to select multiple items) and click the **<< Remove** button.\n * Click the **OK** button.\n * Click **Save** in the **Messages** pane.\n * A server restart is not required.\n**For version 7.5**: \n\n 1. Log in to the WebUI as administrator.\n 2. On the task panel to the left expand the **Settings** item and click **WebSphere Administrative Console**.\n 3. Click the **Launch WebSphere administrative console** button in the main panel.\n 4. Log in to the WebSphere console.\n 5. Proceed with the instructions provided for v7.2.2, starting from Step 2.\n \n**For version 2.2**: \n\n 1. Locate the jetty.xml file in the server installation (<SUA_install_dir>\\TEMA\\config\\jetty.xml).\n 2. Replace the ExcludeCipherSuites element with the one provided below. Make sure you replace the whole existing element.\n 3. 
Restart server.\n \nNote: You need to repeat the task each time you switch between HTTP and HTTPS settings. \n\n \nExcludeCipherSuites element: \n \n<Set name=\"ExcludeCipherSuites\"> \n<Array type=\"java.lang.String\"> \n<!-- default --> \n<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item> \n<Item>SSL_DHE_DSS_WITH_AES_128_CBC_SHA</Item> \n<Item>SSL_DHE_DSS_WITH_AES_256_CBC_SHA</Item> \n<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item> \n<Item>SSL_DHE_DSS_WITH_RC4_128_SHA</Item> \n<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> \n<Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item> \n<Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item> \n<Item>SSL_DHE_RSA_WITH_AES_256_CBC_SHA</Item> \n<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item> \n<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> \n<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item> \n<Item>SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA</Item> \n<Item>SSL_RSA_FIPS_WITH_DES_EDE_CBC_SHA</Item> \n<Item>SSL_RSA_WITH_DES_CBC_SHA</Item> \n<!-- RC4 --> \n<Item>PCT_SSL_CIPHER_TYPE_1ST_HALF</Item> \n<Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item> \n<Item>SSL_DH_anon_WITH_RC4_128_MD5</Item> \n<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item> \n<Item>SSL_RSA_WITH_RC4_128_MD5</Item> \n<Item>SSL_RSA_WITH_RC4_128_SHA</Item> \n<Item>SSL2_RC4_128_EXPORT40_WITH_MD5</Item> \n<Item>SSL2_RC4_128_WITH_MD5</Item> \n<Item>SSL2_RC4_64_WITH_MD5</Item> \n<Item>TLS_DH_Anon_EXPORT_WITH_RC4_40_MD5</Item> \n<Item>TLS_DH_Anon_WITH_RC4_128_MD5</Item> \n<Item>TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA</Item> \n<Item>TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA256</Item> \n<Item>TLS_DHE_DSS_WITH_RC4_128_SHA</Item> \n<Item>TLS_DHE_DSS_WITH_RC4_128_SHA256</Item> \n<Item>TLS_DHE_PSK_WITH_RC4_128_SHA</Item> \n<Item>TLS_DHE_PSK_WITH_RC4_128_SHA256</Item> \n<Item>TLS_ECDH_Anon_WITH_RC4_128_SHA</Item> \n<Item>TLS_ECDH_Anon_WITH_RC4_128_SHA256</Item> \n<Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item> \n<Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA256</Item> \n<Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item> 
\n<Item>TLS_ECDH_RSA_WITH_RC4_128_SHA256</Item> \n<Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item> \n<Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA256</Item> \n<Item>TLS_ECDHE_PSK_WITH_RC4_128_SHA</Item> \n<Item>TLS_ECDHE_PSK_WITH_RC4_128_SHA256</Item> \n<Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item> \n<Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA256</Item> \n<Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item> \n<Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item> \n<Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA256</Item> \n<Item>TLS_KRB5_WITH_RC4_128_MD5</Item> \n<Item>TLS_KRB5_WITH_RC4_128_SHA</Item> \n<Item>TLS_KRB5_WITH_RC4_128_SHA256</Item> \n<Item>TLS_PSK_WITH_RC4_128_SHA</Item> \n<Item>TLS_PSK_WITH_RC4_128_SHA256</Item> \n<Item>TLS_RSA_EXPORT_WITH_RC4_40_MD5</Item> \n<Item>TLS_RSA_EXPORT1024_WITH_RC4_56_MD5</Item> \n<Item>TLS_RSA_EXPORT1024_WITH_RC4_56_SHA</Item> \n<Item>TLS_RSA_EXPORT1024_WITH_RC4_56_SHA256</Item> \n<Item>TLS_RSA_PSK_WITH_RC4_128_SHA</Item> \n<Item>TLS_RSA_PSK_WITH_RC4_128_SHA256</Item> \n<Item>TLS_RSA_WITH_RC4_128_MD5</Item> \n<Item>TLS_RSA_WITH_RC4_128_SHA</Item> \n<Item>TLS_RSA_WITH_RC4_128_SHA256</Item> \n</Array> \n</Set> \n--- \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SS8JFY\",\"label\":\"IBM License Metric Tool\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.2.2;7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSHT5T\",\"label\":\"Tivoli Asset Discovery for Distributed\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {}, "published": "2022-08-19T18:23:31", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM License Metric Tool v7.5 and v7.2.2, IBM Endpoint Manager for Software Use Analysis v2.2 and IBM Tivoli Asset Discovery for Distributed v7.5 and v7.2.2 - CVE-2015-2808", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2022-08-19T18:23:31", "id": "AB73DF1DED880AA827EA4E5E91B8DBA3690CE7E70C1A60103A9F51A1BFEFA864", "href": "https://www.ibm.com/support/pages/node/260987", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:38:38", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Power Hardware Management Console.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nPower HMC V7.7.8.0 \nPower HMC V7.7.9.0 \nPower HMC V8.1.0.0 \nPower HMC V8.2.0.0\n\n## Remediation/Fixes\n\nThe Following fixes are available on IBM Fix Central at <http://www-933.ibm.com/support/fixcentral/>\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nPower HMC| V7.7.8.0 SP2| MB03906| Apply eFix MH01518 \nPower HMC| V7.7.9.0 SP2| MB03907| Apply eFix MH01519 \nPower HMC | V8.8.1.0 SP1| MB03908| Apply eFix MH01520 \nPower HMC| V8.8.2.0 SP1| MB03910| Apply eFix MH01521 \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \n**Note**: \n1\\. For unsupported releases IBM recommends upgrading to a fixed, supported release of the product. \n2\\. After applying the PTF, you should restart the HMC. \n3\\. HMC V7.7.3 support is extended only for managing the Power 775 (9125-F2C) also called \"PERCS\" and \"IH\". End Of Service date for managing all other server models was 2013.05.31. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2021-09-23T01:31:39", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Power Hardware Management Console (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2021-09-23T01:31:39", "id": "055F14D4453D23442196CA3BC1C6E739FCA613AD1E84456CB7B5A48478285193", "href": "https://www.ibm.com/support/pages/node/646259", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:35:17", "description": "## Abstract\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Operations Analytics Predictive Insights which is consuming WebSphere Application Server 8.5.5.1\n\n## Content\n\n**Vulnerability Details**\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**Affected Products and Versions**\n\nOperations Analytics Predictive Insights 1.3.1 and earlier\n\n**Remediation/Fixes **\n\n \n\n\n_<Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_Operations Analytics Predictive Insights_| _1.3.1 and earlier_| _None_| See work around \n \n_For 1.3.1 and earlier IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n \n**Workarounds and Mitigations** \n \n \nInstallation Instructions \n\\------------------------------------ \nAs the user that installed the Predictive Insights UI component, typically scadmin \n1\\. Stop the UI server used by Operations Analytics Predictive Insights \n<UI_HOME>/bin/pi.sh -stop \nwhere <UI_HOME> is typically /opt/IBM/scanalytics/UI \n2\\. cd <UI_HOME>/ibm-java-x86_64-70/jre/lib/security/ \n3\\. Create a copy of java.security file \ncp java.security java.security_orig \n4\\. Edit UI_HOME/ibm-java-x86_64-70/jre/lib/security/java.security file. \nAdd RC4 to jdk.tls.disabledAlgorithms variable. \nFor example \nvi <UI_HOME>/ibm-java-x86_64-70/jre/lib/security/java.security and change this line: \njdk.tls.disabledAlgorithms=SSLv3 \nto \njdk.tls.disabledAlgorithms=SSLv3,RC4 \n5\\. cd <UI_HOME>/wlp/usr/servers/piserver/ \n6\\. Create a copy of jvm.options file \ncp jvm.options jvm.options_orig \n7\\. Edit <UI_HOME>/wlp/usr/servers/piserver/jvm.options file. \nAdd this line: \n-Djsse.enableCBCProtection=true \n8\\. start UI server \n<UI_HOME>/bin/pi.sh -start \n \n \n \nRemoval Instructions \n\\------------------------------------ \nAs the user that installed the Predictive Insights UI component, typically scadmin \n1\\. 
Stop the UI server used by Operations Analytics Predictive Insights \n<UI_HOME>/bin/pi.sh -stop \nwhere <UI_HOME> is typically /opt/IBM/scanalytics/UI \n2\\. cd <UI_HOME>/ibm-java-x86_64-70/jre/lib/security/ \n3\\. Replace java.security file with the original \nmv java.security_orig java.security \n4\\. cd <UI_HOME>/wlp/usr/servers/piserver/ \n5\\. Replace jvm.options file with the original \nmv jvm.options_orig jvm.options \n6\\. start UI server \n<UI_HOME>/bin/pi.sh -start \n \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \n\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSJQQ3\",\"label\":\"IBM Operations Analytics - Predictive Insights\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"1.2;1.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2022-09-25T21:21:12", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Operations Analytics Predictive Insights (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2022-09-25T21:21:12", "id": "A9D664B8F8F70501F9E08DDB9E7EFC7FB73C0E0ECB305043842B889103AE9C45", "href": "https://www.ibm.com/support/pages/node/261939", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:36:56", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Tivoli Storage Productivity Center.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**DESCRIPTION: **The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. 
An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n\n\n## Affected Products and Versions\n\nIBM Spectrum Control 5.2.8 through 5.2.9 (only for upgrade) \nTivoli Storage Productivity Center 5.2.5.1 through 5.2.7 (only for upgrade) \nTivoli Storage Productivity Center 5.2.0 through 5.2.5 \nTivoli Storage Productivity Center 5.1.0 through 5.1.1.6 \nTivoli Storage Productivity Center 4.2.0 through 4.2.2.191 \nTivoli Storage Productivity Center 4.1.x \nTotalStorage Productivity Center 3.3.x \n \nThe versions listed above apply to all licensed offerings of Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine. \n \nSystem Storage Productivity Center is affected if it has one of the versions listed above installed on it.\n\n## Remediation/Fixes\n\nThe solution is to apply an appropriate Tivoli Storage Productivity Center fix maintenance for each named product as soon as practicable. See [_Latest Downloads_](<http://www.ibm.com/support/docview.wss?uid=swg21320822>) for links to the fixes. 
\n\nIt is always recommended to have a current backup before applying any upgrade procedure.\n\n \n \n**Affected Version**| **APAR**| **Fixed Version**| **Availability** \n---|---|---|--- \n5.2.x | IT08318| 5.2.5.1 \nSee important additional steps for APAR IT15332.| April 2015 \n5.1.x| IT08318| 5.1.1.7| April 2015 \n4.2.2.x| IT08539| 4.2.2.195 (FP9)| May 2015 \n**Note:** For Tivoli Storage Productivity Center 4.1.x or TotalStorage Productivity Center 3.3.x, IBM recommends upgrading to a fixed, supported release of the product. \n \n**Additional steps for Tivoli Storage Productivity Center 5.1.x and 5.2.x** \n \n**Important: **For Tivoli Storage Productivity Center 5.2.5.1 through 5.2.7 and IBM Spectrum Control 5.2.8 through 5.2.9 that have been upgraded from an earlier version, verify that the file RC4_ENABLE does not exist in the Data directory. If it exists, it must be deleted and the Data server restarted. This has been resolved with the fix for APAR IT15332 in IBM Spectrum Control 5.2.10. \n \nExample: \nIBM\\TPC\\Data\\RC4_ENABLE \n--- \n \nThe following steps will complete the configuration of WebSphere Application server to remove the RC4 cipher from the default enabledCiphers. \n \nFrom a command window: \n\n 1. cd \"C:\\Program Files\\IBM\\TPC\\ewas\\profiles\\WebServerProfile\\bin\"\n 2. wsadmin.bat -connType NONE -c \"$AdminTask modifySSLConfig {-alias NodeDefaultSSLSettings -scopeName (cell):WebServerCell:(node):WebServerNode -securityLevel HIGH -enabledCiphers {SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA}}\"\n \nExpected output: \n\"WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.\" \n \nIf the output instead indicates an error, check for typos. If the command completed successfully: \n\n\n 1. 
Stop the TPCWebServer \n<TPC install dir>/scripts/stopTPCWeb.bat \nor \nWindows Services panel \"IBM WebSphere Application Server v8.0 - TPCWebServer\"\n 2. Restart the TPCWebServer \n<TPC install dir>/scripts/startTPCWeb.bat \nor \nWindows Services panel \"IBM WebSphere Application Server v8.0 - TPCWebServer\"\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-02-22T19:27:34", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Tivoli Storage Productivity Center (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2022-02-22T19:27:34", "id": "381ED3699651F44D736C9F0F7D611B0779505D220D566224222133A89182FBAF", "href": "https://www.ibm.com/support/pages/node/262141", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:38:24", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Rational DOORS Web Access. \n\n## Vulnerability Details\n\nRational DOORS Web Access is affected by the following vulnerabilities disclosed in and corrected by the JRE critical patch updates: \n\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. 
An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational DOORS Web Access version 9.6.1.x, 9.6.0.x, 9.5.2.x, 9.5.1.x, 9.5.0.x, 1.5.0.x, 1.4.0.x\n\n## Remediation/Fixes\n\nThe only solution is to upgrade the JRE. You can upgrade the JRE after installing Rational DOORS Web Access. \n\nTo obtain the updated version of the IBM JRE, [_contact IBM Support_](<https://www-947.ibm.com/support/servicerequest/Home.action?category=2>). Support can help identify the latest JRE that is compatible with your operating system and platform. Publicly available versions of the Oracle JRE are not supported with Rational DOORS Web Access.\n\n \n \nThe following table presents Rational DOORS Web Access versions and the compatible versions of IBM JRE. \n \n**Rational DOORS Web Access**| **IBM JRE** \n---|--- \n1.4.0.x| 6.0.16.3 \n1.5.0.x| 6.0.16.3 \n9.5.0.x| 6.0.16.3 \n9.5.1.x| 6.0.16.3 \n9.5.2.x| 6.0.16.3 \n9.6.0.x| See \"Workarounds and Mitigations\" \n9.6.1.x| See \"Workarounds and Mitigations\" \nTo install the updated JRE in Rational DOORS Web Access, review the help topic: \n[Upgrading the Rational DOORS Web Access JRE](<http://www.ibm.com/support/knowledgecenter/SSYQBZ_9.6.0/com.ibm.doors.install.doc/topics//t_upgrading_dwa_jre.html>)\n\n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. 
If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \n_For versions of Rational DOORS Web Access that are earlier than version 1.4.0.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nFor Rational DOORS Web Access versions 1.4.0.x - 9.5.2.x, upgrade the JRE, as described in \"Remediation/Fixes\". \n\nFor versions 9.6.0.x - 9.6.1.x, disable the RC4 cipher suite in your Java 7 installation: \n1\\. Open the following file in a text editor: `jre/lib/security/java.security` \n2\\. Add RC4 to `jdk.tls.disabledAlgorithms`\n\nFor example: \n`jdk.tls.disabledAlgorithms=SSLv3, RC4, D5, SHA1, RSA keySize < 1024` \n \nThe minimum entries that are required for the POODLE and Bar Mitzvah vulnerabilities are the following: \n \n`jdk.tls.disabledAlgorithms=SSLv3, RC4` \n \nUsers who enabled SP800-131a for Rational DOORS Web Access are not affected. \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2020-05-01T08:19:24", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational DOORS Web Access (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2020-05-01T08:19:24", "id": "3C1DE59A419F46B66A4E4DDAEC65BDCC256D9DD82067BADAF8246DE10A3AE64F", "href": "https://www.ibm.com/support/pages/node/261753", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:37:08", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the IBM Installation Manager and IBM Packaging Utility\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Installation Manager and IBM Packaging Utility versions 1.8.2.1 and earlier.\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_IBM Installation Manager and IBM Packaging Utility_| _1.7.4.x_| _None_| [_1.7.4.2 IBM Installation Manager Remediation_](<http://www.ibm.com/support/docview.wss?uid=swg24039825>) and [_1.7.4.2 IBM Packaging Utility Remediation_](<http://www.ibm.com/support/docview.wss?uid=swg24039827>) \n_Installation Manager and IBM Packaging Utility_| _1.8.x_| _None_| _See 1.8.x work around below_ \n \n_Please note that the 1.7.4.2 fix is intended for upgrade of 1.7.4.1 and earlier versions which continue support on platforms that are NOT supported by 1.8 or later versions._\n\n_Users running 1.7.4.1 or earlier version on platforms that ARE supported by 1.8.x version, should upgrade to 1.8.2.1 and implement the work around described below._ \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\n_IBM Installation Manager 1.8.x work around_: \n \nTo work around the RC4 Bar Mitzvah security vulnerability in IBM Installation Manager version 1.8.x, update the **java.security** file to add the **RC4** string to the list of disabled TLS algorithms identified by the **jdk.tls.disabledAlgorithms** Java property. \n \nFor example: \n**jdk.tls.disabledAlgorithms**=SSLv3, **RC4** \n \nYou will find the **java.security** file in the following folder, by platform: \nAIX Platforms: \n<Installation Manager install_dir>/eclipse/jre_<version>/jre/lib/security/ \nHP-UX Platforms: \n<Installation Manager install_dir>/eclipse/jre_<version>/jre/lib/security/ \nLinux and Solaris Platforms: \n<Installation Manager install_dir>/eclipse/jre_<version>/jre/lib/security/ \nWindows Platforms: \n<Installation Manager install_dir>\\eclipse\\jre_<version>\\jre\\lib\\security\\ \nMac OSX Platforms: \n<Installation Manager install_dir>/eclipse/jre_<version>/jre/Contents/Home/lib/security/ \n \n_IBM Packaging Utility 1.8.x work around_: \n \nTo work around the RC4 Bar Mitzvah security vulnerability in IBM Packaging Utility version 1.8.x, update the **java.security** file to add the **RC4** string to the list of disabled TLS algorithms identified by the **jdk.tls.disabledAlgorithms** Java property. \n \nFor example: \n**jdk.tls.disabledAlgorithms**=SSLv3, **RC4** \n \nYou will find the **java.security** file in the following folder, by platform: \nAIX Platforms: \n<Packaging Utility install_dir>/jre/lib/security/ \nLinux and Solaris Platforms: \n<Packaging Utility install_dir>/jre/lib/security/ \nWindows Platforms: \n<Packaging Utility install_dir>\\jre\\lib\\security\\ \nMac OSX Platforms: \n<Packaging Utility install_dir>/jre/Contents/Home/lib/security/ \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {}, "published": "2021-10-25T12:12:53", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects the IBM Installation Manager and IBM Packaging Utility (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2021-10-25T12:12:53", "id": "A89F1187EBB4D71E87F412A322E2529123CF9AAAB43003376056C4FAE55E8A3D", "href": "https://www.ibm.com/support/pages/node/262565", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:36:38", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition, Version 7 Service Refresh 8, which is used by the following IMS\u2122 Enterprise Suite components: Connect API for Java, SOAP Gateway, and Explorer for Development. This bulletin also addresses the RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS client and server vulnerability. \n \nThe Bar Mitzvah Attack exploits a previously known vulnerability in the RC4 component of the SSL/TLS communication protocols. This exploit allows the attacker to partially decrypt information sent between two computer systems across a network. 
This can be a serious security issue because RC4 reportedly protects as much as 30 percent of Internet SSL traffic and decrypted material may include passwords, credit card numbers, browser cookies, etc. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nExplorer for Development of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier.\n\nThe SOAP Gateway component of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier.\n\nConnect API for Java component of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier.\n\n## Workarounds and Mitigations\n\n1\\. Disable RC4. This can be achieved by adding RC4 to the list of disabled algorithms defined by the jdk.tls.disabledAlgorithms security property in the java.security file. \n\n2\\. Do not explicitly enable the RC4 cipher suite(s). \n\n3\\. For HttpsURLConnection, set the https.cipherSuites system property to a list that does not include RC4 cipher suites.\n\nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {}, "published": "2022-06-01T13:05:44", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IMS\u2122 Enterprise Suite: Connect API for Java, SOAP Gateway, and Explorer for Development (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2022-06-01T13:05:44", "id": "E1C25EDBD5D1F3C1DFA8BCAFA8B8963C347E1B9A63ADCFDFCD905869C3B39E93", "href": "https://www.ibm.com/support/pages/node/261065", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:50:58", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM WebSphere Application Server 8.5.5, which is shipped as a component of IBM Tivoli/Security Key Lifecycle Manager.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**_Affected Products_**| **Versions** \n---|--- \nIBM Tivoli Key Lifecycle Manager (TKLM)| 1.0.x, 2.0.0.x, 2.0.1.x \nIBM Security Key Lifecycle Manager (SKLM)| 2.5.0.x \n \n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Tivoli Key Lifecycle Manager| _1.0.0.7_| _IV72557_| [_1.0.0-TIV-TKLM-FP0007_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Tivoli+Key+Lifecycle+Manager&release=1.0.0&platform=All&function=fixId&fixids=1.0.0-TIV-TKLM-FP0007&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIBM Tivoli Key Lifecycle Manager| _2.0.0.9_| _IV72552_| [_2.0.0-ISS-TKLM-FP0009_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Tivoli+Key+Lifecycle+Manager&release=2.0.0&platform=All&function=fixId&fixids=2.0.0-ISS-TKLM-FP0009&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIBM Tivoli Key Lifecycle Manager| _2.0.1.7_| _IV72553_| [_2.0.1-ISS-TKLM-FP0007_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Tivoli+Key+Lifecycle+Manager&release=2.0.1.0&platform=All&function=fixId&fixids=2.0.1-ISS-TKLM-FP0007&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIBM Security Key Lifecycle Manager| _2.5.0.5_| _IV72549_| 
[_2.5.0-ISS-SKLM-FP0005_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Tivoli+Key+Lifecycle+Manager&release=2.5.0&platform=All&function=fixId&fixids=2.5.0-ISS-SKLM-FP0005&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nThere are multiple workaround cases:\n\n**_Case 1:_** The TKLM/SKLM configuration file has the **TransportListener.ssl.ciphersuites** property set with RC4 cipher suites. \n\n**_Workaround_**: Remove the RC4 ciphers and set only non-RC4 ciphers in this property. If the only cipher listed is an RC4 cipher and you are unsure which ciphers to use, comment out this property or set it to JSSE_ALL and follow Case 2.\n\n**_Case 2:_** The TKLM/SKLM configuration file does not have the **TransportListener.ssl.ciphersuites** property specified, or the **TransportListener.ssl.ciphersuites** property is set to a value of JSSE_ALL.\n\n**_Workaround_**: Specify this property with non-RC4 ciphers, or create a custom cipher suite group with no RC4 ciphers by logging into WebSphere Application Server. 
Users can create custom cipher suites in the WAS console UI from SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.\n\n**_Case 3:_** The TKLM/SKLM configuration file has the **TransportListener.ssl.ciphersuites** property set to cipher suites that do not include RC4 cipher suites. \n\n**_Workaround_**: Users are safe from this vulnerability and nothing needs to be done. \n\nThe TKLM/SKLM configuration file is TKLMgrConfig.properties for TKLM v1.x to v2.0.x and SKLMConfig.properties for SKLM v2.5.x.\n\nFor details, see [_http://www-01.ibm.com/support/docview.wss?uid=swg21883570_](<http://www-01.ibm.com/support/docview.wss?uid=swg21883570>)\n\nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {}, "published": "2018-06-16T21:24:03", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Tivoli/Security Key Lifecycle Manager (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T21:24:03", "id": "33FDCFA5298EFD130804981B26E90E9A0EB95D5AF55B19E3B0A1A56C7DC9D188", "href": "https://www.ibm.com/support/pages/node/263345", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:37:12", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM InfoSphere Optim Performance Manager.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Optim Performance Manager for DB2 on Linux, UNIX, and Windows version 4.1 through 4.1.1 \n \nIBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows version 5.1 through 5.3.1 \n\n## Remediation/Fixes\n\n**_OPM Version_**| **_Download URL_** \n---|--- \n4.1 - 5.1.1.1| [Replace JRE](<http://www.ibm.com/support/docview.wss?uid=swg21640535>) (V6 SR16-Fix Pack 4) \n5.2 \u2013 5.3| [Replace JRE](<http://www.ibm.com/support/docview.wss?uid=swg21640535>) (V7 SR9) \n5.3.1| [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Optim+Performance+Manager&release=5.3.1.0&platform=All&function=all>) (Interim Fix 8409) or see Workarounds and Mitigations \n \nFor OPM versions 4.1 through 5.3, you must 
replace the IBM Runtime Environment, Java\u2122 Technology Edition (JRE) that is installed with OPM, with the latest IBM Runtime Environment, Java\u2122 Technology Edition. Detailed instructions are available here: [_\u201cUpdating the IBM Runtime Environment, Java\u2122 Technology Edition for InfoSphere Optim Performance Manager\u201d_](<http://www.ibm.com/support/docview.wss?uid=swg21640535>). \n\nFor OPM version 5.3.1, installing the OPM Interim Fix changes the Java Security configuration of the web console server to disallow RC4 cipher suites for HTTPS connections (using the SSL/TLS protocol). If you are not able to install the OPM Interim Fix, follow the Workarounds and Mitigations section below. \n\n## Workarounds and Mitigations\n\nFor OPM 5.3.1, disable the RC4 cipher suite by adding \"RC4\" to the list of disabled algorithms defined by the jdk.tls.disabledAlgorithms security property in the java.security file. \n\nEdit the java.security file that is located in the InfoSphere Optim Performance Manager installation directory:\n\n`/jre/lib/security/java.security` \n \nAdd the following line and save the file: \n \n`jdk.tls.disabledAlgorithms=RC4` \n \nIf the jdk.tls.disabledAlgorithms property was already enabled (without a \"#\" character at the beginning of the line), i.e.: \n \n`jdk.tls.disabledAlgorithms=SSLv3` \n \nthen append the text _\", RC4\"_ to the end of the line and save the file. \n \n`jdk.tls.disabledAlgorithms=SSLv3, RC4` \n \nRestart the OPM Web Console server for this change to take effect. \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {}, "published": "2021-07-08T21:30:52", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM InfoSphere Optim Performance Manager (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2021-07-08T21:30:52", "id": "F02D72DEE5DE583089D60AF63C6CC0F95B683C27779E590310FE393171FB9761", "href": "https://www.ibm.com/support/pages/node/261267", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:40:09", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" attack may affect \"Extension for Terminal-based Applications\" (a.k.a FTE ) that are shipped with Rational Functional Tester.\n\n## Vulnerability Details\n\n**CVEID**: [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n \n**Description**: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. \n \nThis vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \n**CVSS Base Score**: 5 \n**CVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \n**CVSS Environmental Score***: Undefined \n**CVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Functional Tester version 8.0.0.0 and later.\n\n## Remediation/Fixes\n\n**Vendor Fixes:** \n \n\n\n**Product**| **Version**| **APAR**| **Remediation/First fix** \n---|---|---|--- \nRFT| 8.0.0.x| None| Download the [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-XNdcFmzrxPkn>) and apply it. \nRFT| 8.1.0.x and 8.1.1.x| None| Download the [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-XNdcFmzrxPkn>) and apply it. \nRFT| 8.2.0.x, 8.2.1.x, and 8.2.2.x| None| Download the [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-XNdcFmzrxPkn>) and apply it. \nRFT| 8.3.x| None| Download the [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-XNdcFmzrxPkn>) and apply it. \nRFT| 8.5.x and 8.5.1.x| None| Download the [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-XNdcFmzrxPkn>) and apply it. \nRFT| 8.6.x| None| Download the [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-XNdcFmzrxPkn>) and apply it. \nRFT| 8.6.0.x| None| Download the [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-XNdcFmzrxPkn>) and apply it. \n \nYou must verify that applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the setting, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-09-29T20:06:32", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Functional Tester's Extension for Terminal-based Applications (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-09-29T20:06:32", "id": "0ABE587D899C01C38CFC18FEE64504050E29A27D31F2123114BDF58FE58540F1", "href": "https://www.ibm.com/support/pages/node/261181", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:40:24", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM SDK for Node.js\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects IBM SDK for Node.js v1.1.0.13 and previous releases.\n\n## Remediation/Fixes\n\nThe fix for this vulnerability is included in IBM SDK for Node.js v1.1.0.14 and subsequent releases. \n \nIBM SDK for Node.js can be downloaded, subject to the terms of the developerWorks license, from [_here_](<http://www.ibm.com/developerworks/web/nodesdk/>). \n \nIBM customers requiring an update for an SDK shipped with an IBM product should contact [_IBM support_](<http://www.ibm.com/support/>), and/or refer to the appropriate product security bulletin.\n\n## ", "cvss3": {}, "published": "2018-08-09T04:20:36", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM\u00ae SDK for Node.js\u2122 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-08-09T04:20:36", "id": "78CEBDE778F45C0D956C8148A7CC8A3A3DE769FC93B79AD55671A99265734EEE", "href": "https://www.ibm.com/support/pages/node/260865", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:40:46", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects IBM Rational 
Business Developer.\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n \n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRBD version 9.1.1 and earlier\n\n## Remediation/Fixes\n\nUpgrade your SDK to the following interim fix level: \n\n**Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nRational Business Developer| v7.5.1.x, v8.0.1.x| [IBM Java Platform Standard Edition Version 6 SR16 FP3 iFix (IV70681 + IV71888)](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=All&platform=All&function=fixId&fixids=Rational-RBD-Java6SR16FP3b-ifix&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nRational Business Developer| v8.5.0, v8.5.1.x, v9.0, v9.0.1.x, v9.1.1| None \n \n## Workarounds and Mitigations\n\nIf you are using RBD v8.5.0, v8.5.1.x, v9.0, v9.0.1.x, or v9.1.1, use the following steps to remove RC4 from the list of available algorithms: \n \n1\\. Ensure the product is not running. \n \n2\\. Locate the java.security file used by the project: \n<install_root>/jdk/jre/lib/security/java.security \n \n3\\. 
Edit the java.security file with a text editor and add RC4 as one of the disabled algorithms. For example: \njdk.tls.disabledAlgorithms=SSLv3,RC4 \n \n4\\. Save the file and restart the product.\n\n## ", "cvss3": {}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Rational Business Developer (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-08-03T04:23:43", "id": "6A1B2447B148213283ED97D305A2011E0CBF947C1F684FCF29DCB3ECDA2DA458", "href": "https://www.ibm.com/support/pages/node/263689", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:39:34", "description": "## Summary\n\nThe RC4 Bar Mitzvah Attack for SSL/TLS affects IBM Netezza Platform Software. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Netezza Platform Software 7.0.4.8-P1 and earlier (all 7.0.4 releases) \nIBM Netezza Platform Software 7.0.2.16-P1 and earlier (all 7.0.2 releases) \n \n \n**Unaffected Products and Versions** \nIBM Netezza Platform Software 7.1 and later (all 7.1 releases) \nIBM Netezza Platform Software 7.2 and later (all 7.2 releases) \n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nIBM Netezza Platform Software| 7.0.2.16-P2| \n| [Link to IBM Fix Central](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/Netezza+NPS+Software+and+Clients&release=NPS_7.0.2&platform=All&function=fixId&fixids=7.0.2.16-P2-IM-Netezza-NPS-fp94703&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \nIBM Netezza Platform Software| 7.0.4.8-P2| \n| [Link to IBM Fix Central](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/Netezza+NPS+Software+and+Clients&release=NPS_7.0.4&platform=All&function=fixId&fixids=7.0.4.8-P2-IM-Netezza-NPS-fp94705&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\nFor all 7.0.0 and 6.0.8 IBM Netezza Platform Software releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2019-10-18T03:10:29", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Netezza Platform Software (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-10-18T03:10:29", "id": "E1F3D2076B9E621659558245E39C382D26F7FC3BB34480F61E4B4F78FEC4A45A", "href": "https://www.ibm.com/support/pages/node/261829", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:40:54", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Rational Developer for i, Rational Developer for AIX and Linux, and Rational Developer for Power Systems Software.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**Product Name**\n\n| **Versions Affected** \n---|--- \nRational Developer for Power Systems Software| 8.5, 8.5.1 \nRational Developer for i| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.1 \nRational Developer for AIX and Linux, AIX COBOL Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1 \nRational Developer for AIX and Linux, C/C++ Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1 \n \n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Remediation/First Fix** \n---|---|--- \nRational Developer for Power Systems Software| 8.5.1| \n\n * None. \nRational Developer for i| 9.0 through to 9.1| \n\n * For **Modernization Tools- Java Edition** using Cordova, apply [IBM SDK for Node.js 1.1.0.14](<http://www.ibm.com/developerworks/web/nodesdk/>) to the Cordova platform in the product. \n \nInstallation instructions for applying the update to the Cordova platform in the product can be found here: \n \n[Upgrading the IBM SDK for Node.js used by Cordova](<http://www.ibm.com/support/docview.wss?uid=swg21684946>) \nRational Developer for AIX and Linux| 9.0 through to 9.1| \n\n * For all versions using Cordova, apply [IBM SDK for Node.js 1.1.0.14](<http://www.ibm.com/developerworks/web/nodesdk/>) to the Cordova platform in the product. 
\n \nInstallation instructions for applying the update to the Cordova platform in the product can be found here: \n \n[Upgrading the IBM SDK for Node.js used by Cordova](<http://www.ibm.com/support/docview.wss?uid=swg21684946>) \n \n## Workarounds and Mitigations\n\nIn addition to the fixes supplied above, if you are using any of the following products: \n\n\n * Rational Developer for Power Systems Software 8.5\n * Rational Developer for i 9.0 and 9.1\n * Rational Developer for AIX and Linux 9.0 and 9.1\n \nthen the following steps can be used to remove RC4 from the list of available algorithms: \n \n1\\. Ensure the product is not running. \n \n2\\. Locate the java.security file used by the product: \n\nRational Agent Controller: _install folder_/AgentController/jre/lib/security/java.security \nRational Application Developer for WebSphere Software: _install folder_/jdk/jre/lib/security/java.security \nRational Build Utility: _install folder_/jdk/jre/lib/security/java.security \n3\\. Edit the java.security file with a text editor and locate the line: \n\njdk.tls.disabledAlgorithms=SSLv3 \n \n4\\. Add RC4 to the list of disabled algorithms. For example: jdk.tls.disabledAlgorithms=SSLv3, RC4 \n \n5\\. Save the file and restart the product. \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Developer for i, Rational Developer for AIX and Linux, and Rational Developer for Power Systems Software (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-08-03T04:23:43", "id": "EB0E4910AC8F107362FCFB92B342825670B7BE56EAB4A6B67E42EC18A46BB8D1", "href": "https://www.ibm.com/support/pages/node/261831", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:15", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Content Collector for SAP Applications.\n\n## Vulnerability Details\n\n**CVEID:**** **[**CVE-2015-2808**](<https://vulners.com/cve/CVE-2015-2808>)\n\n**DESCRIPTION:**The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/101851](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Content Collector for SAP Applications 2.2 \n\nIBM Content Collector for SAP Applications 3.0\n\nIBM Content Collector for SAP Applications 4.0\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Content Collector for SAP Applications| 2.2.0.2| HE12301| Apply JRE update JRE-6.0.16.3.IV70681+IV71888, which is available from Fix Central. \n \n**Note:** ICCSAP V2.2.0 has reached end of support, and is no longer available for download. \n \nFor IBM Content Collector for SAP Applications V3.0 and V4.0, follow the guidance in the **Workarounds and Mitigations** section below.\n\n \n \nYou should verify that applying this fix does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \nIn particular, consult the system documentation of your SAP software on how to disable the RC4 cipher there. \n\n## Workarounds and Mitigations\n\nThe simplest way to remediate this vulnerability is to configure for FIPS140-2, Suite B or SP800-131 standards because they do not use RC4 stream ciphers. 
For details about how to activate this configuration, see the topic \"Configuring Content Collector for SAP for US government security standards\" in IBM Knowledge Center: \n\n * For Content Collector for SAP V3.0: <http://www.ibm.com/support/knowledgecenter/SSRW2R_3.0.0/com.ibm.iccsap.doc/doc/s_government.dita>\n * For Content Collector for SAP V4.0: <http://www.ibm.com/support/knowledgecenter/SSRW2R_4.0.0/doc/s_government.dita>\n \nAlternatively, you can selectively disable the RC4 cipher for Java 7, which is used by IBM Content Collector for SAP Applications V3.0 and V4.0: \n\n * Edit the java.security file in <ICCSAP_HOME>/java/jre/lib/security and turn off RC4 by adding \njdk.tls.disabledAlgorithms=SSLv3,RC4 \n \nFor IBM Content Collector for SAP Applications V4.0: \n\n * If you use the bundled version of WebSphere Application Server, follow the guidance in [Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>). \n\n * If you use the bundled version of IBM\u00ae DB2\u00ae LUW, follow the guidance in [Security Bulletin: Vulnerability in RC4 stream cipher affects IBM\u00ae DB2\u00ae LUW (CVE-2015-2808)](<http://www-01.ibm.com/support/docview.wss?uid=swg21717865>). \n\n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T12:10:59", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Content Collector for SAP Applications (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T12:10:59", "id": "F4E65AC5DB3551A22803D01DA8C5EB6C6BAABCDEEB925820962D535E6FA7AA12", "href": "https://www.ibm.com/support/pages/node/262583", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:53", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects Rational Automation Framework.\n\n## Vulnerability Details\n\n**CVEID:** [**CVE-2015-2808**](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. \nThis vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \n**CVSS Base Score**: 5 \n**CVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \n**CVSS Environmental Score***: Undefined \n**CVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Automation Framework 3.0.1, 3.0.1.1, 3.0.1.2, 3.0.1.2.1, 3.0.1.3, 3.0.1.3.1 and 3.0.1.3.2 on all supported platforms.\n\n## Remediation/Fixes\n\nUpgrade to [RAF 3.0.1.3 ifix3](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Automation+Framework&release=3.0.1.3i3&platform=All&function=all>) or later. \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Automation Framework (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T05:01:50", "id": "338C66CF52C825252C99256ED6F0C09751740A5D7CB0D5B32297FE6E716F57DD", "href": "https://www.ibm.com/support/pages/node/262071", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:54", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM\u00ae SDK Java\u2122 Technology Edition, Version 6.0.16.2, that is supplied with specific versions of Rational Lifecycle Integration Adapter for HP ALM. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \n**CVSS** Base Score: 5 \n**CVSS** Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \n**CVSS** Environmental Score*: Undefined \n**CVSS** Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n\n## Affected Products and Versions\n\nIBM Rational Lifecycle Integration Adapter for HP ALM 1.1.2 and 1.1.2.1\n\n## Remediation/Fixes\n\n \nThe fix is available on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Lifecycle+Integration+Adapters+Tasktop+Edition&release=1.1.3.1&platform=All&function=fixId&fixids=Rational-RLIA_Tasktop-JavaPatch-Java60163&includeSupersedes=0>). \n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \nTo update IBM Rational Lifecycle Integration Adapter with a corrected JRE, follow the instructions below. Depending on how you deployed the products, and depending on your usage scenarios, you might need to upgrade the IBM SDK, Java Technology Edition in IBM WebSphere Application Server and Apache Tomcat. Be sure to upgrade all the components that your deployment uses. \n \n**NOTE**: IBM SDK, Java Technology Edition is only included in IBM Rational Lifecycle Integration Adapter versions 1.1.2 and 1.1.2.1. Previous versions of the Rational Lifecycle Integration Adapter Standard Edition HP Adapter were released as WAR files only. Please consult the application server documentation for updating the IBM SDK, Java Technology Edition. 
\n \n**Upgrading the JRE for a WebSphere Application Server installation** \nIf your products are deployed on WebSphere Application Server, [_Java SDK Upgrade Policy for the IBM WebSphere Application Server_](<http://www.ibm.com/support/docview.wss?uid=swg21138332>) lists IBM SDK, Java Technology Edition upgrades that are available. Also check the [_Product Security Incident Response Blog_](<https://www.ibm.com/blogs/psirt/>) for any recent security bulletins for WebSphere Application Server that may have fixpacks or interim fixes for the JRE. \n \n**Upgrading the IBM SDK, Java Technology Edition for a Tomcat installation**\n\n1\\. Stop the Rational Lifecycle Integration Adapter server. \n \n**Note**: The applications may be running in different application server instances or using a delegated converter. \n\n2\\. Go to the original installation directory, and rename the /jre folder \n \n<InstallDir>/server/jre \n \nto \n \n<InstallDir>/server/jre-Original \n \nThis ensures that the original JRE is kept as a backup in the event a restore is required. \n \nExample (Linux): \n`mv <OrigInstallDir>/server/jre <OrigInstallDir>/server/jre-Original`\n\n3\\. Extract the new JRE archive provided by support to the installation directory. \n \nExample (Linux): \n`unzip <newInstallZip> -d <InstallDir>/server/`\n\n4\\. Remove the Apache Tomcat temporary files in the following directories: \n \n`<OrigInstallDir>/server/tomcat/temp \n<OrigInstallDir>/server/tomcat/work/Catalina/localhost`\n\n5\\. 
Restart the Rational Lifecycle Integration Adapter server\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Lifecycle Integration Adapter for HP ALM (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T05:01:50", "id": "0CE78FD0AA4F9E438951AED1255152FA47A49E273E383BFE64802175FB795345", "href": "https://www.ibm.com/support/pages/node/262223", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:56", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Rational Directory Administrator.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**Product**\n\n| **Version** \n---|--- \nRational Directory Administrator | 6.0 - 6.0.0.2_iFix01 \n \n## Remediation/Fixes\n\n**Product**\n\n| **Download link** \n---|--- \nIBM Rational Directory Administrator 6.0 and above| [RDA 6.0.0.2 iFix02](<http://www-01.ibm.com/support/docview.wss?uid=swg24039789>) \n \nNOTE: You should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:46", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Directory Administrator (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T05:01:46", "id": "00A16E14D7639C8B5304A2836D463F4F99B05D32D6DC7281FABDC120AA4136A5", "href": "https://www.ibm.com/support/pages/node/261347", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:56", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Rational Performance Tester. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5.0 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nRational Performance Tester versions 8.2.*, 8.3.*, 8.5.*, 8.6.* and 8.7.\n\n## Remediation/Fixes\n\nDownload Java from one of the links below. Edit java.security and disable RC4 by adding it to the list of disabled algorithms. For example, \n\n \njdk.tls.disabledAlgorithms=SSLv3, RC4 \n\n\nFor a default installation the file java.security can be found as indicated below.\n\nWindows: C:\\Program Files\\IBM\\SDP\\jdk\\jre\\lib\\security.\n\nLinux: /opt/IBM/SDP/jdk/jre/lib/security.\n\n \n \n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nRPT| 8.7| None| Download [Java 7 SR8 FP10 +IV70681](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRPT| 8.6 - 8.6.x| None| Download [Java 7 SR8 FP10 +IV70681](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRPT| 8.5 - 8.5.x| None| Download [Java 7 SR8 FP10 +IV70681](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRPT| 8.3 -8.3.x| None| Download[ Java 7 SR8 FP10 +IV70681 
](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRPT| 8.2 - 821.x| None| Download [Java 7 SR8 FP10 +IV70681](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:49", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Performance Tester (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T05:01:49", "id": "303EF0ECC50ED23852CB44CDE2C5B9687CD44CD10B3AECBD882DD8AF16627BA6", "href": "https://www.ibm.com/support/pages/node/261913", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:57", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Rational Directory Server and Administrator.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. 
An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**Product**\n\n| **Version** \n---|--- \nRational Directory Server (Tivoli) | 5.2 - 5.2.1_iFix006 \nRational Directory Server (Apache)| 5.1.1 - 5.1.1.2_iFix007 \n \n## Remediation/Fixes\n\n**Product**| **Download link** \n---|--- \nIBM Rational Directory Server 5.2 (Tivoli) and above| [RDS 5.2.1 iFix07](<http://www-01.ibm.com/support/docview.wss?uid=swg24039818>) \nIBM Rational Directory Server 5.1.1 (Apache) and above| [RDS 5.1.1.2 iFix08](<http://www-01.ibm.com/support/docview.wss?uid=swg24039817>) \n \nNOTE: You should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \n_For Rational Directory Server and Administrator versions prior to 5.2 (Tivoli) and 5.1.1 (Apache), IBM recommends upgrading to a supported version of the product._\n\n## Workarounds and Mitigations\n\nFor IBM Tivoli Directory Server, certain configuration changes are required to mitigate this issue. \n \n1\\. Go to the **tdsadmin** Instance folder \n\n\na. 
For Windows-based systems: go to the folder `C:\\idsslapd-tdsadmin\\etc` \n \nb. For UNIX-based systems: go to the folder `<RDS Install Location>/Instance/idsslapd-tdsadmin/etc` \n2\\. Take a backup of the file **ibmslapd.conf** \n \n3\\. Open the file for editing. \n \n4\\. Search for **ibm-slapdSslCipherSpec** \n \n5\\. Under this attribute, comment out all cipher entries that start with RC4. Your **ibmslapd.conf** should then look like this: \n\n\n`#ibm-slapdSslCipherSpec: RC4-128-MD5`\n\n`#ibm-slapdSslCipherSpec: RC4-128-SHA`\n\n`ibm-slapdSslCipherSpec: AES`\n\n`ibm-slapdSslCipherSpec: AES-128`\n\n`ibm-slapdSslCipherSpec: TripleDES-168`\n\n`ibm-slapdSslCipherSpec: DES-56`\n\n`#ibm-slapdSslCipherSpec: RC4-40-MD5`\n\n`#ibm-slapdSslCipherSpec: RC2-40-MD5`\n\n \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:46", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Directory Server (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T05:01:46", "id": "39260C4459A850B23421A419691F8C7107560E2D42FA5FC92CB5EC47066032C6", "href": "https://www.ibm.com/support/pages/node/261349", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:58", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Build Forge.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nBuildForge Versions: 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3, 7.1.3, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.3.5, 7.1.3.6, 8.0, 8.0.0.1, 8.0.0.2.\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\n**Use the following configuration to disable RC4.**\n\n**Apache:** Configure ssl.conf under buildforge_installpath/server/apache/conf/ssl/ssl.conf\n\n \nAdd **!RC4** to the cipher list to disable RC4 and remove any entries that explicitly enable it (such as RC4+RSA), for example: \n\nold \n\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLV3:!EXPORT\n\nnew\n\nSSLCipherSuite ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLV3:!EXPORT\n\n**Update Bfclient.conf: change the cipher group lines as follows**\n\n# OpenSSL configuration \nbf_ssl_cipher_group=ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLV3:!EXPORT\n\n \n# JSSE configuration \nbf_ssl_cipher_group=ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLV3:!EXPORT \n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:40", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Build Forge (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T05:01:40", "id": "655AA9588C05E45EDBF47B61DB21BD026125DDFFD69D2C70BD1C5AF2170BF2DF", "href": 
"https://www.ibm.com/support/pages/node/260627", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:50:48", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects MegaRAID Storage Manager. MegaRAID Storage Manager has addressed the vulnerability.\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects MegaRAID Storage Manager. MegaRAID Storage Manager has addressed the vulnerability.\n\n**Vulnerability Details:**\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack.\"\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nProduct | Affected Version \n---|--- \nMegaRAID Storage Manager | 15.03.01.00 \n \n## Remediation/Fixes:\n\nIt is recommended to update to the firmware level listed below, or a later version. Firmware updates are available through IBM Fix Central: <http://www.ibm.com/support/fixcentral/>.\n\nProduct | Fixed Version \n---|--- \nMegaRAID Storage Manager \nibm_utl_msm_15.05.01.51_linux_32-64 \nibm_utl_msm_15.05.01.51_windows_32-64 | 15.05.01.51 \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. 
If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations:\n\nNone.\n\n## References:\n\n * [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide.html>)\n * [On-line Calculator v2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n22 March 2016: Original version published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T02:25:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects MegaRAID Storage Manager (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T02:25:02", "id": "86D995E73BA4BDC3330D3CB68C5C2C56FC15C38B79FB0E59DD5BC66B83F871EC", "href": "https://www.ibm.com/support/pages/node/868396", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:50:58", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah Attack\" for SSL/TLS affects IBM BladeCenter S SAS RAID Module Firmware.\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 \"Bar Mitzvah Attack\" for SSL/TLS affects IBM BladeCenter S SAS RAID Module Firmware.\n\n**Vulnerability Details:**\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to obtain sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack.\"\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nProduct | Affected Version \n---|--- \nIBM BladeCenter S SAS RAID Module Firmware | 1.0.0 - 1.3.3 \n \n## Remediation/Fixes:\n\nFirmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/>.\n\nYou should verify applying this fix does not cause any compatibility issues.\n\nProduct | Fixed Version \n---|--- \nIBM BladeCenter S SAS RAID Module Firmware \nWindows: ibm_fw_bcsw_s0cl-1.3.4.012_windows_noarch \nLinux: ibm_fw_bcsw_s0cl-1.3.4.012_linux_noarch | 1.3.4.012 | \n \n## Workarounds and Mitigations:\n\nNone.\n\n## References:\n\n * [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide.html>)\n * [On-line Calculator v2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n19 January 2016: Original version published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T02:25:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM BladeCenter S SAS RAID Module Firmware (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T02:25:02", "id": "9AC0D44462568B3C1D2B49E169E36F5F0CCF3B057CB532A9784D6557E8A7E0A1", "href": "https://www.ibm.com/support/pages/node/868436", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:02", "description": "## Summary\n\nThe RC4 Bar Mitzvah Attack for SSL/TLS affects IBM Flex System Manager (FSM).\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 Bar Mitzvah Attack for SSL/TLS affects IBM Flex System Manager (FSM).\n\n**Vulnerability Details:**\n\n**CVE-ID:** 
[CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to obtain sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack.\"\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected products and versions\n\n * Flex System Manager 1.1.x.x\n * Flex System Manager 1.2.0.x\n * Flex System Manager 1.2.1.x\n * Flex System Manager 1.3.0.x\n * Flex System Manager 1.3.1.x\n * Flex System Manager 1.3.2.x\n * Flex System Manager 1.3.3.x\n * Flex System Manager 1.3.4.x\n\n## Remediation/Fixes:\n\nProduct | VRMF | APAR | SMIA Remediation \n---|---|---|--- \nFlex System Manager | 1.3.4.x | IT09493 | Navigate to the [Support Portal](<https://www.ibm.com/support/entry/portal/support/>) and search for technote [ 761981453](<http://www-01.ibm.com/support/docview.wss?uid=nas777e5323a516f40f286257f03006ae4b5>) for instructions on installing updates for the FSM and Agents. \nFlex System Manager | 1.3.3.x | IT09493 | Verify that [ IT05161](<https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098586>) (POODLE) remediation has been completed, then install [ fsmfix1.3.3.0_IT09493](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.3.0_IT09493>). \nInstructions for verifying installation of IT05161 can be found [ here](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=nas724cb521f58c4126286257dfd005c1958>). 
\nFlex System Manager | 1.3.2.x | IT09493 | Verify that [ IT05161](<https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098586>) (POODLE) remediation has been completed, then install [ fsmfix1.3.2.0_IT09493](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.2.0_IT09493>). \nInstructions for verifying installation of IT05161 can be found [ here](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=nas724cb521f58c4126286257dfd005c1958>). \nFlex System Manager | 1.3.1.x | IT09493 | IBM is no longer providing code updates for this release. Upgrade to [ FSM 1.3.4.0](<http://www.ibm.com/support/fixcentral/systemx/quickorder?parent=Flex+System+Manager+Node&product=ibm/systemx/7955&&platform=All&function=fixId&fixids=FSMApplianceUpdate-1-3-3&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) and follow the appropriate remediation for all vulnerabilities. \nFlex System Manager | 1.3.0.x | IT09493 | IBM is no longer providing code updates for this release. Upgrade to [ FSM 1.3.4.0](<http://www.ibm.com/support/fixcentral/systemx/quickorder?parent=Flex+System+Manager+Node&product=ibm/systemx/7955&&platform=All&function=fixId&fixids=FSMApplianceUpdate-1-3-3&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) and follow the appropriate remediation for all vulnerabilities. \nFlex System Manager | 1.2.x.x | IT09493 | IBM is no longer providing code updates for this release. Upgrade to [ FSM 1.3.4.0](<http://www.ibm.com/support/fixcentral/systemx/quickorder?parent=Flex+System+Manager+Node&product=ibm/systemx/7955&&platform=All&function=fixId&fixids=FSMApplianceUpdate-1-3-3&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) and follow the appropriate remediation for all vulnerabilities. \nFlex System Manager | 1.1.x.x | IT09493 | Effective April 30, 2015, IBM has discontinued service for these version/release/modification/fix levels. 
\n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations:\n\nNone\n\n## References:\n\n * [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide.html>)\n * [On-line Calculator v2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n30 September 2015: Original Version Published \n02 December 2015: Added Remediations for 1.3.4\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T02:10:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Flex System Manager (FSM) (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T02:10:01", "id": "BBB45447303903C342A10E3A8B39D810E495D6F7779D3396B27EF80B8C84CEA8", "href": "https://www.ibm.com/support/pages/node/867936", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:03", "description": "## Summary\n\nThe RC4 Bar Mitzvah Attack for SSL/TLS affects IBM Systems Director Storage Control.\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 Bar Mitzvah Attack for SSL/TLS affects IBM Systems Director Storage Control.\n\n**Vulnerability Details:**\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack.\"\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n## Affected products and versions\n\nFrom the IBM System Director command line enter smcli lsver to determine the level of IBM Systems Director installed.\n\nAffected Product and Version(s) | Product and Version shipped as a component \n---|--- \nIBM Systems Director Storage Control 4.2.1.0 | IBM Systems Director 6.2.1.0 \nIBM Systems Director Storage Control 4.2.1.0 | IBM Systems Director 6.2.1.2 \nIBM Systems Director Storage Control 4.2.1.1 | IBM Systems Director 6.3.0.0 \nIBM Systems Director Storage Control 4.2.2.0 | IBM Systems Director 6.3.1.0 \nIBM Systems Director Storage Control 4.2.2.1 | IBM Systems Director 6.3.1.1 \nIBM Systems Director Storage Control 4.2.3.0 | IBM Systems Director 6.3.2.0 \nIBM Systems Director Storage Control 4.2.3.1 | IBM Systems Director 6.3.2.1 \nIBM Systems Director Storage Control 4.2.3.2 | IBM Systems Director 6.3.2.2 \nIBM Systems Director Storage Control 4.2.4.0 | IBM Systems Director 6.3.3.0 \nIBM Systems Director Storage Control 4.2.4.1 | IBM Systems Director 6.3.3.1 \nIBM Systems Director Storage Control 4.2.6.0 | IBM Systems Director 6.3.5.0 \nIBM Systems Director Storage Control 4.2.7.0 | IBM Systems Director 6.3.6.0 \n \n## Remediation/Fixes:\n\nFollow the instructions mentioned under <http://www-947.ibm.com/support/entry/portal/support/> and search for Tech note 746690234 to apply the fix.\n\n## Workarounds and Mitigations:\n\nNone\n\n## References:\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** 
\n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n29 June 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T02:10:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Systems Director Storage Control (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T02:10:01", "id": "4735C8E6304811CA2B3351582F67C39E1B9E5F73904FCAFBACB30E3F11E60CDC", "href": "https://www.ibm.com/support/pages/node/867532", 
"cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:04", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects IBM Flex System Chassis Management Module.\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects IBM Flex System Chassis Management Module.\n\n**Vulnerability Details:**\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to obtain sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack.\"\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nProduct | Affected Version \n---|--- \nIBM Flex System Chassis Management Module (CMM) | 2PET12U - 2.5.3 \n \n## Remediation/Fixes:\n\nFirmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/>\n\nYou should verify applying the fix does not cause any compatibility issues.\n\nProduct | Fixed Version \n---|--- \nIBM Flex System Chassis Management Module (CMM) | 2PET12W - 2.5.4 \n \n## Workarounds and Mitigations:\n\nNone.\n\n## References:\n\n * [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide.html>)\n * [On-line Calculator v2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) 
\n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n23 November 2015: Original version published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T02:10:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Flex System Chassis Management Module (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T02:10:01", "id": "EA15F4B5EA3E1517D0BE7109420B23E06AAA47A4D13175A44ECF222719F99F39", "href": "https://www.ibm.com/support/pages/node/868154", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:14", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for 
SSL/TLS affects IBM Fabric Manager.\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected products and versions\n\n * IBM Fabric Manager 4.1.00.24 and prior versions.\n\n## Remediation/Fixes:\n\nIBM recommends updating to version 4.1.02.0031 or later. Firmware updates are available through IBM Fix Central at <http://www.ibm.com/support/fixcentral/>.\n\nYou should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations:\n\nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\nThe use of RC4 by IFM can be avoided by disabling RC4 in your web browser and on any CMM, AMM, IMM1, and IMM2 managed by IFM.\n\n## References:\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n06 May 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Fabric Manager (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T01:55:01", "id": "529213275AB0084481F4027FC9CD99DBED29847032C18D70158670101E71F495", "href": "https://www.ibm.com/support/pages/node/866740", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:14", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects IBM System Networking RackSwitch.\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects IBM System Networking RackSwitch.\n\n**Vulnerability Details**\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected products and versions\n\nProduct | Version \n---|--- \nIBM System Networking RackSwitch G8124-E | Prior to 7.9.13.0 \nIBM System Networking RackSwitch G8264 | Prior to 7.9.13.0 \nIBM System Networking RackSwitch G8264-T | Prior to 7.9.13.0 \nIBM System Networking RackSwitch G8332 | Prior to 7.7.19.0 \nIBM System Networking RackSwitch G8316 | Prior to 7.9.13.0 \nIBM System Networking RackSwitch G8000 | Prior to 7.1.9.0 \n \nRefer also to the Flash (Alert) \"The following IBM Systems products are not affected by the vulnerability in RC4 stream cipher (CVE-2015-2808)\" in Related Information.\n\n## Remediation/Fixes\n\nFirmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/>.\n\nYou should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\nProduct | Fix Version \n---|--- \nIBM System Networking RackSwitch G8124-E | 7.9.13.0 \nIBM System Networking RackSwitch G8264 | 7.9.13.0 \nIBM System Networking RackSwitch G8264-T | 7.9.13.0 \nIBM System Networking RackSwitch G8332 | 7.7.19.0 \nIBM System Networking RackSwitch G8316 | 7.9.13.0 \nIBM System Networking RackSwitch G8000 | 7.1.9.0 \n \n## Workarounds and Mitigations\n\nNone.\n\n## Reference\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information** \n[FLASH (Alert) IBM Systems products not affected by RC4 stream cipher](<http://www-01.ibm.com/support/docview.wss?uid=isg3T1022180>) \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n09 June 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM System Networking RackSwitch (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T01:55:01", "id": "13082A17C05F943A7E41222B89472F369AE63DF75081D66F2264C638D9916E28", "href": "https://www.ibm.com/support/pages/node/867354", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:16", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects Integrated Management Module 2 (IMM2).\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects Integrated Management Module 2 (IMM2).\n\n**Vulnerability Details**\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to obtain sensitive information.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected products and versions\n\nAll IMM2 firmware releases prior to v4.90 for these systems:\n\n * System x3100 M4, type 2582\n * System x3100 M5, type 5457\n * System x3250 M4, type 2583\n * System x3250 M5, type 5458\n * System x3300 M4, type 7382\n * System x3500 M4, type 7383\n * System x3530 M4, type 7160\n * System x3550 M4, type 7914\n * System x3630 M4, type 7158\n * System x3650 M4 BD, type 5466\n * System x3650 M4 HD, type 5460\n * System x3650 M4, type 7915\n * System x3750 M4, types 8752, 8718\n * System x3750 M4, types 8722, 8733\n * System x3850 X6, Type 3837\n * System x3950 X6, Type 3837\n * iDataPlex dx360 M4, types 7912, 7913\n * iDataPlex dx360 M4 Water Cooled, types 7918, 7919\n * NeXtScale nx360 M4, type 5455\n * Flex System x220 Compute Node, types 7906, 2585\n * Flex System x222 Compute Node, type 7916\n * Flex System x240 Compute Node, types 8737, 8738, 7863, 8956\n * Flex System x440 Compute Node, type 7917\n * Flex System x880 Compute Node, types 4259,7903\n * Flex System Manager Node, types 8731, 8734, 7955\n\n## Remediation/Fixes\n\nFirmware updates are available at IBM Fix Central: <http://www.ibm.com/support/fixcentral/>.\n\nIt is recommended to update the following affected systems to Integrated Management Module 2 v4.97 (1AOO66M) or above:\n\n * System x3100 M4, type 2582\n * System x3100 M5, type 5457\n * System x3250 M4, type 2583\n * System x3250 M5, type 5458\n * System x3300 M4, type 7382\n * System x3500 M4, type 7383\n * System x3530 M4, type 7160\n * System x3550 M4, type 7914\n * System x3630 M4, type 7158\n * System x3650 M4 BD, type 5466\n * System x3650 M4 HD, type 5460\n * System x3650 M4, type 7915\n * System x3750 M4, types 
8752, 8718\n * System x3750 M4, types 8722, 8733\n * System x3850 X6, Type 3837\n * System x3950 X6, Type 3837\n * iDataPlex dx360 M4, types 7912, 7913\n * iDataPlex dx360 M4 Water Cooled, types 7918, 7919\n * NeXtScale nx360 M4, type 5455\n\nIt is recommended to update the following affected systems to Integrated Management Module 2 v4.90 (1AOO66O) or above:\n\n * Flex System x220 Compute Node, types 7906, 2585\n * Flex System x222 Compute Node, type 7916\n * Flex System x240 Compute Node, types 8737, 8738, 7863, 8956\n * Flex System x440 Compute Node, type 7917\n * Flex System x880 Compute Node, types 4259, 7903\n * Flex System Manager Node, types 8731, 8734, 7955\n\nYou should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nPlace the IMM2 into NIST SP 800-131A crypto mode to disable all RC4-based ciphers.\n\nFor standalone systems, the IMM2 can be put into NIST SP 800-131A mode using the CLI or the web interface:\n\n 1. IMM CLI: \nsystem> cryptomode -set NIST\n 2. IMM Web: Navigate to \"IMM Management\" -> \"Security\" -> \"Cryptography Management\", choose \"NIST SP 800-131A Compliance Mode\" and click Apply\n\nFor Flex systems, NIST SP 800-131A mode is configured in the CMM.\n\nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Reference\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n17 April 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Integrated Management Module 2 (IMM2) (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T01:55:01", "id": "3CA859EBF8BCF3A4B3213DE2269D57C7107B791A6068854FB3FA0849F01DF648", "href": "https://www.ibm.com/support/pages/node/867170", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:20", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects Flex System Chassis Management Module (CMM).\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects Flex System Chassis Management Module (CMM).\n\n**Vulnerability Details:**\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected products and versions\n\n * 2PET10A\n * 2PET10B\n * 2PET10C\n * 2PET10D\n * 2PET10E\n * 2PET10F\n * 2PET10G\n * 2PET10H\n * 2PET10I\n * 2PET10K\n * 2PET10M\n * 2PET10P\n * 2PET10Q\n * 2PET12D\n * 2PET12E\n * 2PEO12E\n * 2PET12F\n * 2PET12G\n * 2PET12H\n * 2PET12I\n * 2PEO12I\n * 2PET12K\n * 2PEO12O\n * 2PET12O\n * 2PETE6L\n * 2PET12P\n * 2PEO12P\n * 2PET12R\n * 2PEO12R\n * 2PETE5O\n\n## Remediation/Fixes:\n\nNone\n\n## Workarounds and Mitigations:\n\nTo disable RC4 in the chassis, put CMM into the TLS 1.2 mode or NIST 800-131A mode:\n\nFrom Web: \n[ http://pic.dhe.ibm.com/infocenter/flexsys/information/topic/com.ibm.acc.cmm.doc/cmm_ui_configure_NIST_compliance.html](<http://pic.dhe.ibm.com/infocenter/flexsys/information/topic/com.ibm.acc.cmm.doc/cmm_ui_configure_NIST_compliance.html>)\n\nFrom CLI: \n[ http://pic.dhe.ibm.com/infocenter/flexsys/information/topic/com.ibm.acc.cmm.doc/cli_command_crypto.html](<http://pic.dhe.ibm.com/infocenter/flexsys/information/topic/com.ibm.acc.cmm.doc/cli_command_crypto.html>)\n\nNote: The steps above will also change the configuration of any IMM2 or FSP in the chassis to TLS 1.2 mode or NIST 800-131A mode.\n\n## References:\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n28 April 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific 
and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Flex System Chassis Management Module (CMM) (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T01:55:01", "id": "AF02761E74AD07AEA127ACA8B498561189AC8DCD6872AC805154474D6CE7B6E0", "href": "https://www.ibm.com/support/pages/node/866686", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:28", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware.\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS 
affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware.\n\n**Vulnerability Details**\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected products and versions\n\nIBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware versions 9.1.0.xx, 9.1.1.xx, 9.1.2.xx, and 9.1.3.xx.\n\n## Remediation/Fixes\n\nFirmware updates are available at IBM Fix Central: <http://www.ibm.com/support/fixcentral/>.\n\nIt is recommended to apply the following fix for IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware: qlgc_fw_flex_9.1.5.03.00_anyos_noarch version 9.1.5.03.00 (or a later version).\n\n## Workarounds and Mitigations\n\nNone.\n\n## Reference\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n[Subscribe to Security Bulletins](<http://www.ibm.com/support/mynotifications/>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n05 May 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and 
will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware. (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T01:55:01", "id": "AEA9186AAE3F26B06583CD167C84248C6540B24189EEC7058E5A70A44891CC48", "href": "https://www.ibm.com/support/pages/node/867376", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:55:53", "description": "## Summary\n\nA weak cipher is available for TLS and SSL connections used by IBM API Connect.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** 
\nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM API Connect V5.0.0.0 - V5.0.6.1\n\n## Remediation/Fixes\n\nThe issue is resolved by APAR LI79525 in IBM API Connect [V5.0.6.2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.6.2&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:07:35", "type": "ibm", "title": "Security Bulletin: Weak Cipher available in IBM API Connect (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:07:35", "id": "834DC5A8449DFEED5F26C4B6BC084254D5384FAE17158CC4D42A9531AD284C66", "href": "https://www.ibm.com/support/pages/node/561383", "cvss": {"score": 5.0, 
"vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:49:06", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects TXSeries for Multiplatforms.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nTXSeries for Multiplatforms V7.1, V8.1 and V 8.2\n\n## Remediation/Fixes\n\n \nDownload the respective APAR from IBM Fix Central based on the TXSeries for Multiplatforms version that you have installed. \n \n\n\nTXSeries for Multiplatforms Version | APAR \n---|--- \n7.1| IV73492 \n8.1 | IV73594 \n8.2| IV73500 \n \n## Workarounds and Mitigations\n\nTXSeries for Multiplatforms provides an optional configurable capability to enable SSL for its IPIC communication protocol. RC4 stream cipher is enabled in the default configuration. \n\nTXSeries V7.1.0.4 or higher will support disabling RC4 when it is configured with GSKit version 8.x. The instructions below provide guidance to disable RC4 stream cipher.\n\n \n\n\n**_TXSeries for Multiplatforms V7.1_**\n\nIf you are on TXSeries for Multiplatforms V7.1, you need to upgrade to Fixpack 4 or higher. 
Lower fix pack levels do not support disabling RC4.\n\nSteps to disable RC4 (TXSeries V7.1.0.4 or higher)\n\n1\\. Stop the TXSeries region.\n\n2\\. If you have not configured your region to use GSKit version 8.x, set the following variable in the region\u2019s environment file: CICS_GSKIT_VERSION=8\n\nIf your region is already configured with GSKit version 8.x, go to step 3.\n\n(By default, TXSeries 7.1 supports GSKit version 7.x. Refer to the TXSeries infocenter for further configuration details.)\n\n3\\. Set the following environment variable in the region\u2019s environment file: CICS_SP800_131MODE=\"SP800_131MODE\". This enables SSL FIPS processing mode, which in turn disables the RC4 stream cipher. \n\n4\\. Restart the TXSeries region.\n\n**_TXSeries for Multiplatforms V8.1 and V8.2_**\n\nSteps to disable RC4 (TXSeries V8.1.0.0 or higher)\n\n1\\. Stop the TXSeries region. \n\n2\\. Set the following environment variable in the region\u2019s environment file: \n\nCICS_SP800_131MODE=\"SP800_131MODE\". This enables FIPS processing mode, which in turn disables the RC4 stream cipher.\n\n3\\. Restart the TXSeries region.\n\nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects TXSeries for Multiplatforms. 
(CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-08-03T04:23:43", "id": "425D172129BCAE4456CF300C4333C895F0E829F96F33151F464CF26A70D2C2D8", "href": "https://www.ibm.com/support/pages/node/710397", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:33", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects IBM ToolsCenter.\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects IBM ToolsCenter.\n\n**Vulnerability Details:**\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected products and versions\n\n * All ToolsCenter v9.xx releases\n\n## Remediation/Fixes:\n\nNone\n\n## Workaround(s) & Mitigation(s):\n\nDisable RC4 in the settings of the target managed endpoints (CMM or IMM).\n\nYou should verify that applying the configuration changes does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:45:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM ToolsCenter (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T01:45:01", "id": "C9B40655AE15CEBCF1084DE4473987D1F9C8D3CC052CA001CC3099FA7BAA1D2F", "href": "https://www.ibm.com/support/pages/node/866624", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:36", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects IBM BladeCenter Advanced Management Module.\n\n## 
Vulnerability Details\n\n## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects IBM BladeCenter Advanced Management Module.\n\n**Vulnerability Details:**\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/101851> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected products and versions\n\nIBM BladeCenter Advanced Management Module Firmware versions v3.66K (BPET66K, BBET66K, BPEO66K) and previous versions are affected.\n\nThis applies to the following hardware products:\n\n * BladeCenter Advanced Management Module, Option 25R5778\n * BladeCenter T Advanced Management Module, Option 32R0835\n * IBM BladeCenter(TM)-E: Type 1881, 7967, 8677\n * IBM BladeCenter(TM)-H: Types 1886, 7989, 8852\n * IBM BladeCenter(TM)-HT: Types 8740, 8750\n * IBM BladeCenter(TM)-S: Types 1948, 7779, 8886\n * IBM BladeCenter(TM)-T: Types 8720, 8730\n\n## Remediation/Fixes:\n\nYou should verify applying this fix does not cause any compatibility issues.\n\nFix Central: <http://www-933.ibm.com/support/fixcentral/>\n\nProduct | Version \n---|--- \nBladeCenter Advanced Management Module \u2014 IBM BladeCenter T Chassis | Update to v3.66N (BBET66N) \nBladeCenter Advanced Management Module \u2014 BladeCenter OEM Chassis | Update to v3.66N (BPEO66N) \nBladeCenter Advanced Management Module \u2014 All other IBM BladeCenter Chassis | Update to 
v3.66N (BPET66N) \n \n## Workaround(s) & Mitigation(s):\n\nNone\n\n## References:\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n * [OpenSSL Project vulnerability website](<http://www.openssl.org/news/vulnerabilities.html>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n30 April 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:45:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM BladeCenter Advanced Management Module (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T01:45:01", "id": "8198E97AE083DDBA31003F2C6968297427DF569497350A3FFEB888A4B0C4EC48", "href": "https://www.ibm.com/support/pages/node/866560", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:38", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects System x IMM.\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects System x IMM.\n\n**Vulnerability Details**\n\n**CVE-ID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)\n\n**Description:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/101851> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected products and versions\n\nThe following IMM code levels may exhibit this issue:\n\n * All versions 1.00 to 1.47\n\nThe following platforms may be affected:\n\n * System x3500 M2, Type 7839, any model\n * System x3500 M3, Type 7380, any model\n * System x3550 M2, Type 4198, any model\n * System x3550 M2, Type 7946, any model\n * System x3550 M3, Type 4254, any model\n * System x3550 M3, Type 7944, any model\n * System x3630 M3, Type 7377, any model\n * System x3650 M2, Type 4199, any model\n * System x3650 M2, Type 7947, any model\n * System x3650 M3, Type 4255, any model\n * System x3650 M3, Type 5454, any model\n * System x3650 M3, Type 7945, any model\n * System x3690 X5, Type 7147, any model\n * System x3690 X5, Type 7148, any model\n * System x3690 X5, Type 7149, any model\n * System x3690 X5, Type 7192, any model\n * System x3850 X5, Type 7143, any model\n * System x3850 X5, Type 7145, any model\n * System x3850 X5, Type 7146, any model\n * System x3850 X5, Type 7191, any model\n * System x3950 X5, Type 7143, any model\n * System x3950 X5, Type 7145, any model\n * System x iDataPlex dx360 M2, Types 6380, any model\n * System x iDataPlex dx360 M2, Types 7321, any model\n * System x iDataPlex dx360 M2, Types 7323, any model\n * System x iDataPlex dx360 M3, Types 6391, any model\n\n## Remediation/Fixes\n\nIt is recommended to update IMM to version 1.48 YUOOG8C or later. 
Firmware updates are available through IBM Fix Central: <http://www.ibm.com/support/fixcentral/>.\n\nIn addition to updating to the recommended firmware version, the following configuration change is required using one of the two options described below:\n\n> Through the IMM Web interface, on the IMM Security page, select \"High Security Mode\" in the \"Cryptography Management\" section.\n> \n> -OR-\n> \n> Use the following ASU command: asu set imm.ssl_cipher \"high security mode\"\n\nAfter the configuration change, restart the IMM for the configuration to take effect.\n\nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:45:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects System x Integrated Management Module (IMM) (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T01:45:01", "id": "4AE3E3EEA80FE70FD2BEFA58D839E4D034ECF8EEB7C9EB560442080C6A363A28", "href": "https://www.ibm.com/support/pages/node/866606", "cvss": {"score": 5.0, 
"vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:39:04", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Rational Application Developer for WebSphere Software.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Application Developer 9.1.1 and earlier\n\n## Remediation/Fixes\n\nUpdate the Java Development Kit of the product to address this vulnerability: \n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nRational Application Developer| 8.0| PI38888| \n\n * Apply [IBM SDK Java Technology Edition Critical Patch Update - \"RC4 Bar Mitzvah Attack for SSL/TLS\"](<http://www.ibm.com/support/docview.wss?uid=swg24039857>) \nRational Application Developer| 8.5 through 9.1.1| PI38888| \n\n * For all versions, apply [IBM SDK Java Technology Edition Critical Patch Update - April 2015, RC4 Bar Mitzvah Attack for SSL/TLS, and Logjam vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg24040408>).\n * For WebSphere Application Server, see [Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server 
(CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21701503>) \nRational Application Developer| 9.1 through to 9.1.1| PI38888| \n\n * For all versions, apply [IBM SDK Java Technology Edition Critical Patch Update - April 2015, RC4 Bar Mitzvah Attack for SSL/TLS, and Logjam vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg24040408>).\n * For Cordova, Apply [IBM SDK for Node.js 1.1.0.14](<http://www.ibm.com/developerworks/web/nodesdk/>) to the Cordova platform in the product. \n \nInstallation instructions for applying the update to the Cordova platform in the product can be found here: \n \n[Upgrading the IBM SDK for Node.js used by Cordova](<http://www.ibm.com/support/docview.wss?uid=swg21684946>) \nRational Build Utility| 8.0| PI38888| \n\n * Apply [IBM SDK Java Technology Edition Critical Patch Update - \"RC4 Bar Mitzvah Attack for SSL/TLS\"](<http://www.ibm.com/support/docview.wss?uid=swg24039857>) \nRational Build Utility| 8.5 through to 9.1.1| PI38888| \n\n * For use on Windows or Linux: apply [IBM SDK Java Technology Edition Critical Patch Update - April 2015, RC4 Bar Mitzvah Attack for SSL/TLS, and Logjam vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg24040408>).\n * For use on System z:\n * Version 8.5, 9.0 and 9.1: Apply the latest [Java Technology Edition, V7.0.0](<http://www-03.ibm.com/systems/z/os/zos/tools/java/>). \nRational Agent Controller| 7.0 through to 9.1.1| PI38888| \n\n * Apply [Rational Agent Controller FixPack 2 (9.1.1.2) for 9.1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg24040414>) \n \n## Workarounds and Mitigations\n\nIf you are using any of the following products: \n\n\n * Rational Agent Controller versions 8.3.5, 8.3.6, 9.0, 9.1\n * Rational Application Developer for WebSphere Software versions 8.5, 9.0, and 9.1\n * Rational Build Utility versions 8.5, 9.0, and 9.1\n \nthen the following steps can be used to remove RC4 from the list of available algorithms: \n \n1\\. 
Ensure the product is not running. \n \n2\\. Locate the java.security file used by the product: \n\n\nRational Agent Controller: _install folder_/AgentController/jre/lib/security/java.security \nRational Application Developer for WebSphere Software: _install folder_/jdk/jre/lib/security/java.security \nRational Build Utility: _install folder_/jdk/jre/lib/security/java.security \n3\\. Edit the java.security file with a text editor and locate the line: \n\n\njdk.tls.disabledAlgorithms=SSLv3 \n \n4\\. Add RC4 to the list of disabled algorithms; For example: \n\n\njdk.tls.disabledAlgorithms=SSLv3, RC4 \n \n5\\. Save the file and restart the product. \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2020-02-05T00:09:48", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Application Developer for WebSphere Software (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2020-02-05T00:09:48", "id": "B337019A876E3EE0E7052D2F918C3C08F3161254BAE357DA67B570E349570C0D", "href": "https://www.ibm.com/support/pages/node/261219", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:11", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Data Server Manager. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Data Server Manager Base Edition V1.1.0.0 \n\nIBM Data Server Manager Enterprise Edition V1.1.0.0\n\n## Remediation/Fixes\n\n**Version**| **Remediation/First Fix** \n---|--- \nV1.1.0.0| [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/Data+Server+Manager&release=1.1.0.0&platform=All&function=all>) (Interim Fix 1715) or see Workarounds and Mitigations below. \n \n## Workarounds and Mitigations\n\nDisable the RC4 cipher suite by adding \"RC4\" to the list of disabled algorithms defined by the jdk.tls.disabledAlgorithms security property in the java.security file. \n \nEdit the java.security file that is located in the IBM Data Server Manager installation directory: \n \n`/java/jre/lib/security/java.security` \n \nAdd the following line and save the file: \n \n`jdk.tls.disabledAlgorithms=RC4` \n \nIf the jdk.tls.disabledAlgorithms property was already enabled (without a \"#\" character at the beginning of the line), i.e.: \n \n`jdk.tls.disabledAlgorithms=SSLv3` \n \nthen append the text _\", RC4\"_ to the end of the line and save the file: \n \n`jdk.tls.disabledAlgorithms=SSLv3, RC4` \n \nRestart the DSM Web Console server for this change to take effect. \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {}, "published": "2018-06-16T13:10:37", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Data Server Manager (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T13:10:37", "id": "CA367890F60839B8FD6EBF2BA5CFCE86D86E7769E0EBE3BDBB16CD188DB19396", "href": "https://www.ibm.com/support/pages/node/261311", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:12", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects various Optim data server tools desktop products.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Data Studio client 4.1.1 and earlier \n\nIBM InfoSphere Optim Query Workload Tuner for DB2 for LUW 4.1.1 and earlier\n\nIBM InfoSphere Optim Query Workload Tuner for DB2 for z/OS 4.1.1 and earlier\n\nInfoSphere Data Architect 9.1.2 and earlier\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of the Optim data server tools to the following code level or higher: \n \nIBM Data Studio client 4.1.1 APAR 4 \n[download 4.1.1 APAR 4](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Studio&release=4.1.1&platform=All&function=all>) \n \nIBM InfoSphere Optim Query Workload Tuner for DB2 for LUW 4.1.1 APAR 4 \n[download 4.1.1 APAR 4](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Optim+Query+Workload+Tuner+for+DB2+for+Linux+UNIX+and+Windows&release=4.1.1&platform=All&function=all>) \n \nIBM InfoSphere Optim Query Workload Tuner for DB2 for z/OS 4.1.1 APAR 4 \n[download 4.1.1 APAR 4](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Optim+Query+Workload+Tuner+for+DB2+z/OS&release=4.1.1&platform=All&function=all>) \n \nIBM also recommends updating to the latest version of the IBM SDK, Java\u2122 Technology Edition that is installed with the client and that contains the latest security patches. 
\n \n**Product**| **Version**| **IBM SDK** \n---|---|--- \nIBM Data Studio client; IBM InfoSphere Optim Query Workload Tuner for DB2 for LUW; IBM InfoSphere Optim Query Workload Tuner for DB2 for z/OS| 3.1.0, 3.1.1| Java 6: [Windows 32-bit](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FIBM+Data+Studio&fixids=311-DS-32-JDK-Windows-6SR16FP3&source=SAR>), [Windows 64-bit](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FIBM+Data+Studio&fixids=311-DS-64-JDK-Windows-6SR16FP3&source=SAR>), [Linux 32-bit](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FIBM+Data+Studio&fixids=310-DS-32-JDK-Linux-6SR16FP3&source=SAR>), [Linux 64-bit](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FIBM+Data+Studio&fixids=310-DS-64-JDK-Linux-6SR16FP3&source=SAR>) \nIBM Data Studio client; IBM InfoSphere Optim Query Workload Tuner for DB2 for LUW; IBM InfoSphere Optim Query Workload Tuner for DB2 for z/OS| 3.2, 4.1.0, 4.1.0.1, 4.1.1| Java 7: [Windows 64-bit](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FIBM+Data+Studio&fixids=411-DS-64-JDK-Windows-71SR2FP10&source=SAR>) \nInfoSphere Data Architect| 7.6, 8.1| Java 6: [Windows 32-bit](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FIBM+Data+Studio&fixids=311-DS-32-JDK-Windows-6SR16FP3&source=SAR>), [Windows 64-bit](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FIBM+Data+Studio&fixids=311-DS-64-JDK-Windows-6SR16FP3&source=SAR>), [Linux 32-bit](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FIBM+Data+Studio&fixids=310-DS-32-JDK-Linux-6SR16FP3&source=SAR>), [Linux 64-bit](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FIBM+Data+Studio&fixids=310-DS-64-JDK-Linux-6SR16FP3&source=SAR>) \nInfoSphere Data Architect| 8.5, 9.1, 9.1.1, 9.1.2| Java 7: [Windows 64-bit](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FIBM+Data+Studio&fixids=411-DS-64-JDK-Windows-71SR2FP10&source=SAR>) \n \nDetailed instructions for updating the IBM SDK, Java\u2122 Technology Edition are provided in the tech-note \u201c[Updating the IBM SDK, Java Technology Edition for Optim Data Server Tools Desktop Products](<http://www-01.ibm.com/support/docview.wss?uid=swg21691806>)\u201d. \n\n## Workarounds and Mitigations\n\nThe following mitigation applies to: \n \n**Product**| **Version** \n---|--- \nIBM Data Studio client| 3.2, 4.1.0, 4.1.0.1, 4.1.1 \nIBM InfoSphere Optim Query Workload Tuner for DB2 for LUW| 3.2, 4.1.0, 4.1.0.1, 4.1.1 \nIBM InfoSphere Optim Query Workload Tuner for DB2 for z/OS| 3.2, 4.1.0, 4.1.0.1, 4.1.1 \nInfoSphere Data Architect| 8.5, 9.1, 9.1.1, 9.1.2 \n \nTo disable the RC4 stream cipher in the JVM environment of the product, modify the **java.security** file. \n \nThe java.security file is located in the security folder relative to the product install directory (for example: C:\\Program Files\\IBM\\DS4.1.1\\jdk\\jre\\lib\\security\\java.security). \n \nOpen the file and add the following property at the end of the file: \n \n**jdk.tls.disabledAlgorithms=RC4** \n \nIf there is an existing entry already, append to it using a comma to separate each algorithm. For example: \n \n**jdk.tls.disabledAlgorithms=SSLv3,RC4** \n \n_Note_: editing the java.security file may require administrator privileges. \n \nRestart the product to pick up the security configuration updates. \n \nYou should verify applying this configuration change does not cause any compatibility issues. 
Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \nFor earlier versions, IBM recommends upgrading to the latest supported version of the product. \n\n## ", "cvss3": {}, "published": "2018-06-16T13:10:36", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects various Optim data server tools desktop products (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T13:10:36", "id": "D54ACDD44659432ACAC652FC15700D423BFBDEA9A5F9BF09E9EF57AAD0B72583", "href": "https://www.ibm.com/support/pages/node/261259", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:12", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM DB2 Recovery Expert for Linux, UNIX, and Windows\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM DB2 Recovery Expert for Linux, UNIX, and Windows V3.1 - V4.1\n\n## Remediation/Fixes\n\nReplace the existing JRE with JRE V7 SR9-Fix Pack 1 (<http://www-01.ibm.com/support/docview.wss?uid=swg21639279>). \n\nYou can replace the IBM Runtime Environment, Java\u2122 Technology Edition that is installed with IBM DB2 Recovery Expert for Linux, UNIX, and Windows with the latest IBM Runtime Environment, Java\u2122 Technology Edition following the detailed instructions provided in the tech-note \"[_Updating the JRE for DB2 Recovery Expert for Linux, UNIX and Windows_](<http://www-01.ibm.com/support/docview.wss?uid=swg21644942>)\".\n\n## Workarounds and Mitigations\n\nDisable RC4 by adding RC4 to the list of disabled algorithms defined by the security property \n\n_jdk.tls.disabledAlgorithms_\n\nlocated in the file _<RE install directory>/jre/lib/security/java.security_.\n\nAlternatively, the RC4 cipher can be disabled within the IBM WebSphere Application Server Liberty Profile component that is embedded with Recovery Expert by adding the property definition \n\n_com.ibm.jsse2.sp800-131=transition_\n\nin the file _<RE install directory>/Config/dswebserver.properties_.\n\n \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. ** **\n\n## ", "cvss3": {}, "published": "2018-06-16T13:10:36", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM DB2 Recovery Expert for Linux, UNIX, and Windows (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T13:10:36", "id": "BDD09DC99F92259DA1EC4EA1111BFCD2837C26C6E19B09E7B530EDEC8D6C298D", "href": "https://www.ibm.com/support/pages/node/261255", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:29", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Cognos Mobile app on Android.\n\n## Vulnerability Details\n\n**CVEID**: [CVE-2015-2808](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2808>) \n**DESCRIPTION**: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Cognos Mobile app on Android version 10.2.2.1.1 and earlier\n\n## Remediation/Fixes\n\nThe recommended solution is to update the app to the latest version as soon as practical. \n \nThe fix has been released as part of the IBM Cognos Mobile app on Android version 10.2.2.1.2: \n<https://play.google.com/store/apps/details?id=com.ibm.cogmob.artoo> \n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone known. 
Update the app\n\n## ", "cvss3": {}, "published": "2018-06-15T23:13:40", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Cognos Mobile app on Android (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T23:13:40", "id": "1DAE041F25466A8D147EB9622409BA9A37A230F6FB76AD4E091BED7B3A6CE8FB", "href": "https://www.ibm.com/support/pages/node/262671", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:31", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Cognos Business Intelligence Server.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n \nIBM Cognos Business Intelligence Server 10.2.2 \nIBM Cognos Business Intelligence Server 10.2.1.1 \nIBM Cognos Business Intelligence Server 10.2 \nIBM Cognos Business Intelligence Server 10.1.1 \nIBM Cognos Business Intelligence Server 10.1 \nIBM Cognos Business Intelligence Server 8.4.1\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\n \nThe RC4 cipher suites must be disabled using Cognos Configuration by performing the following actions: \n \n1) Start Cognos Configuration \n \n2) Navigate to Security/Cryptography/Cognos \n \n3) Open the supported cipher suites selection dialog \n \n4) Select all cipher suites that have RC4 in the name and remove them from the Current Values List. Select OK to save the new list. \n \n5) Save and restart your service using Cognos Configuration. \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n\n## ", "cvss3": {}, "published": "2018-06-15T23:13:39", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Cognos Business Intelligence Server (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T23:13:39", "id": "06C9EAD36600EA57C900FE580274C435820888C18E5273F4E2CD3FBF1E1682C4", "href": "https://www.ibm.com/support/pages/node/261171", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:48", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects OpenPages GRC Platform with Application Server.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nOpenPages GRC Platform with Application Server 6.2.0, 6.2.1, 7.0 (embedded application server versions)\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nThe embedded application server can be reconfigured to only accept known good ciphers and avoid this issue. Please note that this remediation changes the list of cipher suites accepted by the application server. As a result, there is a chance SSL connectivity issues could arise in your environment. While no issues have been found in internal testing, we encourage you to test this configuration on a test system in your environment prior to using it in production. \n\nMitigation Steps:\n\n 1. Stop all servers. For details on stopping services, see the \u201cStarting and Stopping Servers\u201d chapter in the _IBM\u00ae OpenPages\u00ae GRC Platform Administrator\u2019s Guide._\n 2. Log into the Windows console of the primary application server as an administrator.\n 3. Launch regedit.exe\n 4. Navigate to HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\OpenPagesAdminServer\\Parameters\n 5. Right-click on the Parameters key and select Export.\n 6. Create a backup directory (you will be repeating this export with other keys).\n 7. Save the export as OpenPagesAdminServer\n 8. Select the current value for CmdLine\n 9. Paste it into a text editor such as Notepad\n 10. Move to the very end of the string and you will find the text \"weblogic.Server\"\n 11. Insert the string \"-Dweblogic.security.SSL.protocolVersion=TLS1\" before \"weblogic.Server\". 
\n \nFor example, change: \n \n-Djava.security.policy=\"C:\\oracle\\middleware\\wlserver_10.3\\server\\lib\\weblogic.policy\" weblogic.Server \n \nto: \n \n-Djava.security.policy=\"C:\\oracle\\middleware\\wlserver_10.3\\server\\lib\\weblogic.policy\" **-Dweblogic.security.SSL.protocolVersion=TLS1** weblogic.Server \n \n\n 12. Copy the string from your editor and use it to replace the current contents of the CmdLine setting.\n 13. Navigate to HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\OpenPagesServer1\\Parameters\n 14. Right-click on the Parameters key and select Export.\n 15. Save the export as OpenPagesServer1 in the backup directory\n 16. Repeat steps 8 through 12 for this key.\n 17. If you have additional nodes installed (for example OpenPagesServer2) repeat the process of exporting and adding \"-Dweblogic.security.SSL.protocolVersion=TLS1\" for each node.\n 18. Repeat the process for the workflow servers by editing: \n\\- HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\InterstageBPMAdminServer\\Parameters \n\\- HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\InterstageBPMCS1\\Parameters \n\\- Any additional nodes installed (i.e. InterstageBPMCS2)\n 19. Close Registry Editor\n 20. Navigate to the file <OpenPages_Home>\\OpenPagesDomain\\config\\config.xml \n \n \nFor example: \n \nC:\\OpenPages\\OpenPagesDomain\\config\\config.xml \n \n\n 21. Make a backup copy of the file\n 22. Edit the file in Notepad or a similar text editor. \n 23. Locate the following section: \n \n<server> \n<name>OpenPagesAdminServer</name> \n<ssl> \n<name>OpenPagesAdminServer</name> \n<enabled>true</enabled> \n \n\n 24. Add the following below the <enabled>true</enabled> line: \n \n \n<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite> \n<jsse-enabled>true</jsse-enabled> \n \n\n 25. 
Look further down the file for the section: \n \n \n<server> \n<name>_ServerName_-OpenPagesServer1</name> \n<max-message-size>2000000000</max-message-size> \n<ssl> \n<enabled>true</enabled> \n \n\n 26. Add the following below the <enabled>true</enabled> line: \n \n \n<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite> \n \n\n 27. In the same <ssl> block, add <enabled>true</enabled> just before the closing </ssl>. Your <ssl> block should now look something like the following: \n \n \n<ssl> \n<enabled>true</enabled> \n<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite> \n<listen-port>7010</listen-port> \n<server-private-key-alias>mystrongcert</server-private-key-alias> \n<server-private-key-pass-phrase-encrypted>{AES}123456abce=</server-private-key-pass-phrase-encrypted> \n<jsse-enabled>true</jsse-enabled> \n</ssl> \n \n \n\n 28. Make the same changes to any additional nodes you have configured. (i.e. _ServerName_-OpenPagesServer2)\n 29. Save and close config.xml\n 30. Navigate to the file <Fujitsu_Home>\\InterstageBPM\\IBPMDomain\\config\\config.xml \n \n \nFor example: \n \nC:\\Fujitsu\\InterstageBPM\\IBPMDomain\\config\\config.xml \n \n\n 31. Make a backup copy of the file\n 32. Edit the file in Notepad or a similar text editor. \n 33. Locate the following section: \n \n<server> \n<name>AdminServer</name> \n<ssl> \n<name>AdminServer</name> \n<enabled>true</enabled> \n \n\n 34. Add the following below the <enabled>true</enabled> line: \n \n \n \n<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite> \n \n\n 35. In the same <ssl> block, add <enabled>true</enabled> just before the closing </ssl>. Your <ssl> block should now look like the following: \n \n \n<ssl> \n<enabled>true</enabled> \n<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite> \n<listen-port>49902</listen-port> \n<jsse-enabled>true</jsse-enabled> \n</ssl> \n \n\n 36. 
Look further down the file for the section: \n \n \n<server> \n<name>_ServerName_-InterstageBPMCS1</name> \n<max-message-size>2000000000</max-message-size> \n<ssl> \n<enabled>true</enabled> \n \n\n 37. Add the following below the <enabled>true</enabled> line: \n \n \n<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite> \n \n\n 38. In the same <ssl> block, add <enabled>true</enabled> just before the closing </ssl>. Your <ssl> block should now look something like the following: \n \n \n<ssl> \n<enabled>true</enabled> \n<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite> \n<listen-port>49952</listen-port> \n<jsse-enabled>true</jsse-enabled> \n</ssl> \n \n \n\n 39. Make the same changes to any additional nodes you have configured. (i.e. _ServerName_-InterstageBPMCS2)\n 40. Save and close config.xml\n 41. You may now restart services. \n 42. Once services restart, connect to the application via secure connection to validate that you can connect. \n \n\n \n \n \n\n\n## ", "cvss3": {}, "published": "2018-06-15T22:37:00", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects OpenPages GRC Platform with Application Server (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T22:37:00", "id": "ADC50833DE0A3D841EF5E4556B1E32AF2826952FD359D02B27840B2DAC3F23C7", "href": "https://www.ibm.com/support/pages/node/264153", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": 
"2023-02-21T01:52:49", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Cognos Insight.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n \nCognos Insight 10.2 \nCognos Insight 10.2.1 \nCognos Insight 10.2.2 \n\n## Remediation/Fixes\n\n[Cognos Insight Standard Edition 10.2 Fix Pack 1 Interim Fix 4](<http://www-01.ibm.com/support/docview.wss?uid=swg24040712>) \n \n[Cognos Insight Standard Edition 10.2.1 Fix Pack 2 Interim Fix 4](<http://www-01.ibm.com/support/docview.wss?uid=swg24040711>) \n \n[Cognos Insight Standard Edition 10.2.2 Fix Pack 4](<http://www-01.ibm.com/support/docview.wss?uid=swg24040540>) \n\n\n## Workarounds and Mitigations\n\nTo mitigate the vulnerability in the xulrunner embedded browser: \n \n1.1) Locate the Cognos Insight installation directory. 
\n1.2) For all directories matching <installation_directory>\\plugins\\com.ibm.cognos.isv.xulrunner.win32.* \n1.3) Open file <installation_directory>\\plugins\\com.ibm.cognos.isv.xulrunner.win32.*\\xulrunner\\greprefs.js with a text editor \n1.4) For each RC4 cipher which is set to 'true' change the value to 'false' \n \ne.g. \n \nline: \n \npref(\"security.ssl3.rsa_rc4_128_md5\", true); \n \nbecomes: \n \npref(\"security.ssl3.rsa_rc4_128_md5\", false); \n \n \n \nTo fully mitigate the risk of this vulnerability, IBM recommends that Cognos Insight customers pick up the latest Cognos TM1 fixes. These fixes disable RC4 ciphers on TM1 Server. \n \n[IBM Cognos TM1 9.5.2 Fix Pack 3 Interim Fix 7](<http://www-01.ibm.com/support/docview.wss?uid=swg24039812>) \n \n[IBM Cognos TM1 10.1.1.2 Interim Fix 4](<http://www-01.ibm.com/support/docview.wss?uid=swg24039813>) \n \n[IBM Cognos TM1 10.2.0.2 Interim Fix 4](<http://www-01.ibm.com/support/docview.wss?uid=swg24039814>) \n \n[IBM Cognos TM1 10.2.2 FP3](<http://www.ibm.com/support/docview.wss?uid=swg24039764>) \n \n \n \nIBM also highly recommends that if Cognos Insight connects to any TM1 Planning Service, the following steps should be performed: \n \n \n2.1) Start Cognos Configuration \n \n2.2) Navigate to Security/Cryptography/Cognos \n \n2.3) Open the supported cipher suites selection dialog \n \n2.4) Select all cipher suites that have RC4 in the name and remove them from the Current Values List. Select OK to save the new list. \n \n2.5) Save and restart your service using Cognos Configuration. \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n \n \n \n \n\n\n## ", "cvss3": {}, "published": "2018-06-15T22:36:59", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Cognos Insight (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T22:36:59", "id": "B529694E1646D2AAED4AD4A6CE4C587933AE79F44C68C59FC8FED83B02451AEB", "href": "https://www.ibm.com/support/pages/node/264033", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:49", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Cognos Controller\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Cognos Controller 10.2.1 \nIBM Cognos Controller 10.2 \nIBM Cognos Controller 10.1.1 \nIBM Cognos Controller 10.1 \nIBM Cognos Controller 8.5.1 \nIBM Cognos Controller 8.5\n\n## Remediation/Fixes\n\n[IBM Cognos Controller 10.2.1 FP1 IF1](<http://www.ibm.com/support/docview.wss?uid=swg24040667>) \n \n[IBM Cognos Controller 10.2 FP1 IF2](<http://www.ibm.com/support/docview.wss?uid=swg24040665>) \n \n[IBM Cognos Controller 10.1.1 FP3 IF4](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Cognos&product=ibm/Information+Management/Cognos+8+Controller&release=10.1.1&platform=Windows+32-bit,+x86&function=fixId&fixids=10.1.1-BA-CNTRL-Win32-IF004>) \n \n[IBM Cognos Controller 10.1 IF4](<http://www.ibm.com/support/docview.wss?uid=swg24040668>) \n \n[IBM Cognos Controller 8.5.1 FP1 IF1](<http://www.ibm.com/support/docview.wss?uid=swg24040669>) \n \nUsers of IBM Cognos Controller 8.5 are advised to contact IBM Customer Support.\n\n## Workarounds and Mitigations\n\nThe RC4 cipher suites must be disabled using Cognos Configuration by performing the following actions: \n \n1) Start Cognos Configuration \n \n2) Navigate to Security/Cryptography/Cognos \n \n3) Open the supported cipher suites selection dialog \n \n4) Select all cipher suites that have RC4 in the name and remove them from the Current Values List. Select OK to save the new list. \n \n5) Save and restart your service using Cognos Configuration. \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n\n## ", "cvss3": {}, "published": "2018-06-15T22:36:45", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Cognos Controller (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T22:36:45", "id": "D051492C328048A4B83BDEE41811D722F3ED3F871B633F6DF5CE3210A7C60B64", "href": "https://www.ibm.com/support/pages/node/262781", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:50", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Algo Credit Limits.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nAlgo Credit Limits 4.7 and earlier\n\n## Remediation/Fixes\n\nA fix has been created for versions 4.5.0.05 and 4.7.0.03 of the named product. Download and install the fix as soon as practicable. Fix and installation instructions are provided at the URLs listed below. \n \nFor versions prior to 4.7.0 IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n \n \n\n\nPatch Number| Download URL \n---|--- \nACLM 4.7.0.03 FP7| [_ACL 4.7.0.03 FP7 Solaris Oracle_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolOra-fp0007:0&includeSupersedes=0&source=fc&login=true>) \n[_ACL 4.7.0.03 FP7 Solaris DB2_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolDB2-fp0007:0&includeSupersedes=0&source=fc&login=true>) \n[_ACL 4.7.0.03 FP7 RedHat Oracle_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-RHESOra-fp0007:0&includeSupersedes=0&source=fc&login=true>) \n[_ACL 4.7.0.03 FP7 AIX 
Oracle_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-AIXOra-fp0007:0&includeSupersedes=0&source=fc&login=true>) \n[_ACL 4.7.0.03 FP7 Window GUI Oracle_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-WinOra-fp0007:0&includeSupersedes=0&source=fc&login=true>) \n[_ACL 4.7.0.03 FP7 Window GUI DB2_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-WinDB2-fp0007:0&includeSupersedes=0&source=fc&login=true>) \nACLM-TFOLC 4.5.0.05 IF9| [_ACL-TFOLC 4.5.0.05 IF9_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.5.0.5-Algo-CreditLimits-if0009-cs:0&includeSupersedes=0&source=fc&login=true>) \n \n \nAs the server key size is increased, the amount of CPU required for a full TLS/SSL handshake can increase significantly. Please carefully test and assess the impact on your CPU requirements to ensure sufficient CPU resources; otherwise system availability may be impacted. \n\nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nTo disable the RC4 stream cipher in your Algo Credit Limits server installation, edit $ACLM_HOME/jlib/platform/jre/jre/lib/security/java.security. Find the line **jdk.tls.disabledAlgorithms=SSLv3** and change it to **jdk.tls.disabledAlgorithms=SSLv3,RC4** \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {}, "published": "2018-06-15T22:36:19", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Algo Credit Limits (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T22:36:19", "id": "1298B65FFCDE5A2CA1721D1320276E01494F651B0FB18D9D35ECD85A4A368D63", "href": "https://www.ibm.com/support/pages/node/261127", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:50", "description": "## Summary\n\nIBM WebSphere Application Server, IBM HTTP Server, IBM DB2, IBM SPSS Modeler, IBM Cognos Business Intelligence Server, 
IBM SPSS Collaboration and Deployment Services and IBM WebSphere MQ are shipped as components of IBM Predictive Maintenance and Quality. Information about a security vulnerability affecting IBM WebSphere Application Server, IBM HTTP Server, IBM DB2, IBM SPSS Modeler, IBM Cognos Business Intelligence Server, IBM SPSS Collaboration and Deployment Services and IBM WebSphere MQ has been published in their respective security bulletins.\n\n## Vulnerability Details\n\nPlease consult the [_Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for vulnerability details and information about fixes. \n \nPlease consult the [_Security Bulletin: Vulnerability in RC4 stream cipher affects IBM HTTP Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701072>) for vulnerability details and information about fixes. \n \n \nPlease consult the [_Security Bulletin: Vulnerability in RC4 stream cipher affects IBM DB2 (CVE-2015-2808)_](<https://www-304.ibm.com/support/docview.wss?uid=swg21717865>) for vulnerability details and information about fixes. \n \nPlease consult the [_Security Bulletin: Vulnerability in RC4 stream cipher affects IBM SPSS Modeler (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21882559>) for vulnerability details and information about fixes. \n \nPlease consult the [_Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Cognos Business Intelligence Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21715530>) for vulnerability details and information about fixes. 
\n \nPlease consult the [_Security Bulletin: Vulnerability in RC4 stream cipher in IBM SDK Java Technology Edition, Versions 1.6 and 1.7 affects IBM SPSS Collaboration and Deployment Services (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21883440&myns=swgimgmt&mynp=OCSS69YH&mync=E&cm_sp=swgimgmt-_-OCSS69YH-_-E>) for vulnerability details and information about fixes. \n \nPlease consult the [_Security Bulletin: Vulnerability in RC4 stream cipher affects IBM WebSphere MQ (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21883551&myns=swgws&mynp=OCSSFKSJ&mync=E&cm_sp=swgws-_-OCSSFKSJ-_-E>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nIBM Predictive Maintenance and Quality 1.0| IBM WebSphere Application Server v8.0; IBM HTTP Server v8.0; IBM DB2 Enterprise Server Edition 9.7.0.7; IBM SPSS Modeler Server 15.0; IBM Cognos Business Intelligence Server 10.2; IBM SPSS Collaboration and Deployment Services 5.0; IBM WebSphere MQ 7.5 \nIBM Predictive Maintenance and Quality 2.0| IBM WebSphere Application Server v8.5.5; IBM HTTP Server v8.0; IBM DB2 Enterprise Server Edition 10.1.0.3; IBM SPSS Modeler Server 16.0; IBM Cognos Business Intelligence Server 10.2.1; IBM SPSS Collaboration and Deployment Services 6.0; IBM WebSphere MQ 7.5.0.2 \nIBM Predictive Maintenance and Quality 2.5| IBM WebSphere Application Server v8.5.5.3; IBM HTTP Server v8.5.5.3; IBM DB2 Enterprise Server Edition 10.5.0.4; IBM SPSS Modeler Server 16.0.0.1; IBM Cognos Business Intelligence Server 10.2.2; IBM SPSS Collaboration and Deployment Services 6.0.0.1; IBM WebSphere MQ 7.5.0.4 \n \n## ", "cvss3": {}, "published": "2018-06-15T22:36:45", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, 
IBM HTTP Server, IBM DB2, IBM SPSS Modeler, IBM Cognos Business Intelligence Server, IBM SPSS Collaboration and Deployment Services and IBM WebSphere MQ s", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T22:36:45", "id": "B1B58BDE39A65D50071D269BF6F095CFE15DD4C48288607879D00FC024234C78", "href": "https://www.ibm.com/support/pages/node/262735", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:49", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM WebSphere Application Server that is used by WebSphere Business Modeler Publishing Server.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nWebSphere Business Compass 6.2.0.3 \n\n_For earlier unsupported versions of the product, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Remediation/Fixes\n\nConsult the security bulletin [_Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:07", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Business Modeler Publishing Server (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:03:07", "id": "05118ACD2332F0143FAE51F2AACD9CAE1FCBDE786C7601994039C60E7BA5E948", "href": "https://www.ibm.com/support/pages/node/265315", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:51", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM WebSphere Application Server that is used by WebSphere Business 
Compass.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nWebSphere Business Compass 7.0.0.4 \n\n_For earlier unsupported versions of the product, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Remediation/Fixes\n\nConsult the security bulletin [_Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:06", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Business Compass (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:03:06", "id": "3DF285A3FF90C43EDD69CB416687365F4283BAAFBD885E9CE272832E25FD0FE0", "href": "https://www.ibm.com/support/pages/node/265313", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:52", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM WebSphere MQ.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM WebSphere MQ v8.0 (maintenance levels prior to 8.0.0.3) \n\nIBM WebSphere MQ v7.5\n\nIBM WebSphere MQ v7.1\n\nIBM WebSphere MQ v7.0.1\n\nIBM WebSphere MQ for HP OpenVMS v6.0\n\nIBM WebSphere MQ for HP NonStop Server v5.3.1\n\nIBM MQ Appliance M2000\n\n## Remediation/Fixes\n\nIBM WebSphere MQ for OVMS \n\n * Apply fix for [APAR IT08302](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+MQ&release=All&platform=All&function=aparId&apars=IT08302>)\n \nIBM WebSphere MQ for distributed platforms (server) \n\n * Apply fix pack [8.0.0.3](<http://www-01.ibm.com/support/docview.wss?uid=swg27043086#8003>)\n * Apply fix pack 7.5.0.7 when available\n * Apply fix pack [7.1.0.7](<http://www-01.ibm.com/support/docview.wss?uid=swg21965293>)\n * Apply fix pack [7.0.1.13](<http://www-01.ibm.com/support/docview.wss?uid=swg21960691>)\n\n## Workarounds and Mitigations\n\n**_All Platforms_** \nIBM strongly recommends immediately changing any channel definitions that use any of the following RC4 MQ CipherSpecs to use a stronger encryption algorithm: \n\n\n * RC4_SHA_US\n * TLS_RSA_WITH_RC4_128_SHA\n * RC4_MD5_US\n * TLS_RSA_WITH_RC4_128_MD5\n * RC4_56_SHA_EXPORT1024\n * RC4_MD5_EXPORT\n * TLS_RSA_EXPORT_WITH_RC4_40_MD5\n * ECDHE_ECDSA_RC4_128_SHA256\n * ECDHE_RSA_RC4_128_SHA256\n * TLS_RSA_WITH_RC4_128_SHA256\n \n \nNote that IBM might need to deprecate the use of weaker algorithms, for example MQ CipherSpecs that are not certified as FIPS 140-2 compliant, via future product maintenance in response to a security vulnerability. 
\n \nThe IBM WebSphere MQ 8.0.0.3 fix pack deprecates the use of a number of CipherSpecs that are considered to be weak, including RC4. \n \nFurther details on the MQ CipherSpecs that are currently available can be found [_here_](<http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_.htm>). \n \n**_IBM WebSphere MQ for IBM i_** \nIBM recommends that customers review [_system value QSSLCSL_](<http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzakz/rzakzqsslcsl.htm>) to prevent the use of the RC4 cipher. \n\n**_IBM WebSphere MQ for UNIX, Linux, Windows & IBM MQ Appliance M2000_**\n\nOn other distributed platforms, enabling [_FIPS mode_](<http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q010140_.htm>) on a queue manager prevents weak ciphers including RC4 from being accepted by inbound connections and also from being used by outbound connections.\n\n \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher exposes you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:59", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM WebSphere MQ (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:59", "id": "25AFF68E9A96D7AE0D7F783CBA9309DFC54F95418F9DACB06812E4022188E71F", "href": "https://www.ibm.com/support/pages/node/262621", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:53", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM PureApplication System.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM PureApplication System V1.0 \nIBM PureApplication System V1.1 \nIBM PureApplication System V2.0 \nIBM PureApplication System V2.1\n\n## Remediation/Fixes\n\nThe PureSystems Managers on all IBM PureApplication System types are affected. The solution is to upgrade the IBM PureApplication System to the following Interim Fix (iFix) level: \n \nIBM PureApplication System V2.1 and IBM PureApplication System V2.0: \n\nUpgrade to IBM PureApplication System V2.1.0.0 Interim Fix 2 \nIBM PureApplication System V1.1 and earlier: Contact IBM customer support for upgrade options. \n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:00", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM PureApplication System (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:03:00", "id": "54E7DEE72999592D01C06A6D90C1A60E40C59BB021F0E905E0CBBF378065E589", "href": "https://www.ibm.com/support/pages/node/263031", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:53", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects WebSphere eXtreme Scale version 7.1.0, 7.1.1, 8.5, and 8.6.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nWebSphere eXtreme Scale V7.1.0 \n\nWebSphere eXtreme Scale V7.1.1\n\nWebSphere eXtreme Scale V8.5\n\nWebSphere eXtreme Scale V8.6\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nWebSphere eXtreme Scale| 7.1.0| PI39113| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.0.3&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.0.3&platform=All&function=all>) \nWebSphere eXtreme Scale| 7.1.1| PI39105| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.1.1&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.1.1&platform=All&function=all>) \nWebSphere eXtreme Scale| 8.5.0| PI39105| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.5.0.3&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.5.0.3&platform=All&function=all>) \nWebSphere eXtreme Scale| 8.6| None| No fix required; the remediation is to change java.security so that RC4 is one of the disabled algorithms. See the Workarounds and Mitigations section below. \n \nVerify that applying this fix does not cause any compatibility issues. 
The fix disables the RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nFor WebSphere eXtreme Scale versions 7.1.0, 7.1.1 and 8.5 stand-alone environments, apply the appropriate fix to upgrade your JDK. These fixes update Java 6 to a version where RC4 can be turned off. Then follow the instructions for disabling the RC4 algorithm. For WebSphere eXtreme Scale V8.6 stand-alone environments, the Java shipped already supports disabling the RC4 algorithm; you only need to change the `java.security` file as described. \n \n**Disable RC4 algorithm**\n\n 1. Edit the `java.security` file and turn off RC4 by adding the following setting: `jdk.tls.disabledAlgorithms=SSLv3,RC4`\n 2. When you run WebSphere eXtreme Scale in a WebSphere Application Server profile, follow the instructions for WebSphere Application Server described here: <http://www-01.ibm.com/support/docview.wss?uid=swg21701503>\n 3. When you run WebSphere eXtreme Scale in a WebSphere Application Server Liberty profile versions V8.5.0.0 through 8.5.5.5 Full Profile and you are configured for FIPS 140-2, Suite B or SP800-131, your SSL communication for Liberty is not affected by this vulnerability. If you are not running in a WebSphere Application Server Liberty profile that is configured for one of these security options, you can either enable FIPS 140-2 in Liberty or update the profile by following the instructions described here: [_http://www-01.ibm.com/support/docview.wss?uid=swg21701503_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>). 
\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:58", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere eXtreme Scale (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:58", "id": "F496B3D9EAEDF14B9DF4D0E0144A0D4807910FF339C97BD1102F40BE3101470F", "href": "https://www.ibm.com/support/pages/node/262767", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:54", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM WebSphere MQ Internet Pass-Thru.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM WebSphere MQ Internet Pass-Thru - SupportPac MS81\n\n## Remediation/Fixes\n\nReplace/upgrade MQIPT installations to [IBM WebSphere MQ Internet Pass-Thru 2.1.0.2](<http://www.ibm.com/services/forms/preLogin.do?source=passthru>) or later.\n\n## Workarounds and Mitigations\n\nIBM strongly recommends immediately changing any routes that use any of the following RC4 CipherSuites, or that do not explicitly specify a CipherSuite, to use a stronger encryption algorithm: \n\n * SSL_DH_anon_EXPORT_WITH_RC4_40_MD5\n * SSL_DH_anon_WITH_RC4_128_MD5 \n * SSL_DHE_DSS_WITH_RC4_128_SHA \n * SSL_ECDH_anon_WITH_RC4_128_SHA \n * SSL_ECDH_ECDSA_WITH_RC4_128_SHA \n * SSL_ECDH_RSA_WITH_RC4_128_SHA \n * SSL_ECDHE_ECDSA_WITH_RC4_128_SHA \n * SSL_ECDHE_RSA_WITH_RC4_128_SHA \n * SSL_KRB5_EXPORT_WITH_RC4_40_MD5 \n * SSL_KRB5_EXPORT_WITH_RC4_40_SHA \n * SSL_KRB5_WITH_RC4_128_MD5 \n * SSL_KRB5_WITH_RC4_128_SHA \n * SSL_RSA_EXPORT_WITH_RC4_40_MD5 \n * SSL_RSA_WITH_RC4_128_MD5 \n * SSL_RSA_WITH_RC4_128_SHA \n \nNote that IBM may need to deprecate the use of weaker algorithms in response to a security vulnerability. \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:59", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM WebSphere MQ Internet Pass-Thru (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:59", "id": "8F167BA93EB10576002984D4374CEF7417072033139BD2102795912C8F884835", "href": "https://www.ibm.com/support/pages/node/262625", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:54", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Integration Designer and WebSphere Integration Developer.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects IBM Integration Designer and WebSphere Integration Developer.\n\n## Remediation/Fixes\n\nTo fully mitigate these vulnerabilities, an additional fix (JR53201) is required for the following product versions: \n\n\n * [WebSphere Integration Developer V7.0.0.5](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FWebSphere+Integration+Developer&fixids=7.0.0.5-WS-IID-IFJR53201&source=SAR>)\n * [IBM Integration Designer V7.5.1.2](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=7.5.1.2-WS-IID-IFJR53201&source=SAR>)\n * [IBM Integration Designer V8.0.1.3](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.0.1.3-WS-IID-IFJR53201&source=SAR>)\n * [IBM Integration Designer V8.5.0.1](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.0.1-WS-IID-IFJR53201>)\n * [IBM Integration Designer V8.5.5.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.5.0-WS-IID-IFJR53201>)\n * [IBM Integration Designer V8.5.6.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.6.0-WS-IID-IFJR53201>)\n\n## Workarounds and Mitigations\n\nIf you are using any of the following products: \n\n\n * IBM Integration Designer V8.5.0.1\n * IBM Integration Designer V8.5.5.0\n * IBM Integration Designer V8.5.6.0\n \nthen the following steps can be used to remove RC4 from the list of available algorithms: \n \n**Prerequisite:** Before removing RC4 
from the list of available algorithms, you must first install the FREAK: Factoring Attack on RSA-EXPORT keys fix. See [this document](<http://www.ibm.com/support/docview.wss?uid=swg21700896>) for more information. \n \n1\\. Ensure that the product is not running. \n \n2\\. Locate the java.security file used by the product from the following location: \n_install folder_/jdk/jre/lib/security/java.security \n \n3\\. Edit the java.security file with a text editor and locate the line: \njdk.tls.disabledAlgorithms=SSLv3 \n \n4\\. Add RC4 to the list of disabled algorithms, for example: \njdk.tls.disabledAlgorithms=SSLv3, RC4 \n \n5\\. Save the file and restart the product. \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:58", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Integration Designer and WebSphere Integration Developer (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:58", "id": "06A938A9405F7BF9E46A2E52C72C10C55E742A907CC5F8EB0671145C5B443CD5", "href": "https://www.ibm.com/support/pages/node/261923", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:55", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects WebSphere DataPower XC10 Appliance Version 2.1. WebSphere DataPower XC10 Appliance Version 2.5 is not affected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nWebSphere DataPower XC10 Appliance V2.1\n\n## Remediation/Fixes\n\nThe only remediation is to apply the following fixes: \n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nWebSphere DataPower XC10 Appliance| 2.1| IT08240| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all>) \n \nVerify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nUsers of WebSphere DataPower XC10 Appliance Version 2.1 will need to apply the appropriate fix. 
This will disable the RC4 algorithm used on the appliance.\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:58", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere DataPower XC10 Appliance V2.1 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:58", "id": "B0322560C1846B605A089B18FF01990EB98EE066C468D4AE47B259A4253CCE00", "href": "https://www.ibm.com/support/pages/node/262765", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:55", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM WebSphere Cast Iron Solution (CVE-2015-2808)\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nThis vulnerability affects all versions of the product: \nWebSphere Cast Iron v 7.0.0.x \nWebSphere Cast Iron v 6.4.0.x \nWebSphere Cast Iron v 6.3.0.x \nWebSphere Cast Iron v 6.1.0.x \nWebSphere Cast Iron v 6.0.0.x \n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nCast Iron Appliance| 7.*| LI78552| [iFix 7.0.0.2-CUMUIFIX-011](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=7.0.0.2&platform=All&function=fixId&fixids=7.0.0.2-WS-WCI-20150420-1128_H10_64-CUMUIFIX-011.scrypt2,7.0.0.2-WS-WCI-20150420-1128_H10_64-CUMUIFIX-011.vcrypt2,7.0.0.2-WS-WCI-20150420-1128_H10_64-CUMUIFIX-011.32bit.sc-linux,7.0.0.2-WS-WCI-20150420-1128_H10_64-CUMUIFIX-011.32bit.sc-win,7.0.0.2-WS-WCI-20150420-1128_H10_64-CUMUIFIX-011.sc-linux,7.0.0.2-WS-WCI-20150420-1128_H10_64-CUMUIFIX-011.sc-win,7.0.0.2-WS-WCI-20150420-1521_H8_64-CUMUIFIX-011.32bit.studio,7.0.0.2-WS-WCI-20150420-1521_H8_64-CUMUIFIX-011.studio&includeSupersedes=0>) \nCast Iron Appliance| 6.4.0.x| LI78552| [iFix 6.4.0.1-CUMUIFIX-028](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=6.4.0.1&platform=All&function=fixId&fixids=6.4.0.1-WS-WCI-20150420-1612_H6-CUMUIFIX-028.scrypt2,6.4.0.1-WS-WCI-20150420-1612_H6-CUMUIFIX-028.vcrypt2,6.4.0.1-WS-WCI-20150420-1706_H5-CUMUIFIX-028.studio&includeSupersedes=0>) \nCast Iron Appliance| 6.3.0.x| LI78552| [iFix 
6.3.0.2-CUMUIFIX-013](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=6.3.0.2&platform=All&function=fixId&fixids=6.3.0.2-WS-WCI-20150420-1521_H4-CUMUIFIX-013.scrypt2,6.3.0.2-WS-WCI-20150420-1521_H4-CUMUIFIX-013.vcrypt2,6.3.0.2-WS-WCI-20150420-1606_H5-CUMUIFIX-013.studio&includeSupersedes=0>) \nCast Iron Appliance| 6.1.0.x| LI78552| [iFix 6.1.0.15-CUMUIFIX-020](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=6.1.0.15&platform=All&function=fixId&fixids=6.1.0.15-WS-WCI-20150420-1501_H3-CUMUIFIX-020.vcrypt2,6.1.0.15-WS-WCI-20150420-1501_H3-CUMUIFIX-020.scrypt2,6.1.0.15-WS-WCI-20150420-1525_H5-CUMUIFIX-020.studio&includeSupersedes=0>) \n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nCustomers on Cast Iron v6.0.0.x should contact IBM Support for migrating to one of the remediated releases. \n\nThe appliance is upgraded with script changes.\n\n \nFor Studio and Secure connectors, to disable the RC4 stream cipher do the following: \n \nStudio \nGo to the location where Studio is installed: \n<installation directory>\\jre\\lib\\security\\java.security \nAdd RC4 to the list of disabled TLS algorithms specified by the property jdk.tls.disabledAlgorithms. 
For example: \njdk.tls.disabledAlgorithms=SSLv3, RC4 \n \n \nFor Secure connectors \nGo to the location where the Secure connector is installed: \nWindows: <installation directory>\\jre\\jre\\lib\\security\\java.security \nLinux : <installation directory>\\jre\\lib\\security\\java.security \n \nAdd RC4 to the list of disabled TLS algorithms specified by the property jdk.tls.disabledAlgorithms. For example: \njdk.tls.disabledAlgorithms=SSLv3, RC4 \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:58", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM WebSphere Cast Iron Solution (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:58", "id": "17F901C3FEA725FC15B2387D43D90FAABF26EE57375E75CD49ABE4E696534914", "href": "https://www.ibm.com/support/pages/node/262261", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:56", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d attack for SSL/TLS affects IBM WebSphere Application Server that is used by server products in 
WebSphere Dynamic Process Edition.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nWebSphere Dynamic Process Edition 6.1, 6.2, 7.0 \n\nIf you are using an unsupported version, IBM strongly recommends upgrading.\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [_Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for vulnerability details and information about fixes. 
WebSphere Application Server is used by WebSphere Process Server, WebSphere Business Services Fabric, and WebSphere Business Monitor.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:57", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects server products in WebSphere Dynamic Process Edition (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:57", "id": "B8AC08083636CED19696E4D6DC903C037B1DDFCA059E987F58E692CAC3A74AF0", "href": "https://www.ibm.com/support/pages/node/261485", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:56", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM MQ Light.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \nDESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThe vulnerabilities affect users of IBM MQ Light V1.0 and V1.0.0.1 on all platforms.\n\n## Remediation/Fixes\n\nNone.\n\n## Workarounds and Mitigations\n\n1\\. You must download and install the appropriate MQ Light Server for your platform as shown below: \n\n 1. **Platform**| **License Type**| **APAR**| **URL** \n---|---|---|--- \nWindows| Developer| IT08000| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-developer-L150408-IT08000&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-developer-L150408-IT08000&includeSupersedes=0>) \nWindows| Production| IT08000| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-production-L150408-IT08000&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-production-L150408-IT08000&includeSupersedes=0>) \nLinux| Developer| IT08000| 
[http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-developer-L150408-IT08000&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-developer-L150408-IT08000&includeSupersedes=0>) \nLinux| Production| IT08000| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-production-L150408-IT08000&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-production-L150408-IT08000&includeSupersedes=0>) \nMac| Developer| IT08000| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Mac-x64-developer-L150408-IT08000&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Mac-x64-developer-L150408-IT08000&includeSupersedes=0>) \n \nThe following link describes how to re-use the data from your existing installation: \n<http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm> \n \n2\\. 
Disable the RC4 stream cipher by editing the following file: \nWindows - <installation directory>\\runtime\\java\\jre\\lib\\security\\java.security \nLinux - <installation directory>/runtime/java/jre64/jre/lib/security \nMac - <installation directory>/runtime/java/jre64/Contents/Home/lib/security \n \nAdd RC4 to the list of disabled TLS algorithms specified by the property jdk.tls.disabledAlgorithms. For example: \n`jdk.tls.disabledAlgorithms=SSLv3, RC4` \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:56", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM MQ Light (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:56", "id": "E05B37B5238BFA24F4212FFF10F151DD7202964D47568F4EF0439907C7DCE3DF", "href": "https://www.ibm.com/support/pages/node/261361", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:57", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d attack for SSL/TLS affects IBM WebSphere Application Server that is used by WebSphere Lombardi Edition (WLE) 
and IBM Business Process Manager.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\n * IBM Business Process Manager V7.5.x through V8.5.6.0\n * WebSphere Lombardi Edition V7.2.0.x\n \n \n_For earlier unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [_Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for vulnerability details and information about fixes. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:56", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Lombardi Edition and IBM Business Process Manager (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:56", "id": "32C184B7AD6EDED2AF74EDBAFA0BD1F7B5DC8B659D8C4035079B542325469AD7", "href": "https://www.ibm.com/support/pages/node/261469", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:58", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects WebSphere Service Registry and Repository.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nWebSphere Service Registry and Repository versions 7.0, 7.5, 8.0, and 8.5.\n\n## Remediation/Fixes\n\nUsers are already protected from this issue if they: \n\n * Have already applied WebSphere Application Server Interim Fix PI36563 to mitigate against the \"FREAK: Factoring Attack on RSA-EXPORT keys\". This fix removes RC4 from the default cipher lists.\n * **AND** are not using a custom WebSphere Application Server cipher list that includes the RC4 cipher\n \n\n\nIf WebSphere Application Server Interim Fix PI36563 has not yet been applied, users should follow the advice contained in the following linked WebSphere Application Server security bulletin: <http://www-01.ibm.com/support/docview.wss?uid=swg21698613>.\n\nIf a custom cipher list is being used, users should verify that RC4 is not one of the listed ciphers, and remove it if it is. \n\n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n\n**Important note:** IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www-03.ibm.com/systems/z/advantages/security/integrity_sub.html>). 
Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:55", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Service Registry and Repository (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:55", "id": "A1C5908805ACC66A08E8B3945FAB1356AAD38F16B35C2E541F9EE57AB84FBD3F", "href": "https://www.ibm.com/support/pages/node/261185", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:59", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the IBM WebSphere Service Registry and Repository component of IBM SOA Policy Gateway Pattern for Red Hat Enterprise Linux Server.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM SOA Policy Gateway Pattern for Red Hat Enterprise Linux Server 2.5\n\n## Remediation/Fixes\n\nUsers are already protected from this issue if they: \n\n * Have already applied WebSphere Application Server Interim Fix PI36563 to mitigate against the \"FREAK: Factoring Attack on RSA-EXPORT keys\". This fix removes RC4 from the default cipher lists.\n * **AND** are not using a custom WebSphere Application Server cipher list that includes the RC4 cipher\n \n\n\nIf WebSphere Application Server Interim Fix PI36563 has not yet been applied, users should follow the advice contained in the following linked WebSphere Application Server security bulletin: [http://www.ibm.com/support/docview.wss?uid=swg21698613](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>).\n\nIf a custom cipher list is being used, users should verify that RC4 is not one of the listed ciphers, and remove it if it is. \n\n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:55", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM SOA Policy Gateway Pattern for Red Hat Enterprise Linux Server (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:55", "id": "11AABFFCA8A409D96250872B3540DF7695263F35782F971F9C6C12345872931B", "href": "https://www.ibm.com/support/pages/node/261571", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:59", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM WebSphere Real Time\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects IBM WebSphere Real Time Version 3 Service Refresh 8 Fix Pack 10 and earlier releases\n\n## Remediation/Fixes\n\nNone. The fix for this vulnerability is targeted for inclusion in IBM WebSphere Real Time Version 3 Service Refresh 9 and subsequent releases. \n \nThe APAR for this fix is [IV71888](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV71888>).\n\n## Workarounds and Mitigations\n\nModify the security property `jdk.tls.disabledAlgorithms` in the [java.security file](<http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/securityprops.html>) to disable the RC4 algorithm, for example: \n \n` jdk.tls.disabledAlgorithms=SSLv3, RC4` \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:54", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM\u00ae WebSphere Real Time (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:54", "id": "DC0C4514CD21C010016C93DB05C5EB0724B1BFE4A884FEC263704A98CF7C8CB1", "href": "https://www.ibm.com/support/pages/node/261143", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:55:03", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM CICS Transaction Gateway.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)\n\n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \nThe vulnerability in CICS TG can be closed by configuring CICS TG to use updated releases of Java. Updated JREs containing the Java fix for CVE-2015-2808, for use with CICS TG, can be found at: \n[http://www.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other software&query.product=ibm~WebSphere~CICS Transaction Gateway for Multiplatforms&query.release=All&query.platform=All ](<http://www.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=All&query.platform=All>)\n\n## Affected Products and Versions\n\nCICS Transaction Gateway for Multiplatforms and Desktop Edition V9.1 and earlier.\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nThe use of RC4 stream ciphers by CICS Transaction Gateway can be prevented by configuring CICS TG to only accept more secure cipher suites. This can be done by listing the acceptable cipher suites using the ciphersuites parameter in the ctg.ini file, or by adding the acceptable cipher suites to the \"Use only these ciphers\" suites in the \"SSL settings\" section of the CICS TG configuration tool. \nSee the [CICS TG for Multiplatforms Knowledge Center](<http://www-01.ibm.com/support/knowledgecenter/SSZHFX_8.0.0/ctgwin/ccl11rss01.html?lang=en>) for more details.\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:56", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM CICS Transaction Gateway (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:56", "id": "3DFEA15BF11806408F2986400E2862AA843E82180A4AA3FC77574EC959A22588", "href": "https://www.ibm.com/support/pages/node/261405", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:55:03", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects WebSphere Application Server which is used by IBM Business Monitor.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects IBM Business Monitor.\n\n## Remediation/Fixes\n\nConsult the security bulletin [_Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:57", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Business Monitor (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-15T07:02:57", "id": "2B0D483DB3B1DF4CEA8FF90CC051E2C440CEDF91CA9B82958FCE95FF1C18E0D9", "href": "https://www.ibm.com/support/pages/node/261725", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:46:38", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Tivoli Monitoring.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, 
could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThe following components of IBM Tivoli Monitoring (ITM) are affected by the RC4 \"Bar Mitzvah\" vulnerability: \n\n * Tivoli Enterprise Portal Server (TEPS) \n * embedded WebSphere Application Server \u2013 ITM versions 6.20 through 6.30 FP4\n * IBM HTTP Server (IHS) - ITM versions 6.23 through 6.30 FP4\n * Portal Server Communication with Portal Clients when configured to use SSL over IIOP protocol - ITM versions 6.20 through 6.30 FP4\n * Tivoli Enterprise Management Server (TEMS) - when LDAP is configured - ITM versions 6.20 through 6.30 FP4.\n\n## Remediation/Fixes\n\n**\n\n## _Management Server_\n\n** \n \nIf LDAP is configured for user authentication on the management server, a patch with the remediation will need to be installed. 
The appropriate patch below should be installed on each management server (hub and remote) where the LDAP client is configured: \n\n\n * 6.30: Install 6.3.0-TIV-ITM-FP0004-IV72812\n * 6.23: Install 6.2.3-TIV-ITM-FP0005-IV72812\n * 6.22: Install 6.2.2-TIV-ITM-FP0009-IV72812\n * 6.21/6.20: IBM recommends upgrading to a fixed, supported version/release of the product as listed above.\n \nThe following link contains information about accessing the patches above: \n<http://www.ibm.com/support/docview.wss?uid=swg24039910> \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \n \n \n**\n\n## _Portal Server_\n\n** \n \n**\n\n### _embedded WebSphere Application Server:_\n\n** \n \nYou should verify applying this fix does not cause any compatibility issues. \n\n**_Fix_**| **_VRMF_**| **_Remediation/First Fix_** \n---|---|--- \n6.X.X-TIV-ITM_EWAS_ALL_20150731| 6.3.0.x| [http://www.ibm.com/support/docview.wss?uid=swg24040392](<http://www.ibm.com/support/docview.wss?uid=swg24040392>) \nPatch to upgrade the embedded WebSphere Application Server (eWAS) shipped as part of the IBM Tivoli Monitoring portal server to version 8.0.0.10 plus additional Interim Fixes referred to as Interim Fix Block 2. \nTechnote| 6.2.3.x| <http://www.ibm.com/support/docview.wss?uid=swg21633720> \nContains information about installing the embedded WebSphere Application Server (eWAS) patches for IBM Tivoli Monitoring 6.23. 
The link gives instructions to install eWAS 7.0 Fix Pack 33 (7.0.0.37) and Interim Fix block 1 \nTechnote| 6.2.2.x| [http://www.ibm.com/support/docview.wss?uid=swg21509259](<http://www.ibm.com/support/docview.wss?uid=swg21509259>) \nContains information about installing the embedded WebSphere Application Server (eWAS) patches for IBM Tivoli Monitoring 6.22. The link gives instructions to install eWAS 6.1 Fix Pack 47 (6.1.0.47) and Interim Fix block 2. \n \nFor IBM Tivoli Monitoring 6.2.0 and 6.2.1, IBM recommends upgrading to a fixed, supported version/release of the product as listed above. \n \n**\n\n### _IBM HTTP Server (IHS):_\n\n** \nUpdate the configuration for the IBM HTTP Server (IHS) included as part of the IBM Tivoli Monitoring portal server for versions 6.23 through 6.30 FP1. Note: Portal Server versions 6.20 through 6.22 FP9 are not affected and do not need the change below. \n \nEdit the IBM HTTP Server configuration file httpd.conf: \nWindows: Edit the file <install_dir>/IHS/conf/httpd.conf \nITM 6.2.3 on Linux/AIX: Edit the file <install_dir>/<arch>/iu/ihs/conf/httpd.conf \nITM 6.3.0 on Linux/AIX: Edit the file <install_dir>/<arch>/iu/ihs/HTTPServer/conf/httpd.conf \n \nAdd the following directives to the httpd.conf file to disable RC4 ciphers in each context that contains \"SSLEnable\": \n \nSSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA \nSSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA \n \nStop and restart the portal server for the changes to take effect. \n \n \n**\n\n### _Portal Server Communication with Portal Clients:_\n\n** \n \nPortal Server Communication with Portal Clients when configured to use SSL over IIOP protocol. 
SSL over IIOP is being used if both conditions below are true: \n\\- HTTPS is not being used \n\\- applet.html file does not have the tep.connection.protocol=http or https AND \n\\- tep.jnlp file does not have tep.connection.protocol=https \n\\- the KFW_INTERFACE_cnps_SSL is set to \"Y\" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config) \n \n \nYou should verify applying this fix does not cause any compatibility issues. \n\n**_Fix_**| **_VRMF_**| **_Remediation/First Fix_** \n---|---|--- \n6.3.0-TIV-ITM-FP0005-IV74486| 6.3.0 | [http://www.ibm.com/support/docview.wss?uid=swg24040448](<http://www.ibm.com/support/docview.wss?uid=swg24040448>) \n6.2.3-TIV-ITM-FP0005-IV74486| 6.2.3| [http://www.ibm.com/support/docview.wss?uid=swg24040448](<http://www.ibm.com/support/docview.wss?uid=swg24040448>) \n6.2.2-TIV-ITM-FP0009-IV74486| 6.2.2| [http://www.ibm.com/support/docview.wss?uid=swg24040448](<http://www.ibm.com/support/docview.wss?uid=swg24040448>) \n6.3.0-TIV-ITM-FP0006| 6.3.0.x| <http://www.ibm.com/support/docview.wss?uid=swg24040390> \nCheck link for status on availability. \n \nFor IBM Tivoli Monitoring 6.2.0 and 6.2.1, IBM recommends upgrading to a fixed, supported version/release of the product as listed above. \n \nYou should verify applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\n**\n\n## _Portal Server Workarounds_\n\n** \nIf the patches above are not installed, the following configuration changes can be made on the portal server to address the issue. \n \n**\n\n### _Embedded WebSphere Application Server (eWAS) Workaround:_\n\n** \nUpdate the configuration for the embedded WebSphere Application Server (eWAS) included as part of the IBM Tivoli Monitoring portal server. \n \n1\\. Ensure the portal server is running. \n \n2\\. 
Start the TEPS/e administration console using the steps in the [**Starting the TEPS/e administration console**](<http://www.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/adminuse/userauthenticate_tepse_consolestart.htm>) section in the Administrator's Guide or follow the steps below: \nEnable the TEPS/e Administration Console: \nOn Windows: Select the Tivoli Enterprise Portal server from Manage Tivoli Enterprise Monitoring Services (MTEMS), right mouse click, select Advanced --> TEPS/e Administration--> Enable TEPS/e Administration \n \nOn UNIX/Linux: Run the command: \n$CANDLEHOME/<interp>/iw/scripts/enableISCLite.sh true \n \nEnable TEPS/e Administration Console password. \nOn Windows: Select the Tivoli Enterprise Portal server from MTEMS, right mouse click, select Advanced --> TEPS/e Administration--> Enable TEPS/e Password \n \nOn UNIX/Linux: Run the command: \n$CANDLEHOME/<interp>/iw/scripts/updateTEPSEPass.sh wasadmin <password> \n \nLog on to the TEPS/e Administration Console by opening the URL: \nhttp://<teps_hostname>:15205/ibm/console \nUse \"wasadmin\" as the userid and type in the password set in the previous step. \n \n3\\. On the Administration Console \n\n * Go to Security > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP)\n * In the \"Cipher suites\" select the following ciphers from \"Select ciphers\" box and remove them with the \"<< Remove\" button.\n * SSL_RSA_WITH_RC4_128_MD5\n * SSL_RSA_WITH_RC4_128_SHA\n * SSL_DHE_DSS_WITH_RC4_128_SHA\n * Apply/Save. \n\n### _Portal Server Communication with Portal Clients Workaround:_\n\nA configuration change is required when the portal server is configured to use the SSL over IIOP protocol. 
SSL over IIOP is being used if both conditions below are true: \n\n * HTTPS is not being used, that is, the applet.html file does not have tep.connection.protocol=http or https AND the tep.jnlp file does not have tep.connection.protocol=https \n * the KFW_INTERFACE_cnps_SSL is set to \"Y\" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config) \n \nEdit the portal server configuration file: \nWindows: <install_dir>/CNPS/KFWENV \nLinux/AIX: <install_dir>/config/cq.ini \n \nAdd/modify the following variable: \nITM version 6.30 through 6.30 FP4: \n \nKFW_ORBPARM=-Dvbroker.security.server.socket.enabledProtocols=TLS_Version_1_0_Only -Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA \n \nITM version 6.20 through 6.23 FP5: \n \nKFW_ORBPARM=-Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA \n \nStop and restart the portal server for the changes to take effect. \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T15:23:36", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli Monitoring (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T15:23:36", "id": "221573BADDA79D6BF68490001072D814021E193880E87312148C454854170DE5", "href": "https://www.ibm.com/support/pages/node/262221", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:12", "description": "## Summary\n\nVulnerability in RC4 stream cipher affects GSKit shipped with IBM Tivoli Network Manager IP Edition \nand IBM WebSphere Application Server shipped as a component of Tivoli Network Manager IP Edition. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\n**_Tivoli Network Manager IP Edition Interim Fixes for GSKit:_** \n**Note:** The SSL connection between Tivoli Network Manager IP Edition and Tivoli Netcool/OMNIbus is affected. Single server SSL users should upgrade to an appropriate OMNIbus fixpack to obtain the GSKit fix. Remote OMNIbus SSL connection users should install the Interim Fix below on Tivoli Network Manager IP Edition. \n\n\n**_Affected Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nTivoli Network Manager IP Edition| 3.8.0.7 | IV71123 & IV76121| <http://www.ibm.com/support/docview.wss?uid=swg24040692> \nTivoli Network Manager IP Edition| 3.9.0.4| IV71123 & IV76121| <http://www.ibm.com/support/docview.wss?uid=swg24040692> \nTivoli Network Manager IP Edition | 4.1.0| IV71123 & IV76121| <http://www.ibm.com/support/docview.wss?uid=swg24040692> \nTivoli Network Manager IP Edition| 4.1.1.1| IV71123 & IV76121| <http://www.ibm.com/support/docview.wss?uid=swg24040692> \n \n**_IBM WebSphere Application Server fixes:_** \n[**Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) \nNote: If TIP has been upgraded, please follow the TIP security bulletin to upgrade the appropriate IBM WebSphere version. 
**_Affected Product and Version(s)_**| **_Product and Version shipped as a component_** \n---|--- \nTivoli Network Manager IP Edition 3.8| Bundled the TIP version 1.1.1.x, IBM WebSphere version 6.1.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 5. \nTivoli Network Manager IP Edition 3.9| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nTivoli Network Manager IP Edition 4.1| Bundled the TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nTivoli Network Manager IP Edition 4.1.1| Bundled the TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \n \n## ", "cvss3": {}, "published": "2018-06-17T15:09:03", "type": "ibm", "title": "Security Bulletin:A security vulnerability has been identified in Tivoli Network Manager IP Edition and IBM WebSphere Application Server shipped with Tivoli Network Manager IP Edition. 
(CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T15:09:03", "id": "E5543978D844005507FB55966F094307DA1862D0D17039C427B77E7779FCBCA7", "href": "https://www.ibm.com/support/pages/node/265735", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:14", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Tivoli Monitoring for Tivoli Storage Manager.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThe following components of IBM Tivoli Monitoring for Tivoli Storage Manager (Reporting and Monitoring) are affected by the RC4 \"Bar Mitzvah\" vulnerability: \n\n * IBM Tivoli Monitoring for Tivoli Storage Manager (Reporting) 6.1 - 7.1\n\n## Remediation/Fixes\n\nThe solution provided is for IBM Tivoli Monitoring for Tivoli Storage Manager versions 6.3 and 7.1. \n\nYou can either apply the security fix to IBM Tivoli Monitoring or make the configuration changes in the workaround section. \n \n**Table: Security Fixes for IBM Tivoli Monitoring** \n**Note: The following table provides the security fixes for IBM Tivoli Monitoring for Tivoli Storage Manager version 6.3 - 7.1** \n \n**_IBM Tivoli Monitoring for Tivoli Storage Manager Version (Reporting and Monitoring)_**| **_Fix_**| **_Remediation/First Fix_** \n---|---|--- \n**_6.3.x_**| 6.2.2-TIV-ITM-FP0009-IV72812 (prerequisite: ITM 6.2.2 FP 9 must be applied first)| [**__Download IFIX__**](<http://www.ibm.com/support/docview.wss?uid=swg24039910>) \n**_7.1.x_**| 6.3.0-TIV-ITM-FP0004-IV72812 (prerequisite: ITM 6.3.0 FP 4 must be applied first)| [**__Download IFIX__**](<http://www.ibm.com/support/docview.wss?uid=swg24039910>) \n \nNOTE: \nExtended support customers using IBM Tivoli Monitoring versions 6.2 or 6.1 for Tivoli Storage Manager should contact IBM support. \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\n**Configuration Changes** \n \n**Note: You only need to perform these configuration changes if you do not wish to apply the security fixes to IBM Tivoli Monitoring.** \n \n**_Portal Server_**\n\nConfiguration changes are needed on the following components on the portal server. \n\n\n**_Embedded WebSphere Application Server (eWAS)_**\n\nUpdate the configuration for the embedded WebSphere Application Server (eWAS) included as part of IBM Tivoli Monitoring portal server. \n \n1\\. Ensure the portal server is running. \n \n2\\. Start the TEPS/e administration console using the steps in the [**_Starting the TEPS/e administration console_**](<http://www.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/adminuse/userauthenticate_tepse_consolestart.htm>) section in the Administrator's Guide or follow the steps below: \nEnable the TEPS/e Administration Console: \nOn Windows: Select the Tivoli Enterprise Portal server from Manage Tivoli Enterprise Monitoring Services (MTEMS), right mouse click, select Advanced --> TEPS/e Administration--> Enable TEPS/e Administration \n \nOn UNIX/Linux: Run the command: \n$CANDLEHOME/<interp>/iw/scripts/enableISCLite.sh true \n \nEnable TEPS/e Administration Console password. \nOn Windows: Select the Tivoli Enterprise Portal server from MTEMS, right mouse click, select Advanced --> TEPS/e Administration--> Enable TEPS/e Password \n \nOn UNIX/Linux: Run the command: \n$CANDLEHOME/<interp>/iw/scripts/updateTEPSEPass.sh wasadmin <password> \n \nLog on to the TEPS/e Administration Console by opening the URL: \nhttp://<teps_hostname>:15205/ibm/console \nUse \"wasadmin\" as the userid and type in the password set in the previous step. \n \n3\\. 
On the Administration Console \n\n * Go to Security > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) \n * In the \"Cipher suites\" select the following ciphers from \"Select ciphers\" box and remove them with the \"<< Remove\" button. \n * SSL_RSA_WITH_RC4_128_MD5 \n * SSL_RSA_WITH_RC4_128_SHA \n * SSL_DHE_DSS_WITH_RC4_128_SHA\n * Apply/Save. \n \n**_IBM HTTP Server (IHS)_** \n \nUpdate the configuration for the IBM HTTP Server (IHS) included as part of IBM Tivoli Monitoring portal server for versions 6.23 through 6.30 FP1. Note: Portal Server versions 6.20 through 6.22 FP9 are not affected and do not need the change below. \n \nEdit the IBM HTTP Server configuration file httpd.conf: \nWindows: Edit the file <install_dir>/IHS/conf/httpd.conf \nITM 6.2.3 on Linux/AIX: Edit the file <install_dir>/<arch>/iu/ihs/conf/httpd.conf \nITM 6.3.0 on Linux/AIX: Edit the file <install_dir>/<arch>/iu/ihs/HTTPServer/conf/httpd.conf \n \nAdd the following directives to the httpd.conf file to disable RC4 ciphers for each context that contains \"SSLEnable\": \n \nSSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA \nSSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA \n \nStop and restart the portal server for the changes to take effect. \n \n**_Portal Server Communication with Portal Clients_** \n \nA configuration change is required when the portal server is configured to use the SSL over IIOP protocol. 
SSL over IIOP is being used if both conditions below are true: \n\n * HTTPS is not being used, that is, the applet.html file does not have tep.connection.protocol=http or https AND the tep.jnlp file does not have tep.connection.protocol=https \n * the KFW_INTERFACE_cnps_SSL is set to \"Y\" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config) \n \nEdit the portal server configuration file: \nWindows: <install_dir>/CNPS/KFWENV \nLinux/AIX: <install_dir>/config/cq.ini \n \nAdd/modify the following variable: \nITM version 6.30 through 6.30 FP4: \n \nKFW_ORBPARM=-Dvbroker.security.server.socket.enabledProtocols=TLS_Version_1_0_Only -Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA \n \nITM version 6.20 through 6.23 FP5: \n \nKFW_ORBPARM=-Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA \n \nStop and restart the portal server for the changes to take effect. \n \nNOTE: \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n\n## ", "cvss3": {}, "published": "2018-06-17T15:01:53", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli Monitoring for Tivoli Storage Manager (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T15:01:53", "id": "D5A7B25AB9E44D2240950411FA878120A6EDD20A91791012C524AB1D974EAD12", "href": "https://www.ibm.com/support/pages/node/264169", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:15", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects the VMware GUI used by Tivoli Storage Manager for Virtual Environments: Data Protection for VMware 7.1 and Tivoli Storage FlashCopy Manager for VMware 4.1.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThe VMware GUI component is affected, which in turn affects the following products and versions: \n\n * Tivoli Storage Manager for Virtual Environments: Data Protection for VMware 7.1.0.0 through 7.1.1.x\n * FlashCopy Manager for VMware 4.1.0.0 through 4.1.1.x\n\n## Remediation/Fixes\n\n**_Tivoli Storage Manager for VE: Data Protection for VMware Release_**| **_First Fixing VRMF Level_**| **_Client Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n7.1| 7.1.2| Linux, Windows| <http://www.ibm.com/support/docview.wss?uid=swg24039450> \n \n**_Tivoli Storage FlashCopy Manager for VMware Release_**| **_First Fixing VRMF Level_**| **_Client Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n4.1| 4.1.2| Linux| <http://www.ibm.com/support/docview.wss?uid=swg24039478> \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nDirect the GUI's Liberty profile webserver to disable use of the SSLv3 and older protocols. This is done by editing the webserver configuration to set the minimum protocol to be Transport Layer Security (TLS) 1.0. \n \nUse the following procedure to edit the webserver configuration: \n \n1\\. 
Locate the file server.xml in its current directory: \nWindows: C:\\IBM\\tivoli\\tsm\\tdpvmware\\webserver\\usr\\servers\\veProfile \nLinux: /opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile \n \n2\\. Edit the server.xml file with a text editor as follows: \na) Locate the existing line that starts with _<keyStore id=\"defaultKeyStore\" ..._ \nb) Insert the following 2 lines below it: \n_<ssl id=\"veSSLConfig\" sslProtocol=\"TLS\" keyStoreRef=\"defaultKeyStore\"/>_ \n_<sslDefault sslRef=\"veSSLConfig\"/>_ \nc) Save the changes to server.xml \n \n3\\. In the same directory as server.xml, save the jvm.options file that is attached to this bulletin and located after the Disclaimer. \n \n4\\. Restart the webserver as follows: \nWindows: \na. Click **Start > Control Panel > Administrative Tools > Services** \nb. Right-click _Data Protection for VMware Web Server_ Service and click **Restart** \n \nLinux: Issue the following command as root: \nservice webserver restart \n \nThe GUI is now operational with SSLv3 and older protocols disabled. \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T15:01:05", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects the VMware GUI in Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and Tivoli Storage FlashCopy Manager for VMware (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T15:01:05", "id": "A8911B1672333C3DA91BF2CEB9A63F0B651141A12753A3B88640C9E860D0310E", "href": "https://www.ibm.com/support/pages/node/262797", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:15", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects Tivoli Storage Manager Administration Center\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nTivoli Storage Manager Administration Center 6.1, 6.2, and 6.3.\n\n## Remediation/Fixes\n\nThe recommended solution for Administration Center V6.3 is to apply the WAS fix pack. See the instructions below to obtain and install the fix pack. \n \nThe recommended solution for Administration Center V6.1 or V6.2 is to upgrade to V6.3 ([Download Tivoli Storage Manager Administration Center V6.3](<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/admincenter/v6r3/>)) and apply the WAS fix pack. If customers are unable to do this, they should contact support. \n \nThe V6.3 Administration Center can manage servers running Tivoli Storage Manager V6.1, V6.2, and V6.3. As an alternative, you can use the administrative command-line client instead of the Administration Center. \n \n**Installation Instructions** \n \n1\\. Stop the TIP/WAS server. This server cannot be running while you apply the fix pack. ([Starting and Stopping TIP](<http://www-01.ibm.com/support/knowledgecenter/SSGSG7_6.3.4/com.ibm.itsm.srv.install.doc/t_ac_start_stop.html%23t_ac_start_stop>)) \n2\\. Ensure that the IBM Update Installer is installed. The Update Installer is required to apply the fix pack. ([IBM Update Installer](<http://www-01.ibm.com/support/docview.wss?uid=swg24020212>)) \n3\\. Download the appropriate WAS Embedded fix pack package from the Downloads section of this page. \n4\\. Run the IBM Update Installer to install the fix pack. \n5\\. Start the TIP/WAS server. 
\n \n**Downloads** \nFor V6.3, download WAS Fix Pack 37 (7.0.0.37) \nAIX: \n[7.0.0-WS-WASEmbeded-AixPPC32-FP0000037.pak](<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/e-fix/WAS/7.0.0.37/7.0.0-WS-WASEmbeded-AixPPC32-FP0000037.pak>) \nLinux: \n[7.0.0-WS-WASEmbeded-LinuxX32-FP0000037.pak](<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/e-fix/WAS/7.0.0.37/7.0.0-WS-WASEmbeded-LinuxX32-FP0000037.pak>) \nSolaris: \n[7.0.0-WS-WASEmbeded-SolarisSparc-FP0000037.pak](<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/e-fix/WAS/7.0.0.37/7.0.0-WS-WASEmbeded-SolarisSparc-FP0000037.pak>) \nWindows: \n[7.0.0-WS-WASEmbeded-WinX32-FP0000037.pak](<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/e-fix/WAS/7.0.0.37/7.0.0-WS-WASEmbeded-WinX32-FP0000037.pak>) \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nFor WebSphere Application Server Full Profile, modifying the server's SSL configuration to disable SSLv3 can be done from either the Admin console or with an Admin task from wsadmin. \n \n**On the Admin Console** \n\n\n 1. Go to Security > SSL certificate and key management > SSL configurations \n 2. The collection of all SSL configurations is listed. For each SSL configuration in the list the SSL protocol will need to be modified to use TLS. \n 3. Select an SSL Configuration then click Quality of protection (QoP) settings under Additional Properties on the right. \n 4. On the Quality of protection (QoP) settings panel select TLS from the pull-down list in the box labeled Protocol. \n 5. 
Apply/Save.\n \n**Using wsadmin (does not apply to WebSphere Application Server 6.0.2)** \nIf using wsadmin, the modifySSLConfig task will need to be called for each SSL Configuration. \n \nTo get the list of SSL Configurations in wsadmin call \n \nwsadmin> AdminTask.listSSLConfigs('[-all true]') \n \nTo modify an SSL configuration from wsadmin call \n \nwsadmin>AdminTask.modifySSLConfig('[-alias <fill in the SSL Configuration alias> -scopeName <fill in the SSL Configuration management scope> -sslProtocol TLS]') \n \nwsadmin>AdminConfig.save() \n \nThe following is an example of what a modifySSLConfig command looks like with an alias and scope provided. \n \nwsadmin>AdminTask.modifySSLConfig('[-alias CellDefaultSSLSettings -scopeName (cell):ndcell -sslProtocol TLS ]') \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {}, "published": "2018-06-17T15:01:06", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Tivoli Storage Manager Administration Center (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T15:01:06", "id": 
"3F09BCDC35C9BA882706D8F2F41993FE1B21AF2D1D1C800C769DD771DABC602E", "href": "https://www.ibm.com/support/pages/node/262961", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:15", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" Attack for SSL/TLS affects Tivoli Storage Manager Operations Center\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nTivoli Storage Manager Operations Center v6.4 and v7.1.\n\n## Remediation/Fixes\n\n**TSM OC Release**| **Remediation/First Fix** \n---|--- \n6.4| 6.4.2.100 - [ALL Operating Systems](<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/opcenter/6.4.2.100/>) (see **NOTE** below) \n7.1| 7.1.1.100 - [ALL Operating Systems](<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/opcenter/7.1.1.100/>) \n \n**NOTE:** \nFor Operations Center 6.4, you must first uninstall Operations Center, delete the cached files, and then reinstall Operations Center using the following instructions: \n \n\n\n 1. Download the Remediation Fix for Operations Center 6.4.2.100 (see above)\n 2. 
Open IBM Installation Manager, click Uninstall, and follow the instructions in the wizard.\n 3. Close IBM Installation Manager.\n 4. Copy the following file to a different directory: <install dir>/tsm/ui/Liberty/usr/servers/guiServer/serverConnection.properties \n 5. Delete the following directory: <install dir>/tsm/ui \n 6. Open IBM Installation Manager, click Install, and follow the instructions in the wizard.\n 7. Close IBM Installation Manager.\n 8. Copy the serverConnection.properties file from its temporary location to the following directory: \n<install dir>/tsm/ui/Liberty/usr/servers \n\n\nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nDirect the GUI's Liberty profile web server to disable use of the SSLv3 and older protocols. This is done by editing the web server configuration to set the minimum protocol to be Transport Layer Security (TLS) 1.0. \n \nUse the following procedure to edit the web server configuration: \n \nFor TSM Operations Center v6.4.2 and v7.1.0 \n\n\n 1. Locate the server.xml file in its current directory: \nWindows: C:\\Tivoli\\TSM\\ui\\Liberty\\usr\\servers\\guiServer \nAIX / Linux: /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer\n 2. Edit the server.xml file with a text editor as follows: \na) Locate the existing line that starts with _<keyStore id=\"defaultKeyStore\" ..._ \nb) Insert the following 2 lines below it: \n_<ssl id=\"ocSSLConfig\" sslProtocol=\"TLS\" keyStoreRef=\"defaultKeyStore\"/>_ \n_<sslDefault sslRef=\"ocSSLConfig\"/>_ \nc) Save the changes to server.xml\n 3. 
In same directory as server.xml, save the jvm.options file that is attached to this bulletin and located after the Disclaimer.\n 4. Restart the web server as follows: \n\n * Windows: \na. Click **Start > Control Panel > Administrative Tools > Services** \nb. Right-click _Tivoli Storage Manager Operations Center_ Service and click **Restart** \n\n * AIX / Linux: Issue the following command as root: \n\nservice web server restart \n \nFor TSM Operations Center v7.1.1 \n\n 1. Locate the bootstrap.properties file in its current directory: \nWindows: C:\\Tivoli\\TSM\\ui\\Liberty\\usr\\servers\\guiServer \nAIX / Linux: /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer\n 2. Edit the value of tsm.https.sslRef to SP800131atransition and save changes\n 3. In same directory as bootstrap.properties, save the jvm.options file that is attached to this bulletin and located after the Disclaimer.\n 4. Restart the web server as follows: \n\n * Windows: \na. Click **Start > Control Panel > Administrative Tools > Services** \nb. Right-click _Tivoli Storage Manager Operations Center_ Service and click **Restart** \n\n * AIX / Linux: Issue the following command as root: \n\nservice web server restart \n \nThe GUI is now operational with SSLv3 and older protocols disabled. \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T15:01:06", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affect Tivoli Storage Manager Operations Center (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T15:01:06", "id": "EEB7ECAD0C56426C2A1407DC3C645A116206BB0DBBD075E415E54669BCD8C813", "href": "https://www.ibm.com/support/pages/node/262845", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:16", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Tivoli Netcool Service Quality Manager.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects Tivoli Netcool Service Quality Manager 4.1.4\n\n## Remediation/Fixes\n\nIBM has provided patches for all affected versions. \nThe IBM Java Runtime Environment Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 can be downloaded from the IBM Fix Central site: \n<https://delivery04.dhe.ibm.com/sar/CMA/WSA/0527u/2/j564redist.tar.gz> \n \nTo install the patch the following procedure has to be performed on TNSQM servers: \n \n$ sap stop \n$ sapmon stop \n$ sapmgr stop \n$ cd ${WMCROOT}/java \n$ mv jre jre.old \n$ gunzip -c <location of patch>/jre564redist.tar.gz | tar -xf - \n$ sapmon start \n$ sapmgr start \n$ sap start\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:00:28", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Tivoli Netcool Service Quality Manager (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T15:00:28", "id": "61468D6E23F724C645E3302DA80D9387C0B91F9325F9E43E25BD5647F1DD249B", "href": "https://www.ibm.com/support/pages/node/261551", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:16", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Tivoli Composite Application Manager for Transactions.\n\n## Vulnerability Details\n\n**CVE-ID: **[_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. \n \nThis vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \n \nCVSS Base Score: 5.00 \nCVSS Temporal Score: [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli Composite Application Manager (ITCAM) for Transactions is affected. ITCAM for Transactions contains multiple sub components (Agents). \nBoth the Internet Service Monitor (ISM \u2013 Agent code \u2018IS\u2019) and the Robotic Response Time (RRT \u2013 Agent code \u2018T6\u2019) are affected. 
\n \nISM Versions: \n\u00b7 7.4 \u2013 Affected by CVE (CVE-2015-2808) \n\u00b7 7.3 \u2013 Affected by CVE (CVE-2015-2808) \n\u00b7 7.2 \u2013 Affected by CVE (CVE-2015-2808) \n \nRRT Versions: \n\u00b7 7.4 \u2013 Affected by CVE (CVE-2015-2808) \n\u00b7 7.3 \u2013 Affected by CVE (CVE-2015-2808) \n\u00b7 7.2 \u2013 Affected by CVE (CVE-2015-2808) \n\u00b7 7.1 \u2013 Affected by CVE (CVE-2015-2808)\n\n## Remediation/Fixes\n\nISM Fixes \n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_7.4.0.0-TIV-CAMIS-IF0028_| _7.4.0.0_| _None_| [__http://www.ibm.com/support/docview.wss?uid=isg400002125__](<http://www.ibm.com/support/docview.wss?uid=isg400002125>) \n_7.3.0.1-TIV-CAMIS-IF0035_| _7.3.0.1_| _None_| [__http://www.ibm.com/support/docview.wss?uid=isg400002127__](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400002127>) \n_7.2.0.3-TIV-CAMIS-IF0029_| _7.2.0.3_| _None_| [__http://www.ibm.com/support/docview.wss?uid=isg400002107__](<http://www.ibm.com/support/docview.wss?uid=isg400002107>) \nFor ISM 7.1 IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n \nRRT Fixes _Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_7.4.0.0-TIV-CAMRT-IF0029_| _7.4.0.0_ \n_7.3.0.1_ \n_7.2.0.3_ \n_7.1.0.0_| _None_| [__http://www.ibm.com/support/docview.wss?uid=isg400002131__](<http://www.ibm.com/support/docview.wss?uid=isg400002131>) \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nFor ISM disable the RC4 ciphers in all monitors. 
To disable the RC4 ciphers, update the monitor properties: _SSLCipherSuite_ and _BridgeSSLCipherSet_. For example, to disable RC4 ciphers in the HTTPS monitor, update the https.props file to include \n \nSSLCipherSuite : \"AES:3DES:DES:!EXP\" \nBridgeSSLCipherSet : \"AES:3DES:DES:!EXP\"\n\n## ", "cvss3": {}, "published": "2018-06-17T14:59:41", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli Composite Application Manager for Transactions (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T14:59:41", "id": "7D3B26A9BCC0FD8CA9AE4D5AFD3380DAA769DF627BCDA9D515FAA9AB6BAD1346", "href": "https://www.ibm.com/support/pages/node/260061", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:17", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the Enterprise Common Collector (a component of IBM Tivoli zEnterprise Monitoring Agent, a component of IBM Tivoli Monitoring).\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nEnterprise Common Collector 1.1.0 (a component of IBM Tivoli zEnterprise Monitoring Agent, a component of IBM Tivoli Monitoring v6.2.3 and v6.3.0)\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_Operating System_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nIBM Tivoli zEnterprise Monitoring Agent (Enterprise Common Collector v1.1.0 component) \n\n| \n\nv6.2.3\n\n| AIX\u00ae| \n\n[_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-AIX-IF0004&includeSupersedes=0>) \n \nLinux\u00ae on System z\u00ae| \n\n[_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Linuxz-IF0004&includeSupersedes=0>) \n \nLinux\u00ae on Intel\u00ae 32-bit| \n\n[_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Linuxx32-IF0004&includeSupersedes=0>) \n \nLinux\u00ae on Intel\u00ae 64-bit| \n\n[_Fix Central 
link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Linuxx64-IF0004&includeSupersedes=0>) \n \n32-bit Windows\u00ae| \n\n[_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Windows32-IF0004&includeSupersedes=0>) \n \n64-bit Windows\u00ae| \n\n[_Fix Central link_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Windows64-IF0004&includeSupersedes=0>) \n \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T15:00:22", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects the Enterprise Common Collector component of the IBM Tivoli zEnterprise Monitoring Agent (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T15:00:22", "id": "3CF8A7AA1CDB0A8E873463D676A516030B956E859EC831618FA54389A8BE1F0A", "href": "https://www.ibm.com/support/pages/node/261087", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:17", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" for SSL/TLS may affect some configurations of WebSphere Application Server as a component of IBM Tivoli Netcool Performance Manager . \nNOTE: If you are configured for FIPS140-2, Suite B or SP800-131 in your Security>SSL certificate and key management then you are not affected by this vulnerability or your SSL communication for Liberty. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\nPlease consult the security bulletin [_Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for vulnerability details.\n\n## Affected Products and Versions\n\nAffected Product and Version(s)\n\n| IBM WebSphere Application Server Version \n---|--- \nTivoli Network Performance Manager 1.4| IBM WebSphere version 8.5.0.1 (Bundled in the Jazz for Service Management version 1.1.0.2) \nTivoli Network Performance Manager 1.3.3| IBM WebSphere version 7.0.0.x (Bundled in the TIP version 2.1.0.x) \nTivoli Network Performance Manager 1.3.2| IBM WebSphere version 7.0.0.x (Bundled in the TIP version 2.1.0.x) \nTivoli Network Performance Manager 1.3.1| IBM WebSphere version 7.0.0.x (Bundled in the TIP version 2.1.0.x) \n \n## Remediation/Fixes\n\nRemediation is available at the security bulletin [_Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>)\n\n## ", "cvss3": {}, "published": "2018-06-17T15:00:48", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server shipped with Tivoli Netcool Performance Manager (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T15:00:48", "id": "E6BD4D9CC9EA6DE3F210166CEA8E96D2951AACB38CF97496D3C04EA57B5E2F29", "href": "https://www.ibm.com/support/pages/node/262183", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:17", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Tivoli Storage Manager FastBack for Workstations. The TSM FastBack for Workstations Central Administration Console (CAC) has a security vulnerability in the underlying IBM WebSphere and IBM WebSphere Liberty Server. Tivoli Storage Manager FastBack for Workstations (client) is affected when using WinHttp connections to a remote WebDav backup server. Since the cipher can be negotiated down to RC4 the CAC and client application are both affected.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThe following versions of Tivoli Storage Manager for Workstations Central Administration Console are affected: \n7.1.0.0 through 7.1.2.n \n6.3.0.0 through 6.3.1.0 \n \nThe following versions of Tivoli Storage Manager for Workstations (client) are affected: \n7.1.0.0 through 7.1.2.n \n6.3.0.0 through 6.3.1.12\n\n## Remediation/Fixes\n\n**Tivoli Storage Manager FastBack for WorkStations Central Administration Console**\n\n| **First Fixing VRMF Level**| **Client \nPlatform**| **Link to Fix / Fix Availability Target** \n---|---|---|--- \n7.1| 7.1.3.0| Windows \n\n\nx86 \n \n \n \n \n \n \nx64\n\n| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=7.1.3.0-TIV-FB4WKSTNS-CAC-x86_windows&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=7.1.3.0-TIV-FB4WKSTNS-CAC-x86_windows&includeSupersedes=0&source=fc>) \n \n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=7.1.3.0-TIV-FB4WKSTNS-CAC-x64_windows&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=7.1.3.0-TIV-FB4WKSTNS-CAC-x64_windows&includeSupersedes=0&source=fc>) \n6.3| 6.3.1.1| Windows| 
`[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=6.3.1.1-TIV-FB4WKSTNS-CAC_windows&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=6.3.1.1-TIV-FB4WKSTNS-CAC_windows&source=SAR>)` \n**Tivoli Storage Manager FastBack for WorkStations Client**| **First Fixing VRMF Level**| **Client \nPlatform**| **Link to Fix / Fix Availability Target** \n---|---|---|--- \n7.1| 7.1.3.0| Windows \n\n\nx86\n\n \n \n \n \n\n\nx64\n\n| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=7.1.3-TIV-FB4WKSTNS-x86_windows-FP0000&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=7.1.3-TIV-FB4WKSTNS-x86_windows-FP0000&includeSupersedes=0&source=fc>) \n \n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=7.1.3-TIV-FB4WKSTNS-x64_windows-FP0000&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=7.1.3-TIV-FB4WKSTNS-x64_windows-FP0000&includeSupersedes=0&source=fc>) \n6.3| 6.3.1.13| Windows \n\n\nx86 \n \n \n \n \n \nx64\n\n| 
[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=6.3.1-TIV-FB4WKSTNS-x86_windows-FP0013&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=6.3.1-TIV-FB4WKSTNS-x86_windows-FP0013&includeSupersedes=0&source=fc>) \n \n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=6.3.1-TIV-FB4WKSTNS-x64_windows-FP0013&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Storage+Manager+FastBack+for+Workstations&release=All&platform=Windows&function=fixId&fixids=6.3.1-TIV-FB4WKSTNS-x64_windows-FP0013&includeSupersedes=0&source=fc>) ` \n` \n \n## Workarounds and Mitigations\n\n \nTivoli Storage Manager FastBack for Workstations Central Administration Console \n\nVersion 6.3, 7.1.0 You will need to remove any of the ciphers that begin with SSL_* or TLS_* and contain RC4 in the name from your WebSphere Application Server SSL configuration. \n \nYou can view the administrative console page to change the settings, click **Security > SSL certificate and key management**. Under Configuration settings, click** Manage endpoint security configurations > {Inbound | Outbound} > ****_ssl_configuration_**. Under Related items, click **SSL configurations > **. Click on {_SSL_configuration_name_ }. Under **Additional Properties**, click **Quality of protection (QoP) settings**. \nPerform a restart on the Tivoli Integrated Portal Service after saving the setting above. \nVersion 7.1.1, 7.1.2 \n1\\. Open the java.security file for editing. 
The file will be located in the Tivoli Storage Manager FastBack for Workstations Central Administration Console install directory\\java\\jre\\lib\\security. \n2\\. Add the following line to the file: jdk.tls.disabledAlgorithms=RC4 \n3\\. In Control Panel -> Administrative Tools -> Service, stop and then restart the TSM FastBack for Workstations Central Administration Console service \nTivoli Storage Manager FastBack for Workstations (client): \n\nBased on the Microsoft document: (<http://support.microsoft.com/en-us/kb/245030>) \n1\\. Open the registry and look under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Schannel\\Ciphers\\ \n2\\. For any RC4 cipher create the following registry key if it does not exist: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Schannel\\Ciphers\\RC4 XXX/XXX (where examples are RC4 128/128, RC4 40/128, RC4 56/128, etc.) \n3\\. Create a DWORD value named Enabled in the above mentioned key and set its value to 0. This is a computer wide setting and will impact any application that uses the Microsoft WinHttp functions. \n \nA WebDav administrator should also be able to disable any RC4 cipher on the WebDav server which will eliminate the client vulnerability. \nAt this point the application will not allow RC4 ciphers. \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T15:00:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Tivoli Storage Manager FastBack for Workstations (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T15:00:01", "id": "F77AF913D00FF008F39C866466CF92B3C47B41BA40E5A20F74C8BBCB097539FC", "href": "https://www.ibm.com/support/pages/node/260723", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:25", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors.\n\n## Vulnerability Details\n\n**CVE-ID: **[_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. \n \nThis vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \nCVSS Base Score: 5.00 \nCVSS Temporal Score: [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nSSM 4.0.0 FP1 - FP14 and Interim Fix 14-01 \u2013 Interim Fix 14-05 \nSSM 4.0.1 FP1 \u2013 FP2 Interim Fix 01\n\n## Remediation/Fixes\n\n \n\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_4.0.1.2-TIV-SSM-IF0002_| _4.0.1.2_| _None_| [__http://www.ibm.com/support/docview.wss?uid=isg400002115__](<http://www.ibm.com/support/docview.wss?uid=isg400002115>) \n_4.0.0.14-TIV-SSM-IF0006_| _4.0.0.14_| _None_| [__http://www.ibm.com/support/docview.wss?uid=isg400002120__](<http://www.ibm.com/support/docview.wss?uid=isg400002120>) \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T14:59:41", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T14:59:41", "id": "C7611421A5FF54EB8E63ED1066FA071BD9C040E26C0C170C779049202F0816E4", "href": "https://www.ibm.com/support/pages/node/260063", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:45", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" attack for SSL/TLS affects Watson Explorer, Watson Content Analytics, and OmniFind Enterprise Edition.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nCVE-2015-2808 applies to the following products and versions: \n\n * Watson Explorer Foundational Components version 10.0.0.2 and earlier, version 9.0.0.6 and earlier, and version 8.2-4 and earlier\n * Watson Explorer Annotation Administration Console version 10.0.0.2 and earlier\n * Watson Explorer Analytical Components version 10.0.0.2 and earlier\n * Watson Content Analytics version 3.5.0.2 and earlier, version 3.0.0.5 and earlier, version 2.2.0.3 and earlier, and version 2.1.0.2 and earlier\n * OmniFind Enterprise Edition version 9.1.0.5 and earlier\n\n## Remediation/Fixes\n\nFollow these steps to upgrade to the required version of IBM\u00ae Runtime Environment Java\u2122 Technology Edition. \n\nThe table reflects product names at the time the specified versions were released. To use the links to Fix Central in this table, you must first log in to the IBM Support: Fix Central site at <http://www.ibm.com/support/fixcentral/>.\n\n**Affected Product**| **Affected Versions**| **Required IBM Java Runtime**| **How to acquire and apply the fix** \n---|---|---|--- \nIBM Watson Explorer Foundational Components| 10.0 through 10.0.0.2| JVM 7.0 SR9 or later| \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039429>)). \nIf you upgrade to Version 10.0.0.2 after you update IBM Java Runtime, your changes are lost and you must repeat the steps. \n 2. 
Download the IBM Java Runtime, Version 7 package for your edition (Standard, Enterprise, or Advanced) and operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): interim fix **10.0.0.2-WS-WatsonExplorer-<Edition>Foundational-<OS>-7SR9** or later (for example, 10.0.0.2-WS-WatsonExplorer-EEFoundational-Linux-7SR9).\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700618>). \nIBM Watson Explorer| 9.0 through 9.0.0.6| JVM 7.0 SR9 or later| \n\n 1. If not already installed, install V9.0 Fix Pack 6 (see [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=9.0.0.6&platform=All&function=all>) to download V9.0.0.6 [Standard Edition](<http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=9.0.0.5-WS-WatsonExplorer-SE-FP001&continue=1>) or [Enterprise Edition](<http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=9.0.0.5-WS-WatsonExplorer-EE-FP001&continue=1>)). \nIf you upgrade to Version 9.0.0.6 after you update IBM Java Runtime, your changes are lost and you must repeat the steps.\n 2. Download the IBM Java Runtime, Version 7 package for your edition and operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=9.0.0.4&platform=All&function=all#Others>): interim fix **9.0.0.5-WS-DataExplorer-<Edition>-<OS>-7SR9** or later (for example, 9.0.0.5-WS-DataExplorer-EE-Linux-7SR9).\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700618>). 
\nIBM InfoSphere Data Explorer| 8.2 through 8.2-4| JVM 7.0 SR9 or later| \n\n 1. If not already installed, install V8.2 Fix Pack 4 (see [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=8.2.4.0&platform=All&function=all>) to download V8.2-4). \nIf you upgrade to Version 8.2.4.0 after you update IBM Java Runtime, your changes are lost and you must repeat the steps.\n 2. Download the IBM Java Runtime, Version 7 package for your operating system from [Fix Central: ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=8.2.2.0&platform=All&function=all#Other>)interim fix **8.2-3-WS-DataExplorer-<OS>-7SR9** or later (for example, 8.2-3-WS-DataExplorer-Windows-7SR9).\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700618>). \nIBM Watson Explorer Foundational Components Annotation Administration Console| 10.0 through 10.0.0.2| JVM 7.0 SR9 or later| \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039429>)). \nIf you upgrade to Version 10.0.0.2 after you update IBM Java Runtime, your changes are lost and you must repeat the steps.\n 2. Download the 32-bit and 64-bit packages of IBM Java Runtime, Version 7 for IBM Watson Explorer Advanced Edition and your operating system from [Fix Central: ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>)interim fix **10.0.0.2-WS-WatsonExplorer-AEAnalytical-<OS>[32]-7SR9 **or later (for example, 10.0.0.2-WS-WatsonExplorer-AEAnalytical-Linux32-7SR9 and 10.0.0.2-WS-WatsonExplorer-AEAnalytical-Linux-7SR9).\n 3. 
To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700619>). \nIBM Watson Explorer Analytical Components| 10.0 through 10.0.0.2| JVM 7.0 SR9 or later| \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039430>)). \nIf you upgrade to Version 10.0.0.2 after you configure IBM Java Runtime, your changes are lost and you must repeat the steps.\n 2. Download the 32-bit (or 31-bit, if you use Linux on System z) and 64-bit packages of IBM Java Runtime, Version 7 for IBM Watson Explorer Advanced Edition and your operating system from [Fix Central: ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>)interim fix **10.0.0.2-WS-WatsonExplorer-AEAnalytical-<OS>[32|31]-7SR9** or later (for example, 10.0.0.2-WS-WatsonExplorer-AEAnalytical-Linux32-7SR9 and 10.0.0.2-WS-WatsonExplorer-AEAnalytical-Linux-7SR9).\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700620>). \n 4. If you use WebSphere Application Server instead of the embedded web application server, follow the instructions in the security bulletin, [Vulnerability in RC4 stream cipher affects WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21701503>). \nIBM Watson Content Analytics| 3.5 through 3.5.0.2| JVM 7.0 SR9 or later| \n\n 1. If not already installed, install V3.5 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039428>)). \nIf you upgrade to Version 3.5.0.2 after you configure IBM Java Runtime, your changes are lost and you must repeat the steps. \n 2. 
Download the 32-bit (or 31-bit, if you use Linux on System z) and 64-bit packages of IBM Java Runtime, Version 7 for your operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/IBM+Cognos+Content+Analytics&release=3.5.0.2&platform=All&function=all>): interim fix **3.5.0.2-WT-WCA-<OS>[32|31]-7SR9** or later (for example, 3.5.0.2-WT-WCA-AIX32-7SR9 and 3.5.0.2-WT-WCA-AIX-7SR9).\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700621>).\n 4. If you use WebSphere Application Server instead of the embedded web application server, follow the instructions in the security bulletin, [Vulnerability in RC4 stream cipher affects WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21701503>). \nIBM Content Analytics with Enterprise Search| 3.0 through 3.0.0.5| JVM 6.0 SR16-FP4 or later| \n\n 1. If not already installed, install V3.0 Fix Pack 5 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24038808>)). \nIf you upgrade to Version 3.0.0.5 after you update IBM Java Runtime, your changes are lost and you must repeat the steps.\n 2. Download the 32-bit (or 31-bit, if you use Linux on System z) and 64-bit packages of IBM Java Runtime, Version 6 for your operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/IBM+Cognos+Content+Analytics&release=3.0.0.5&platform=All&function=all>): interim fix **3.0.0.5-WT-ICA-<OS>[32|31]-6SR16FP4** or later (for example, 3.0.0.5-WT-ICA-Linux32-6SR16FP4 and 3.0.0.5-WT-ICA-Linux-6SR16FP4).\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700622>).\n 4. 
If you use WebSphere Application Server instead of the embedded web application server, follow the instructions in the security bulletin, [Vulnerability in RC4 stream cipher affects WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21701503>). \nIBM Content Analytics| 2.2 through 2.2.0.3| JVM 6.0 SR16-FP4 or later| \n\n 1. If not already installed, install V2.2 Fix Pack 3 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24033352>)). \nIf you upgrade to Version 2.2.0.3 after you update IBM Java Runtime, your changes are lost and you must repeat the steps.\n 2. Download the 32-bit (or 31-bit, if you use Linux on System z) and 64-bit packages of IBM Java Runtime, Version 6 for your operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/IBM+Cognos+Content+Analytics&release=2.2.0.3&platform=All&function=all>): interim fix **2.2.0.3-WT-ICA-<OS>[32|31]-6SR16FP4** or later (for example, 2.2.0.3-WT-ICA-AIX32-6SR16FP4 and 2.2.0.3-WT-ICA-AIX-6SR16FP4).\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700623>).\n 4. If you use WebSphere Application Server instead of the embedded web application server, follow the instructions in the security bulletin, [Vulnerability in RC4 stream cipher affects WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21701503>). \nIBM Cognos Content Analytics| 2.1 through 2.1.0.2| JVM 6.0 SR16-FP4 or later| \n\n 1. If not already installed, install V2.1 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24028203>)). \nIf you upgrade to Version 2.1.0.2 after you update IBM Java Runtime, your changes are lost and you must repeat the steps.\n 2. 
Download the 32-bit and 64-bit packages of IBM Java Runtime, Version 6 for your operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/IBM+Cognos+Content+Analytics&release=2.1.0.2&platform=All&function=all#Others>): interim fix **2.1.0.2-WT-ICA-<OS>[32]-6SR16FP4** or later (for example, 2.1.0.2-WT-ICA-AIX32-6SR16FP4 and 2.1.0.2-WT-ICA-AIX-6SR16FP4).\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21959215>). \nIBM OmniFind Enterprise Edition| 9.1 through 9.1.0.5| JVM 6.0 SR16-FP4 or later| \n\n 1. If not already installed, install V9.1 Fix Pack 5 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24035824>)). \nIf you upgrade to Version 9.1.0.5 after you update IBM Java Runtime, your changes are lost and you must repeat the steps.\n 2. Download the 32-bit (or 31-bit, if you use Linux on System z) and 64-bit packages of IBM Java Runtime, Version 6 for your operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/IBM+OmniFind+Enterprise+Edition&release=9.1.0.5&platform=All&function=all>): interim fix **9.1.0.5-WT-OEE-<OS>[32|31]-6SR16FP4** or later (for example, 9.1.0.5-WT-OEE-Windows32-6SR16FP4 and 9.1.0.5-WT-OEE-Windows-6SR16FP4).\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700624>).\n 4. If you use WebSphere Application Server instead of the embedded web application server, follow the instructions in the security bulletin, [Vulnerability in RC4 stream cipher affects WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21701503>). 
\n \n**Note:** The IBM Java Runtime versions referenced in this security bulletin include the fixes for the vulnerabilities identified in [Vulnerability in IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700625>) (the \u201cFREAK: Factoring attack on RSA-EXPORT keys\u201d). \n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-17T13:04:51", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Watson Explorer, Watson Content Analytics, and OmniFind Enterprise Edition (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T13:04:51", "id": "FA2F2201782B1543085C54AF885559335008FF5E107BC8B64162CFD984471A77", "href": "https://www.ibm.com/support/pages/node/261049", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:49:06", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Rational Service Tester.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nRational Service Tester versions 8.2.*, 8.3.*, 8.5.*, 8.6.* and 8.7.\n\n## Remediation/Fixes\n\nDownload Java from one of the links below. Edit java.security and disable RC4 by adding it to the list of disabled algorithms. For example, \n \njdk.tls.disabledAlgorithms=SSLv3, RC4 \n \nFor a default installation the file java.security can be found as indicated below. \nWindows: C:\\Program Files\\IBM\\SDP\\jdk\\jre\\lib\\security. \nLinux: /opt/IBM/SDP/jdk/jre/lib/security. \n \n\n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nRST| 8.7| None| Download [Java 7 SR8 FP10 +IV70681](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRST| 8.6 - 8.6.x| None| Download[ Java 7 SR8 FP10 +IV70681 ](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRST| 8.5 - 8.5.x| None| Download[ Java 7 SR8 FP10 +IV70681](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRST| 8.3 - 8.3.x| None| Download [Java 7 SR8 FP10 
+IV70681](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRST| 8.2 - 8.2.1.x| None| Download [Java 7 SR8 FP10 +IV70681 ](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:49", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Service Tester (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T05:01:49", "id": "D30F02319749539738BDC24DA7238A5443EBA8AA8D4D5B3F5A3B14A493E63BE1", "href": "https://www.ibm.com/support/pages/node/261915", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:50:57", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Tivoli/Security Directory Server.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. 
An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to obtain sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n * IBM Tivoli Directory Server 6.0, 6.1, 6.2, 6.3\n * IBM Security Directory Server 6.3.1, 6.4\n\n## Remediation/Fixes\n\nAffected Releases| Fixes Available \n---|--- \nIBM Tivoli Directory Server 6.0| [6.0.0.73-ISS-ITDS-IF0074](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.0.0.74&platform=All&function=all>) \nIBM Tivoli Directory Server 6.1| [6.1.0.67-ISS-ITDS-IF0067](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.1.0.67&platform=All&function=all>) \nIBM Tivoli Directory Server 6.2| [6.2.0.43-ISS-ITDS-IF0043](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.2.0.43&platform=All&function=all>) \nIBM Tivoli Directory Server 6.3| [6.3.0.36-ISS-ITDS-IF0036](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.3.0.36&platform=All&function=all>) \nIBM Security Directory Server 6.3.1| [6.3.1.10-ISS-ISDS-IF0010](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.3.1.10&platform=All&function=all>) \nIBM Security Directory Server 6.4| [6.4.0.1-ISS-ISDS-IF0001](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.4.0.1&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nFor each instance of the server, remove the following lines from the server configuration file at /home/<instance name>/<instance name>-idsldap/etc/**ibmslapd.conf**, and restart the server. \n \n[under dn: cn=SSL,cn=Configuration] \nibm-slapdSslCipherSpec: RC4-128-MD5 \nibm-slapdSslCipherSpec: RC4-128-SHA \nibm-slapdSslCipherSpec: DES-56 \nibm-slapdSslCipherSpec: RC4-40-MD5 \nibm-slapdSslCipherSpec: RC2-40-MD5 \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
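The five ibm-slapdSslCipherSpec lines above belong to one LDIF-style entry of ibmslapd.conf, and a global search-and-delete would also strip the attribute from any other entry that carries it. The Python below is an added example, not part of IBM's bulletin or product: it removes the listed weak specs only inside the cn=SSL,cn=Configuration entry, reports the specs that remain so you can confirm strong ones are still configured, and returns a warning instead of silently leaving the entry with no cipher spec at all. The sample configuration is constructed; the AES and TripleDES-168 values and the cn=Other entry are assumptions made for the example, and LDIF continuation lines (a leading space) are not handled.

```python
"""Remove the weak ibm-slapdSslCipherSpec values from the cn=SSL,cn=Configuration
entry of ibmslapd.conf, and nowhere else. Added example; not IBM code."""
import re
from typing import Iterator, List, Tuple

SSL_DN = "cn=SSL,cn=Configuration"
# The five values the bulletin says to remove.
WEAK_CIPHER_SPECS = {"RC4-128-MD5", "RC4-128-SHA", "DES-56", "RC4-40-MD5", "RC2-40-MD5"}
_SPEC_RE = re.compile(r"^ibm-slapdSslCipherSpec:\s*(\S+)\s*$", re.IGNORECASE)


def _norm_dn(dn: str) -> str:
    """Compare DNs ignoring case and the spaces after commas ('cn=SSL, cn=Configuration')."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _lines_in_entry(conf: str, dn: str) -> Iterator[Tuple[str, bool]]:
    """Yield (line, inside); inside is True for lines of the LDIF entry whose dn matches.
    An entry starts at its 'dn:' line and ends at the next blank line.
    Assumption: the file has no LDIF continuation lines (leading space)."""
    target = _norm_dn(dn)
    inside = False
    for line in conf.splitlines():
        if line.lower().startswith("dn:"):
            inside = _norm_dn(line[3:]) == target
        elif not line.strip():
            inside = False
        yield line, inside


def cipher_specs(conf: str, dn: str = SSL_DN) -> List[str]:
    """The ibm-slapdSslCipherSpec values currently configured in the given entry."""
    found: List[str] = []
    for line, inside in _lines_in_entry(conf, dn):
        m = _SPEC_RE.match(line) if inside else None
        if m:
            found.append(m.group(1))
    return found


def strip_weak_cipher_specs(conf: str, dn: str = SSL_DN,
                            weak=WEAK_CIPHER_SPECS) -> Tuple[str, List[str], List[str]]:
    """Return (new_conf, removed, warnings). Lines are dropped only inside `dn`; the same
    attribute in any other entry is left alone. If the edit would leave the entry with
    no cipher spec at all, a warning is returned so strong specs get added before the
    restart rather than discovered missing after it."""
    weak_u = {w.upper() for w in weak}
    kept: List[str] = []
    removed: List[str] = []
    remaining: List[str] = []
    for line, inside in _lines_in_entry(conf, dn):
        m = _SPEC_RE.match(line) if inside else None
        if m and m.group(1).upper() in weak_u:
            removed.append(m.group(1))
            continue                      # drop the weak spec line
        if m:
            remaining.append(m.group(1))
        kept.append(line)
    warnings: List[str] = []
    if removed and not remaining:
        warnings.append(f"{dn} would be left with no ibm-slapdSslCipherSpec; add strong specs first")
    return "\n".join(kept) + "\n", removed, warnings


# Constructed sample of an ibmslapd.conf fragment (not a real file). The AES and
# TripleDES-168 values and the cn=Other entry are assumptions for the example; the
# five weak values are the ones named in the bulletin.
SAMPLE_CONF = """\
dn: cn=Configuration
cn: Configuration

dn: cn=SSL, cn=Configuration
cn: SSL
ibm-slapdSecurity: SSL
ibm-slapdSslCipherSpec: AES
ibm-slapdSslCipherSpec: TripleDES-168
ibm-slapdSslCipherSpec: RC4-128-MD5
ibm-slapdSslCipherSpec: RC4-128-SHA
ibm-slapdSslCipherSpec: DES-56
ibm-slapdSslCipherSpec: RC4-40-MD5
ibm-slapdSslCipherSpec: RC2-40-MD5

dn: cn=Other, cn=Configuration
cn: Other
ibm-slapdSslCipherSpec: RC4-128-SHA
"""

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    new_conf, removed, warnings = strip_weak_cipher_specs(src)
    print("removed:", removed, "| remaining:", cipher_specs(new_conf), "| warnings:", warnings)
```

Run it against a copy of each instance's ibmslapd.conf, diff the result, and only then replace the file and restart the instance as the bulletin says. On the sample it removes exactly the five bulletin values, leaves AES and TripleDES-168 in the SSL entry, and does not touch the RC4 spec in the unrelated cn=Other entry; a second run over its own output changes nothing.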
\n\n## ", "cvss3": {}, "published": "2018-06-16T21:23:58", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli/Security Directory Server (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T21:23:58", "id": "1709290AEBE9A32DD527BD83623D24D35E893CA90E205405818A823706EDF26B", "href": "https://www.ibm.com/support/pages/node/262699", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:51:34", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah Attack\" for SSL/TLS affects IBM Sterling B2B Integrator and IBM Sterling File Gateway. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Sterling B2B Integrator 5.2 \n \nIBM Sterling File Gateway 2.2 \n \nSterling Integrator 5.1 \n \nSterling File Gateway 2.1\n\n## Remediation/Fixes\n\n**Product & Version**| **Remediated Fix** \n---|--- \nSterling Integrator 5.1 or \nSterling File Gateway 2.1| \n\n 1. Upgrade Sterling Integrator to 5104 and apply Generic Interim Fix 5104_6. \n \n\n 2. For Linux, AIX and Windows, go to the [_Fix Central for IBM Java fixes_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/Java&release=All&platform=All&function=all>) to download IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 Service Refresh 16 Fix Pack 3 or a subsequent release. \n \nFor Solaris and HP-UX, refer to the Java vendor to find the appropriate version that addresses the RC4 \u201cBar Mitzvah\u201d vulnerability. \n \n\n 3. Make the configuration changes specified in the Workarounds and Mitigations section below. \nIBM Sterling B2B Integrator 5.2 or \nIBM Sterling File Gateway 2.2| \n\n 1. Upgrade Sterling Integrator to 5.2.5.0. \n \n\n 2. Make the configuration changes specified in the Workarounds and Mitigations section below. \n \n \n## Workarounds and Mitigations\n\nThe following table provides instructions on how to make configuration changes to both Sterling B2B Integrator 5.2 and 5.1. After making the necessary changes, you will need to stop and restart Sterling B2B Integrator in order for these changes to take effect. 
\n\nIf you use:| Then do this: \n---|--- \nSterling B2B Integrator 5.1 or 5.2 or \nSterling File Gateway 2.1 or 2.2| Put the following entries in customer_overrides.properties \n \nsecurity.WeakCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA \n\nsecurity.StrongCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA\n\nsecurity.AllCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA \n\n\nIBM recommends the use of strong ciphers in the configuration for adapters and services. \n \nSterling Integrator 5.1 or \nSterling File Gateway 2.1| \n\n 1. Upgrade to Sterling Integrator 5104_6 if the Sterling Integrator version is lower than 5104_6\n \n\n 2. Put the following entry in customer_overrides.properties\nsecurity.dashboardCipherSuite=strong \nSterling B2B Integrator 5.2 or \nSterling File Gateway 2.2| For IBM\u00ae SDK Java\u2122 Technology Edition, Version 7, add the property jdk.tls.disabledAlgorithms=RC4 to the end of the java.security file located in <Your_Sterling_Integrator_Install_Directory>/jdk/jre/lib/security. If the file already contains a jdk.tls.disabledAlgorithms line, add RC4 to that line instead of appending a second one: Java keeps only the last definition of a property key, so a second line would silently drop whatever the first line disabled. \nWSMQ adapters and services \nMQFTE adapters and services \nCD:Server adapters and services \nMEIG Message Configuration Adapter| IBM recommends the use of strong ciphers in the configuration for adapters and services and not to use ciphers with RC4. \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
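Both the Rational Service Tester bulletin (edit java.security so that jdk.tls.disabledAlgorithms lists RC4) and the Sterling bulletin (append jdk.tls.disabledAlgorithms=RC4) have you change the same Java properties file by hand, and the pitfall is the same: java.util.Properties keeps only the last definition of a duplicated key, so a second jdk.tls.disabledAlgorithms line replaces the first and re-enables anything it disabled, typically SSLv3. The Python below is an added example, not IBM's code and not shipped with either product: it merges every existing definition (including values spread over backslash continuation lines), adds RC4 once, and writes a single line back at the position of the first definition. The sample file contents are constructed for the example.

```python
"""Add RC4 to jdk.tls.disabledAlgorithms in a java.security file without losing
what is already disabled. Added example for these bulletins; not IBM code."""
import re
from typing import List, Tuple

KEY = "jdk.tls.disabledAlgorithms"
_KEY_RE = re.compile(r"^\s*" + re.escape(KEY) + r"\s*[=:]")


def _logical_end(lines: List[str], start: int) -> int:
    """Index just past the last physical line of the property starting at `start`.
    In a Java properties file a trailing backslash continues the value on the next line."""
    end = start
    while end < len(lines) - 1 and lines[end].rstrip().endswith("\\"):
        end += 1
    return end + 1


def parse_disabled(text: str) -> Tuple[List[str], int]:
    """Return (algorithm names, number of definitions of KEY found).
    Every definition is merged, in order, without duplicates, because Java would
    otherwise keep only the last one."""
    lines = text.splitlines()
    names: List[str] = []
    definitions = 0
    i = 0
    while i < len(lines):
        if not _KEY_RE.match(lines[i]):
            i += 1
            continue
        end = _logical_end(lines, i)
        raw = " ".join(l.rstrip().rstrip("\\") for l in lines[i:end])
        value = re.split(r"\s*[=:]\s*", raw, maxsplit=1)[1]
        for name in value.split(","):
            name = name.strip()
            if name and name.upper() not in {n.upper() for n in names}:
                names.append(name)
        definitions += 1
        i = end
    return names, definitions


def disable_rc4(text: str) -> Tuple[str, List[str], int]:
    """Rewrite `text` so exactly one KEY line exists, containing RC4 plus every value
    that was already there. The line goes where the first definition was, or at the
    end if there was none. Returns (new_text, names, definitions_found). Running it
    on its own output changes nothing."""
    names, definitions = parse_disabled(text)
    if "RC4" not in {n.upper() for n in names}:
        names.append("RC4")
    new_line = f"{KEY}={', '.join(names)}"
    lines = text.splitlines()
    out: List[str] = []
    insert_at = None
    i = 0
    while i < len(lines):
        if _KEY_RE.match(lines[i]):
            if insert_at is None:
                insert_at = len(out)
            i = _logical_end(lines, i)      # skip every old definition
        else:
            out.append(lines[i])
            i += 1
    out.insert(len(out) if insert_at is None else insert_at, new_line)
    return "\n".join(out) + "\n", names, definitions


# Constructed sample: the single line the Rational Service Tester bulletin has you edit.
SAMPLE_RST = """\
# java.security fragment (constructed for this example, not a real file)
jdk.certpath.disabledAlgorithms=MD2
jdk.tls.disabledAlgorithms=SSLv3
"""

# Constructed sample: the Sterling instruction taken literally, a second definition
# appended at the end. Java would now see only "RC4" and SSLv3 would be back on.
SAMPLE_APPENDED = SAMPLE_RST + "jdk.tls.disabledAlgorithms=RC4\n"

# Constructed sample: a value split over a backslash continuation line.
SAMPLE_CONTINUED = "jdk.tls.disabledAlgorithms=SSLv3, \\\n    DH keySize < 768\n"

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    # Java properties files are ISO-8859-1 by specification.
    src = open(path, encoding="latin-1").read() if path else SAMPLE_APPENDED
    new_text, names, found = disable_rc4(src)
    print(f"{found} definition(s) merged into: {', '.join(names)}")
    sys.stdout.write(new_text)
```

Point it at the java.security under the jdk/jre/lib/security directory the bulletins name, run it on a copy, and diff before replacing the file; the JVM reads java.security once at startup, so the product has to be restarted afterwards. On SAMPLE_APPENDED it reports two definitions and collapses them to a single `jdk.tls.disabledAlgorithms=SSLv3, RC4`. Note also that the Sterling cipher-suite lists above still include TLS_RSA_WITH_DES_CBC_SHA (56-bit single DES); removing RC4 closes the Bar Mitzvah exposure but does not make that list strong.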
\n\n## ", "cvss3": {}, "published": "2018-06-16T19:43:48", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T19:43:48", "id": "9F29D9D10D3CEAA19A952AE9E38FD1337B38048AA1260F1780276A9D077CA74C", "href": "https://www.ibm.com/support/pages/node/261061", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:51:39", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Tealeaf Customer Experience.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tealeaf Customer Experience: v8.0-v9.0.1\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nIBM Tealeaf Customer Experience| 9.0.1A| PCA: [9.0.1A_IBMTealeaf_PCA-3724-4_SecurityRollup_FixPack](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1A_IBMTealeaf_PCA-3724-4_SecurityRollup_FixPack>) \nTealeaf CX: [9.0.1.5091_9.0.1A_IBMTealeaf_CXUpgrade_FixPack4](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1.5091_9.0.1A_IBMTealeaf_CXUpgrade_FixPack4>) \nIBM Tealeaf Customer Experience| 9.0.1| PCA: [9.0.1_IBMTealeaf_PCA-3673-4_SecurityRollup_FixPack](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1_IBMTealeaf_PCA-3673-4_SecurityRollup_FixPack>) \nTealeaf CX: [9.0.1.1097_IBMTealeaf_CXUpgrade_FixPack4](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1.1097_IBMTealeaf_CXUpgrade_FixPack4>) \nIBM Tealeaf Customer Experience| 9.0.0, 9.0.0A| You can contact the [_Technical Support_](<http://www.ibm.com/software/marketing-solutions/tealeaf/support>) team for guidance. \nIBM Tealeaf Customer Experience| 8.8| PCA: [8.8_IBMTealeaf_PCA-3625-4_SecurityRollup_FixPack](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.8_IBMTealeaf_PCA-3625-4_SecurityRollup_FixPack>) \nTealeaf CX: [8.8.0.9034_IBMTealeaf_CXUpgrade_FixPack8](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.8.0.9034_IBMTealeaf_CXUpgrade_FixPack8>) \nIBM Tealeaf Customer Experience| 8.7| PCA: [8.7_IBMTealeaf_PCA-3615-4_SecurityRollup_FixPack](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.7_IBMTealeaf_PCA-3615-4_SecurityRollup_FixPack>) \nTealeaf CX: [8.7.1.8830_IBMTealeaf_CXUpgrade_FixPack9](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.7.1.8830_IBMTealeaf_CXUpgrade_FixPack9>) \nIBM Tealeaf Customer Experience| 8.6 and earlier| You can contact the [_Technical Support_](<http://www.ibm.com/software/marketing-solutions/tealeaf/support>) team for guidance. \n \nFor v9.0.0, 9.0.0A, and versions before v8.7, IBM recommends upgrading to a later supported version of the product. \nYou should verify that applying these fixes does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nPCA: In addition to applying the fix pack above, you must update the /opt/tealeaf/etc/httpd.conf file by: \n\n * adding (or changing if already present) a line beginning \"SSLProtocol\" so that it reads\n`SSLProtocol All -SSLv2 -SSLv3`\n * changing the line beginning \u201cSSLCipherSuite\u201d by replacing the string \u201cRC4+RSA\u201d with \u201c!RC4\u201d so that it reads:\n`SSLCipherSuite ALL:!ADH:!EXP:!RC4:+HIGH:+MEDIUM` \n(In an OpenSSL cipher string, `!RC4` is the part of this line that removes RC4; `+HIGH:+MEDIUM` only moves the matching suites to the end of the preference list and excludes nothing.) \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-16T19:44:47", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tealeaf Customer Experience (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T19:44:47", "id": "C5EAD94AFB25C0B3AC1232FF6BD674F833897104B75A6BC23442F602C49C49F7", "href": "https://www.ibm.com/support/pages/node/264891", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:51:48", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects InfoSphere Replication Dashboard.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nVersions 11.3.3, 11.3, 10.2.1, 10.2, 10.1 and 9.7 of InfoSphere Data Replication Dashboard are affected.\n\n## Remediation/Fixes\n\nThe recommended solution is to upgrade the product to the latest version. InfoSphere Data Replication Dashboard supports only the latest version so customers must install the latest version. The vulnerability fixes require upgrading the product to version 11.3.3.0-b312 or higher. Download the latest version of InfoSphere Data Replication Dashboard from [_http://www-01.ibm.com/support/docview.wss?uid=swg24023065_](<http://www-01.ibm.com/support/docview.wss?uid=swg24023065>) \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n_For versions 11.3.3, 11.3, 10.2.1, 10.2, 10.1 and 9.7 IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone known.\n\n## ", "cvss3": {}, "published": "2018-06-16T14:14:55", "type": "ibm", "title": "Security Bulletin:Vulnerability in RC4 stream cipher affects InfoSphere Replication Dashboard (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T14:14:55", "id": "60433903B8499C4322427D70EA00197BECEA206FA41B1F1949C4E6DFBCD29E8C", "href": "https://www.ibm.com/support/pages/node/264295", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:51:50", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects OpenSSL. OpenSSL is used by IBM InfoSphere Master Data Management. IBM InfoSphere Master Data Management has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID: **[**_CVE-2015-2808_**](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION: **The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nThese vulnerabilities are known to affect the following offerings: \n \nIBM Initiate Master Data Service versions 8.1, 9.0, 9.2, 9.5, 9.7, 10.0, 10.1 (impacts _Master Data Engine_ component, [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Enterprise Integrator Toolkit_ component) \n \nIBM Initiate Master Data Service Patient Hub versions 9.5, 9.7 (impacts _Master Data Engine_ component, [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Enterprise Integrator Toolkit_ component) \n \nIBM Initiate Master Data Service Provider Hub versions 9.5, 9.7 (impacts _Master Data Engine_ component, [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Enterprise Integrator Toolkit_ component) \n \nIBM InfoSphere Master Data Management Patient Hub version 10.0 (impacts _Master Data Engine_ component, [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Enterprise Integrator Toolkit_ component) \n \nIBM InfoSphere Master Data Management Provider Hub version 10.0 (impacts _Master Data Engine_ component, [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Enterprise Integrator 
Toolkit_ component) \n \nIBM InfoSphere Master Data Management Standard/Advanced Edition version 11.0 (impacts [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and [_Enterprise Integrator Toolkit_](<http://pic.dhe.ibm.com/infocenter/initiate/v9r5/topic/com.ibm.release_notes.doc/topics/r_release_notes_GAenterprise_integrator_toolkit.html>) component) \n \nIBM InfoSphere Master Data Management Standard/Advanced Edition version 11.3 (impacts [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component) \n \nIBM InfoSphere Master Data Management Standard/Advanced Edition version 11.4 (impacts [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component)\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available. 
\n \n\n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nIBM Initiate Master Data Service | \n\n8.1\n\n| None| [8.1.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=8.1.042215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service | \n\n9.0\n\n| None| [9.0.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.0.042215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service | \n\n9.2\n\n| None| [9.2.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.2.042215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service | \n\n9.5\n\n| None| [9.5.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.5.042215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Patient Hub| \n\n9.5\n\n| None| [9.5.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=9.5.042215_IM_Initiate_Patient_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Provider Hub| \n\n9.5\n\n| None| 
[9.5.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=9.5.042215_IM_Initiate_Provider_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service | \n\n9.7\n\n| None| [9.7.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.7.042215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Patient Hub \n| \n\n9.7\n\n| None| [9.7.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=9.7.042215_IM_Initiate_Patient_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Provider Hub| \n\n9.7\n\n| None| [9.7.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=9.7.042215_IM_Initiate_Provider_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service| \n\n10.0\n\n| None| [10.0.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=10.0.042215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM InfoSphere Master Data Management Patient Hub | \n\n10.0\n\n| None| 
[10.0.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=10.0.042215_IM_Initiate_Patient_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM InfoSphere Master Data Management Provider Hub| \n\n10.0\n\n| None| [10.0.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=10.0.042215_IM_Initiate_Provider_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service| \n\n10.1\n\n| None| [10.1.042215](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=10.1.042215_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>)_ _ \nIBM InfoSphere Master Data Management Standard/Advanced Edition| \n\n11.0\n\n| None| [11.0-FP03](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/InfoSphere+Master+Data+Management&release=All&platform=All&function=fixId&fixids=11.0.0.3-MDM-SAE-FP03IF001&includeSupersedes=0&source=fc>) \nIBM InfoSphere Master Data Management Standard/Advanced Edition| \n\n11.3\n\n| None| [11.3-FP02](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Master+Data+Management&release=All&platform=All&function=fixId&fixids=11.3.0.2-MDM-SE-AE-FP02IF001&includeSupersedes=0&source=fc>) \nIBM InfoSphere Master Data Management Standard/Advanced Edition| \n\n11.4\n\n| None| 
[11.4-FP02](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Master+Data+Management&release=All&platform=All&function=fixId&fixids=11.4.0.2-MDM-SE-AE-FP02IF003&includeSupersedes=0&source=fc>) \n \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone known\n\n## ", "cvss3": {}, "published": "2018-06-16T14:01:24", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM InfoSphere Master Data Management (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T14:01:24", "id": "C50FF070A20ABD3F0B4EE852D4B83CD940072690A44147C24C79AA0ABFB03AA2", "href": "https://www.ibm.com/support/pages/node/261489", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:10", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM InfoSphere Optim Configuration Manager. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM InfoSphere Optim Configuration Manager for DB2 for Linux, UNIX, and Windows V2.1.0.0 through 3.1.0.1. \n \nIBM InfoSphere Optim Configuration Manager for DB2 for z/OS V2.1.0.0 through 3.1.0.1.\n\n## Remediation/Fixes\n\nV3.1.0.1\n\n| [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Optim+Configuration+Manager&release=3.1.0.1&platform=All&function=all>) (Interim Fix 002) or see Workarounds and Mitigations below. \n---|--- \nAll other versions| Replace JRE. For Linux platforms, visit [_http://www.ibm.com/developerworks/java/jdk/linux/download.html#java7_](<http://www.ibm.com/developerworks/java/jdk/linux/download.html>). For Windows platforms, contact IBM Technical Support. \n \n## Workarounds and Mitigations\n\nFor OCM versions 3.1.0.0 through 3.1.0.1, disable the RC4 cipher suite by adding \"RC4\" to the list of disabled algorithms defined by the jdk.tls.disabledAlgorithms security property in the java.security file. 
\nEdit the java.security file that is located in the InfoSphere Optim Configuration Manager installation directory: \n`/jre/lib/security/java.security` \n \nAdd the following line and save the file: \n`jdk.tls.disabledAlgorithms=RC4` \n \nIf the jdk.tls.disabledAlgorithms property was already enabled (without a \"#\" character at the beginning of the line), i.e.: \n`jdk.tls.disabledAlgorithms=SSLv3` \n \nthen append the text _\", RC4\"_ to the end of the line and save the file: \n`jdk.tls.disabledAlgorithms=SSLv3, RC4` \n \nRestart the OCM Web Console server for this change to take effect. \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {}, "published": "2018-06-16T13:10:37", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM InfoSphere Optim Configuration Manager (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T13:10:37", "id": "5C6CB5E656547D497007A49A5E3680CBE99483472C42C5C3AE5146EDBF1B33B1", "href": "https://www.ibm.com/support/pages/node/261309", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": 
"2023-02-21T01:52:11", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects DB2 QMF for Workstation. The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n * DB2 QMF Enterprise Edition Version 11 Release 1, Fix Pack 3 (and earlier)\n * DB2 QMF for z/OS Version 11 Release 1, Fix Pack 3 (and earlier)\n * DB2 QMF Enterprise Edition Version 10 Release 1, Fix Pack 11 (and earlier)\n\n## Remediation/Fixes\n\n * DB2 QMF Enterprise Edition Version 11 Release 1: install [QMF for Workstation 11.1 in Fix Pack 4](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2+Query+Management+Facility&release=11.1&platform=All&function=all>)\n * DB2 QMF for z/OS Version 11 Release 1: install [QMF for Workstation 11.1 in Fix Pack 4](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2+Query+Management+Facility+for+zOS&release=11.1&platform=All&function=all>)\n * DB2 QMF Enterprise Edition Version 10 Release 1: install [Java 6.0 SR16FP3 fix available via IBM Fix 
Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2+Query+Management+Facility&release=10.1&platform=All&function=all>)\n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\n**Important note: **IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n## ", "cvss3": {}, "published": "2018-06-16T13:10:46", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM DB2 QMF for Workstation (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T13:10:46", "id": "DD49A4D17E29892B785C0596CC5E99EDAA08E558250D3C37FE18E57E25F3C129", "href": "https://www.ibm.com/support/pages/node/262051", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:11", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM DB2 LUW.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)\n\n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects two components of DB2: DB2 Advanced Copy Services and SSL client configuration using the DB2 LDAP security plug-in. \n \n**_For DB2 Advanced Copy Services_** \nIBM DB2 Advanced Copy Services included in IBM DB2 and DB2 Connect V10.1 and V10.5 editions listed below and running on AIX and Linux are affected. \n \nIBM DB2 Express Edition \nIBM DB2 Workgroup Server Edition \nIBM DB2 Enterprise Server Edition \nIBM DB2 Connect\u2122 Application Server Edition \nIBM DB2 Connect Application Server Advanced Edition \nIBM DB2 Connect Enterprise Edition \nIBM DB2 Connect Unlimited Edition for System i\u00ae \nIBM DB2 Connect Unlimited Edition for System z\u00ae \nIBM DB2 Connect Unlimited Advanced Edition for System z \nIBM DB2 10.1 pureScale Feature \nIBM DB2 10.5 Advanced Enterprise Server Edition \nIBM DB2 10.5 Advanced Workgroup Server Edition \nIBM DB2 10.5 Developer Edition for Linux, Unix and Windows \n \nNOTE: The DB2 Connect products mentioned are affected only if a local database has been created. \n \nOnly users of DB2 Advanced Copy Services (snapshot backup) are affected by this vulnerability. IBM DB2 includes a restricted version of IBM Tivoli Flash Copy Manager, i.e. FCM v3.2 and v4.1, and both versions are affected by this vulnerability. IBM DB2 Advanced Copy Services in conjunction with IBM Tivoli FCM 3.2 or 4.1, on all current fix packs of IBM DB2 V10.1 and V10.5, are affected. AIX installations of DB2 may have this package installed by default, though it may not be in use on the system. 
\n \n \n**_For SSL client configuration using the DB2 LDAP security plug-in_** \nCustomers who have Secure Sockets Layer (SSL) support enabled in their client configuration using the DB2-provided LDAP security plug-in to communicate with an LDAP server are affected. SSL support is not enabled in the LDAP security plug-in by default. \n \nAll fix pack levels of IBM DB2 V9.7, V10.1 and V10.5 editions listed below and running on AIX, Linux, HP, Solaris or Windows are affected. \n \nIBM\u00ae DB2\u00ae Express Edition \nIBM\u00ae DB2\u00ae Workgroup Server Edition \nIBM\u00ae DB2\u00ae Enterprise Server Edition \nIBM\u00ae DB2\u00ae Advanced Enterprise Server Edition \nIBM\u00ae DB2\u00ae Advanced Workgroup Server Edition \nIBM\u00ae DB2\u00ae Connect\u2122 Application Server Edition \nIBM\u00ae DB2\u00ae Connect\u2122 Enterprise Edition \nIBM\u00ae DB2\u00ae Connect\u2122 Unlimited Edition for System i\u00ae \nIBM\u00ae DB2\u00ae Connect\u2122 Unlimited Edition for System z\u00ae \n \nIBM\u00ae DB2\u00ae pureScale\u2122 Feature for Enterprise Server Edition, V9.8, running on AIX or Linux is affected. \n \nThe IBM data server client and driver types are as follows: \n \nIBM Data Server Driver Package \nIBM Data Server Driver for ODBC and CLI \nIBM Data Server Runtime Client \nIBM Data Server Client \n\n## Remediation/Fixes\n\nThe recommended solution is to apply the appropriate fix for this vulnerability. \n \n**FIX:** \n \n**_For SSL client configuration using the DB2 LDAP security plug-in_** \nThe fix for DB2 and DB2 Connect release V9.7 is in FP11, V10.1 is in V10.1 FP5 and V10.5 is in V10.5 FP6, available for download from Fix Central. \n \nCustomers running any vulnerable fix pack level of an affected program, V9.8, can contact support to obtain a special build containing an interim fix for this issue. These special builds are available based on the most recent fix pack level for each impacted release: DB2 V9.8 FP5. 
They can be applied to any affected fix pack level of the appropriate release to remediate this vulnerability. \n \nRefer to the following chart to determine how to proceed to obtain a needed fix pack or special build. \n\n**Release**| **Fixed in fix pack**| **APAR**| **Download URL** \n---|---|---|--- \nV9.7 | FP11| [IT08534](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT08534>)| <http://www-01.ibm.com/support/docview.wss?uid=swg24040935> \nV9.8| TBD| [IT08535](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT08535>)| Please contact technical support. \nV10.1| FP5| [IT08536](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT08536>)| <http://www-01.ibm.com/support/docview.wss?uid=swg24040170> \nV10.5 | FP6| [IT08537](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT08537>)| <http://www-01.ibm.com/support/docview.wss?uid=swg24040522> \n \n \n \n**_For DB2 Advanced Copy Services_** \nThe fix for DB2 and DB2 Connect release V10.1 is in V10.1 FP6 and V10.5 is in V10.5 FP7, available for download from Fix Central. \n \nRefer to the following chart to determine how to proceed to obtain a needed fix pack.\n\n**Release**| **Fixed in fix pack**| **APAR**| **Download URL** \n---|---|---|--- \nV10.1| FP6| [IT10083](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT10083>)| <http://www-01.ibm.com/support/docview.wss?uid=swg24043366> \nV10.5 | FP7| [IT09969](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT09969>)| <http://www-01.ibm.com/support/docview.wss?uid=swg24041243> \n \n \n \n**Contact Technical Support:**\n\nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [_contacts for other countries_](<http://www.ibm.com/planetwide/>) outside of the United States. \nElectronically [_open a Service Request_](<http://www.ibm.com/software/data/db2/support/db2_9/probsub.html>) with DB2 Technical Support. 
\n\n**_Note:_**_ IBM\u2019s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM\u2019s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion_\n\n## Workarounds and Mitigations\n\nFor V9.8 customers, this problem can be mitigated by setting the environment variable LDAP_OPT_SSL_FIPS_PROCCESSING_MODE. \n\nMitigation instructions:\n\nCustomers should set the environment variable LDAP_OPT_SSL_FIPS_PROCCESSING_MODE on each DB2 server instance as follows:\n\n \n \nOn Linux/UNIX: \n\n1) As the DB2 instance owner, add the following line to the userprofile file that is located under the sqllib directory:\n\nexport LDAP_OPT_SSL_FIPS_PROCCESSING_MODE=ON \n\n2) As a user with DB2 SYSADM privilege, run the following commands:\n\ndb2set DB2ENVLIST=LDAP_OPT_SSL_FIPS_PROCCESSING_MODE \n\ndb2stop \ndb2start \n\nThe commands above assume that DB2ENVLIST registry variable is not set. If it is set, the environment variable names need to be delimited with a space. For example, if DB2ENVLIST is already set to SOME_ENV, it needs to be set as follows: \n\ndb2set DB2ENVLIST=\"SOME_ENV LDAP_OPT_SSL_FIPS_PROCCESSING_MODE\" \n\nOn Windows:\n\nSet the LDAP_OPT_SSL_FIPS_PROCCESSING_MODE environment variable at system level. 
You will need to restart the DB2 server for the environment variables to be picked up by DB2.\n\nVariable name: LDAP_OPT_SSL_FIPS_PROCCESSING_MODE\n\nVariable value: ON\n\nFor V9.7, V10.1 and V10.5 customers, this problem can be mitigated by enabling FIPS mode in the LDAP security plug-in.\n\nCustomers with the fix pack level of V9.7 FP9, V10.1 FP4, V10.5 GA or higher should follow the instructions below to mitigate the problem. \n\nCustomers with fix pack level of V9.7 FP8 or lower, V10.1 FP3 or lower should upgrade to the latest fix pack. Then follow the instructions below to mitigate the problem. \n\nMitigation instructions:\n\nCustomers should enable FIPS mode in the LDAP security plug-in as follows: \n\n1\\. As the DB2 instance owner, open the LDAP security plug-in configuration file. \n\n \nThe default name and location for the IBM LDAP security plug-in configuration file is: \n\n * On UNIX: INSTHOME/sqllib/cfg/IBMLDAPSecurity.ini\n * On Windows: %DB2PATH%\\cfg\\IBMLDAPSecurity.ini\n * Optionally, it could reside in the location defined by the DB2LDAPSecurityConfig environment variable \n \n2\\. Search for the FIPS_MODE configuration parameter in the file and change its value to true. Save and close the file. \n\n\n; FIPS_MODE \n; To set SSL encryption FIPS mode on or off. \n; Optional; Valid values are true (on) and false (off). Defaults to \n; false (FIPS mode off). 
\nFIPS_MODE = true\n\n## ", "cvss3": {}, "published": "2018-06-16T13:10:36", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM\u00ae DB2\u00ae LUW (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-16T13:10:36", "id": "828CEE31F09B334B60050E591715660F3CB7633A618A4B90104085CB0D591C5F", "href": "https://www.ibm.com/support/pages/node/261211", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T01:35:31", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah Attack\" for SSL/TLS affects IBM Content Collector and IBM CommonStore for Lotus Domino.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Content Collector 2.1 - 4.0.1 \nIBM CommonStore for Lotus Domino 8.4\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nIBM Content Collector| 2.1.0 - 2.1.1| \n\n 1. Apply Interim Fix [4.0.1.0-IBM-ICC-IF002](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Collector&release=4.0.1.0&platform=ALL&function=fixId&fixids=4.0.1.0-IBM-ICC-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc>), available from Fix Central \n 2. Follow the guidance in [Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for IBM WebSphere Application Server 6.1 \nIBM Content Collector| 2.2.0| \n\n 1. Apply Interim Fix [4.0.1.0-IBM-ICC-IF002](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Collector&release=4.0.1.0&platform=ALL&function=fixId&fixids=4.0.1.0-IBM-ICC-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc>), available from Fix Central.\n 2. Follow the guidance in [Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for IBM WebSphere Application Server 7.0.0.35. \nIBM Content Collector \non Windows 32-bit operating system| 3.0.0 - 4.0.1| \n\n 1. 
Apply Interim Fix [4.0.1.0-IBM-ICC-IF002](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Collector&release=4.0.1.0&platform=ALL&function=fixId&fixids=4.0.1.0-IBM-ICC-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc>), available from Fix Central. \n 2. Review the instructions in Interim Fix [4.0.1.0-IBM-ICC-IF003](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Collector&release=4.0.1.0&platform=ALL&function=fixId&fixids=4.0.1.0-IBM-ICC-IF003&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc>), available from Fix Central.\n 3. Follow the guidance in [Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for IBM WebSphere Application Server 8.0. \nIBM Content Collector \non Windows 64-bit operating system| 3.0.0 - 4.0.1| \n\n 1. Apply Interim Fix [4.0.1.0-IBM-ICC-IF002](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Collector&release=4.0.1.0&platform=ALL&function=fixId&fixids=4.0.1.0-IBM-ICC-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc>), available from Fix Central.\n 2. Apply Interim Fix [4.0.1.0-IBM-ICC-IF003](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Collector&release=4.0.1.0&platform=ALL&function=fixId&fixids=4.0.1.0-IBM-ICC-IF003&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc>), available from Fix Central. \n 3. 
Follow the guidance in [Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for IBM WebSphere Application Server 8.0.0.10. \nCommonStore for Lotus Domino| 8.4.0| Apply Interim Fix [4.0.1.0-IBM-ICC-IF002](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Collector&release=4.0.1.0&platform=ALL&function=fixId&fixids=4.0.1.0-IBM-ICC-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc>), available from Fix Central. \nNo further update is required. \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nUse WebSphere Application Server admin console to disable RC4 stream cipher. \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T12:10:52", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Content Collector and IBM CommonStore for Lotus Domino (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T12:10:52", "id": "5DAD5B9396433170501637E95257F97D5776D387EED9E3BF7C74C6D1E21EFE7A", "href": "https://www.ibm.com/support/pages/node/261749", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-18T05:32:37", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the IBM\u00ae FlashSystem\u2122 840 and IBM FlashSystem 900. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n_FlashSystem 840 including machine type and models (MTMs) for all available code levels._ MTMs affected include 9840-AE1 and 9843-AE1. \n \n_FlashSystem 900 including machine type and models (MTMs) for all available code levels._ MTMs affected include 9840-AE2 and 9843-AE2.\n\n## Remediation/Fixes\n\n_FS840 & FS900 MTMs_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**FlashSystem ****840 MTM: ** \n9840-AE1 & \n9843-AE1 \n \n**FlashSystem 900 MTMs:** \n9840-AE2 & \n9843-AE2| _A code fix is now available, the VRMF of this code level is 1.3.0.2 (or later)_| _ __N/A_| _No workarounds or mitigations, other than applying this code fix, are known for this vulnerability_ \n \n \n1.3.0.2 is available @ IBM\u2019s Fix Central **: **[**_840 fixes, download 1.3.0.2 or later_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+840&release=All&platform=All&function=all>)* \n1.3.0.2 is available @ IBM\u2019s Fix Central **: **[**_900 fixes, download 1.3.0.2 or later_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+900&release=All&platform=All&function=all>)* \n \n* This vulnerability had been previously fixed on the FlashSystem 840 and 900 for other ports, but was reintroduced in the code level 1.2.1.4 on the port opened to allow REST API control. FlashSystem 840 and 900 systems running code levels prior to 1.3.0.2, but at 1.2.1.4 or 1.2.1.7, only have this vulnerability on the port used exclusively by the REST API. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2023-02-18T01:45:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects the IBM FlashSystem models 840 and 900 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2023-02-18T01:45:50", "id": "841D0CB097E1653079714F29531E9C840670446443922EED9128DC8B2ED3041D", "href": "https://www.ibm.com/support/pages/node/690653", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-12T17:34:50", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM XIV Storage System Gen2.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM XIV Storage System Gen2\n\n## Remediation/Fixes\n\nUpgrade to release 10.2.4.e-8 to address this issue. \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nDisabling the RC4 cipher on XIV Management Tools and on the third-party CIM client (if used) is a workaround for this issue, as it ensures that the RC4 cipher will not be used to encrypt the management traffic. \n\nTo disable RC4 on XIV Management Tools:\n\n \n\u00b7 For the IBM XIV XCLI and XIV GUI, edit the file <install-dir>\\jre\\lib\\security\\java.security: change the last line to \"jdk.tls.disabledAlgorithms=SSLv3, RC4\". After editing, restart the application. \n\n\u00b7 For the IBM Hyper-Scale Manager, edit the file $JAVA_IBM_HOME/lib/security/java.security, where JAVA_IBM_HOME is by default /home/msms/hyperscale/jre, and change the last line to \"jdk.tls.disabledAlgorithms=SSLv3, RC4\". After editing, restart the application.\n\nTo disable RC4 on your CIM client, please contact your CIM client vendor for information.\n\n \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:29", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM XIV Storage System Gen2 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:29", "id": "C824A399132BA4F794A2EAFF2643D32EF244870C5BCC3C4B0108B1DBF82FDB50", "href": "https://www.ibm.com/support/pages/node/690453", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-12T17:34:51", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Real-time Compression Appliance \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".CVSS Base Score: 5CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nReal-time Compression Appliance releases: V4.1, V3.9 and V3.8\n\n## Remediation/Fixes\n\nReal-time Compression Appliance 4.1.2.11 \nReal-time Compression Appliance 3.9.1.12 \nReal-time Compression Appliance 3.8.0.11 \n\n\nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nN/A\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:28", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Real-time Compression Appliance (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:28", "id": "5B548D29ED850BC7891B2ACCCA87A8C9D303BA759C5E2FF9BB6EFAB9E636812B", "href": "https://www.ibm.com/support/pages/node/690447", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T05:38:00", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Storwize V7000 Unified.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n\n\n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Storwize V7000 Unified \n \nAll products are affected when running code releases 1.3, 1.4 and 1.5 except for version 1.5.2.0 and above.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM Storwize V7000 Unified to the following code level or higher: \n \n1.5.2.0_ \n__ \n_[_Latest Storwize V7000 Unified Software_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003918&myns=s028&mynp=OCST5Q4U&mync=E>) \n \nAfter the upgrade has completed, please run one of the following commands ... \n\n\nchsecurity -sslprotocol 2 \nchsecurity -sslprotocol 3 \n[IBM Storwize V7000 Unified Knowledge Center - chsecurity command](<http://www-01.ibm.com/support/knowledgecenter/ST5Q4U_1.5.1/com.ibm.storwize.v7000.unified.151.doc/manpages/chsecurity.html>) \n \nThe requirement to run chsecurity will be removed in a future PTF. 
\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:27", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Storwize V7000 Unified (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:27", "id": "F3B24C6A2F5F6D4782E7CC3F5BA84FC18C519163A25D2A0F35B7925FEF6330A7", "href": "https://www.ibm.com/support/pages/node/690427", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-18T05:32:38", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the IBM FlashSystem 840.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**IBM FlashSystem 840:** \nMachine Type 9840, model -AE1 (all supported releases) \nMachine Type 9843, model -AE1 (all supported releases) \n \n**IBM FlashSystem V840:** \nMachine Type 9846, model -AE1 (all supported releases) \nMachine Type 9848, model -AE1 (all supported releases) \n \nAll available code levels.\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nFlashSystem 840 MTMs: \n\n9840-AE1,\n\n9843-AE1\n\n9840 MTMs:\n\n9846-AE1 &\n\n9849-AE1\n\n| A code fix is now available. The VRMF of this code level is 1.1.3.8 (or later). | None| This vulnerability has been remediated in firmware version 1.1.3.8. \n \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables any use of the RC4 stream cipher when interfacing to the IBM FlashSystem 840 -- and does not allow it to be re-enabled. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n_For firmware versions released earlier than 1.1.3.8, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n[_Link to FlashSystem 840 fixes_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash+high+availability+systems&product=ibm/StorageSoftware/IBM+FlashSystem+840&release=All&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {}, "published": "2023-02-18T01:45:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM FlashSystem 840 and IBM FlashSystem V840, -AE1 models. (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2023-02-18T01:45:50", "id": "43F0A1B7986C0AB4856F01F94CC6067E50D8A4D21DD4348CAAC5EC2DBD5A3562", "href": "https://www.ibm.com/support/pages/node/690441", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T05:38:01", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM XIV Management Tools.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as 
used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM XIV Management Tools, all releases up to and including 4.5\n\n## Remediation/Fixes\n\nSee \u201cWorkarounds and Mitigations\u201d below.\n\n## Workarounds and Mitigations\n\nFor the IBM XIV XCLI and XIV GUI, edit the file <install-dir>\\jre\\lib\\security\\java.security: change the last line to \"jdk.tls.disabledAlgorithms=SSLv3, RC4\". After editing and saving, restart the application. \n\nFor the IBM Hyper-Scale Manager, edit the file $JAVA_IBM_HOME/lib/security/java.security, where JAVA_IBM_HOME is by default /home/msms/hyperscale/jre, and change the last line to \"jdk.tls.disabledAlgorithms=SSLv3, RC4\". After editing and saving, restart the application.\n\nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. \n\n \nIBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:27", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM XIV Management Tools (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:27", "id": "DCD5521B6EFA5BEBCDC29ECEF4477480540B720142644060148CBDF94F0707BD", "href": "https://www.ibm.com/support/pages/node/690431", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T05:38:02", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM SAN Volume Controller and Storwize Family\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)\n\n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. 
This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \n \nAll products are affected when running code releases 1.1 to 7.4.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code level or higher: \n \n7.3.0.10 \n7.4.0.4 \n \n[_Latest SAN Volume Controller Code_](<http://www-01.ibm.com/support/docview.wss?rs=591&uid=ssg1S1001707>) \n[_Latest Storwize V7000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003705>) \n[_Latest Storwize V5000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004336>) \n[_Latest Storwize V3700 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004172>) \n[_Latest Storwize V3500 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004171>)\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:27", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM SAN Volume Controller and Storwize Family (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:27", "id": "E0EEC718E264F9F31B64117E5961FA40938A5D5DBBEFFE6D0ED5DEB15CB03713", "href": "https://www.ibm.com/support/pages/node/690433", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T09:36:48", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the IBM Virtualization Engine TS7700\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nAll versions of microcode for the IBM Virtualization Engine TS7700 (3957-V06, 3957-V07, 3957-VEA, 3957-VEB) prior to release R2.1 are affected. 
In addition, microcode versions of releases R2.1, R3.0, R3.1 and R3.2 prior to and including the following are also affected: \n\n**Release**\n\n| **Version** \n---|--- \nR3.2| 8.32.0.88 \nR3.1| 8.31.0.92 \nR3.0| 8.30.3.4 \nR2.1| 8.21.0.178 \n \n## Remediation/Fixes\n\nContact IBM Service at 1-800-IBM-SERV to arrange an upgrade to the latest microcode level followed by the installation of vtd_exec.202 as shown below: \n\n**Release**\n\n| **Fix** \n---|--- \nR3.2| 8.32.0.88 + vtd_exec.202 v1.5 or higher \nR3.1| 8.31.0.92 + vtd_exec.202 v1.5 or higher \nR3.0| 8.30.3.4 + vtd_exec.202 v1.5 or higher \nR2.1| 8.21.0.178 + vtd_exec.202 v1.5 or higher \nOlder Releases| 8.21.0.178 + vtd_exec.202 v1.5 or higher \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you upgrade to the fixes identified above, you can mitigate, but not eliminate the risk of these vulnerabilities by restricting physical and network access to the TS7700 to authorized users and IBM Service Personnel only.\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:26", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects the IBM Virtualization Engine TS7700 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:26", "id": "D251C18E418F3C48A2F3DB4C75C6216C77221717BBC528E99A14B09C8EC30557", "href": "https://www.ibm.com/support/pages/node/690399", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:42:47", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the IBM WebSphere Application Server Version 7 that is shipped with IBM Tivoli Netcool Configuration Manager.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n\u00b7 Affected releases/versions/platforms: 6.2.x, 6.3.0.5 and earlier, 6.4.1.1 and earlier. \n\n\u00b7 Releases/systems/configurations NOT affected: None\n\n## Remediation/Fixes\n\nProduct version\n\n| Fix Date | Notes \n---|---|--- \n6.4.1.x | 19\\. March 2015 | [_6.4.1-TIV-ITNCM-LINUX-FP002 _](<http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&fixids=6.4.1-TIV-ITNCM-LINUX-FP002&source=dbluesearch&function=fixId&parent=ibm/Tivoli>)available from fix central. \n6.4.0.x | 19\\. March 2015 | 6.4.0.3 is remediated by 6.4.1.2. ITNCM is merging the streams so it is advised that customers upgrade to 6.4.1.2 [_6.4.1-TIV-ITNCM-LINUX-FP002_](<http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&fixids=6.4.1-TIV-ITNCM-LINUX-FP002&source=dbluesearch&function=fixId&parent=ibm/Tivoli>) available from fix central. \n6.3.x | 29\\. January 2015 | [_6.3.0.6-TIV-ITNCM-IF001_](<http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&fixids=6.3.0.6-TIV-ITNCM-IF001&source=dbluesearch&function=fixId&parent=ibm/Tivoli>) Available from fix central. \n6.2.x | None | Please contact support. \n \nYou should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. 
If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n_For__ __6.2.x IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2019-12-20T16:10:00", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli Netcool Configuration Manager (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-12-20T16:10:00", "id": "691AE2D8DCA4C73C9A3FFA0474C3B49E463B29A44AB89B7A0390AF00A0C6B8D6", "href": "https://www.ibm.com/support/pages/node/714343", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:44:49", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the IBM FlashSystem 900.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM FlashSystem 900 including machine type and models (MTMs) for all available code levels. MTMs affected include 9843-AE2 and 9840-AE2.\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nFlashSystem 900 MTMs: \n\n9840-AE2\n\n9843-AE2\n\n| The VRMF of the present code level is 1.2.0.11, and while RC4 is enabled by default, it supports the workaround described below. A code fix which disables RC4 as a default is being developed, but is not presently available. | None | \n\nThis issue is fixed in 1.2.1.8 firmware.\n\nThe only way to address this vulnerability in older firmware is by use of the workaround described in the following section. \n \n \nIBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n_IBM recommends upgrading to a fixed, supported version/release/platform of the product as soon as it is available. _\n\n_**This vulnerability is first fixed in 1.2.1.8.**_\n\n## Workarounds and Mitigations\n\nThe default security_level setting of the SSL protocol is 1, and RC4 is enabled when the security_level is at this default value of 1. 
But the user can increase the security level of the SSL protocol from 1 to either 2 or 3 by issuing the following command from the CLI, replacing words in italics with actual values:\n\nsvctask chsecurity \u2013sslprotocol _security_level_\n\n \nTo view the security level, issue svcinfo lssecurity \n \nHere is what the security level settings mean: \n\u00b7 1 disallows SSL 3.0 \n\u00b7 2 allows TLS 1.2 only \n\u00b7 3 additionally disallows TLS 1.2 cipher suites that are not exclusive to 1.2 \n \nAt whatever security level you choose to operate, you should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take any necessary precautions.\n\n## ", "cvss3": {}, "published": "2019-01-03T20:50:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM FlashSystem 900 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-03T20:50:01", "id": "D706DF72021A516F2E16751F556C146ECBCF213599825F1415A61FFD8BAA8B47", "href": "https://www.ibm.com/support/pages/node/690449", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:36:38", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d attack for SSL/TLS affects IBM 
WebSphere Application Server that is used by WebSphere Business Services Fabric.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\n * WebSphere Business Services Fabric V7.0\nFor earlier unsupported versions of the above product IBM recommends upgrading to a fixed, supported version of the product. \n\n## Remediation/Fixes\n\nPlease consult the security bulletin [_Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) for vulnerability details and information about fixes. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-08-19T18:23:31", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Business Services Fabric (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2022-08-19T18:23:31", "id": "9223C1D4ABBCFCCC426E70B9F49CD6B2A43D414CB21474CCF14E89551EAAB1A3", "href": "https://www.ibm.com/support/pages/node/261479", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T09:36:48", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects TS2900. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nFirmware versions below 0037.\n\n## Remediation/Fixes\n\nUpdate firmware version to 0037 or later. \n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:26", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects TS2900 (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-18T00:09:26", "id": "E083AEF7E32576EE35EBC792C463859DEE8AF7CE4CA6E690788B1FFF379F7957", "href": "https://www.ibm.com/support/pages/node/690403", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:57", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects Jazz Team Server and Cognos Business Intelligence (Cognos 
BI) shipped with Rational Insight.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product(s) and Version(s) \n---|--- \nRational Insight 1.1, 1.1.1, 1.1.1.1 and 1.1.1.2| Cognos BI 10.1.1 \nRational Insight 1.1.1.3| Cognos BI 10.2.1 \nRational Insight 1.1.1.4, 1.1.1.5 and 1.1.1.6| Cognos BI 10.2.1 Fix pack 2 \nJazz Team Server 5.0, 5.0.1 and 5.0.2 \nRational Insight 1.1.1.7| Cognos BI 10.2.1 Fix pack 2 \nJazz Team Server 6.0 \n \n## Remediation/Fixes\n\nApply the recommended fixes to all affected versions of Rational Insight. \n \n**Rational Insight 1.1 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 13 (Implemented by file 10.1.6305.506)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040116>). 
\nReview technote [1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg21679272>) for detailed instructions.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 13 (Implemented by file 10.1.6305.506)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040116>). \nRead technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.3 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 11 (Implemented by file 10.2..5000.1156)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040114>) \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.4 and 1.1.1.5 and 1.1.1.6 and 1.1.1.7 ** \n \n\n\n 1. If the Data Collection Component or Jazz Reporting Service are used, perform this step first. \nReview the topics in <http://www-01.ibm.com/support/docview.wss?uid=swg21715543> for addressing the listed vulnerabilities in their underlying Jazz Team Server. \n\n 2. If the Cognos-based reporting server is used, also perform this step. 
\nDownload the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 10 (Implemented by file 10.2.5007.509)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040114>) \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n 3. \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nPlease consult the security bulletins <http://www-01.ibm.com/support/docview.wss?uid=swg21715543> (Jazz Team Server) and <http://www-01.ibm.com/support/docview.wss?uid=swg21715530> (Cognos BI) for vulnerability details and information about fixes. \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:45", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Insight (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2018-06-17T05:01:45", "id": "2287B7930359AFE1373993C3806D5B58E0203D7B34173EF0EFB1D583985E57C6", "href": "https://www.ibm.com/support/pages/node/261253", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:42:54", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to obtain sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nReleases 6.1, 7.1 and 7.2 of IBM i are affected. \n\n## Remediation/Fixes\n\nThe issue can be fixed by applying PTFs to IBM i and following the remediation plan below. NOTE: Please read this entire section for the list of PTF numbers for IBM i: \n \nPlease review this document for IBM i remediation steps: [_http://www.ibm.com/support/docview.wss?uid=nas8N1020681_](<http://www.ibm.com/support/docview.wss?uid=nas8N1020681>) \n \nReleases 6.1, 7.1 and 7.2 of IBM i are supported and will be fixed. \n \nThe IBM i PTF numbers are: \n \n**_IBM i OS and options:_**\n\n**Release 6.1 \u2013 **SI56418\n\n \n**Release 7.1 \u2013 ** SI56419 \n**Release 7.2 \u2013 **SI56643 \n \n**_IBM i Java:_** \n \nJava for IBM i: 5761-JV1 & 5770-JV1 \n \nFor details on Java for IBM i, see the details on the Java for IBM i page on developerWorks: \n[_http://www.ibm.com/developerworks/ibmi/techupdates/java_](<http://www.ibm.com/developerworks/ibmi/techupdates/java>) \n \nThe IBM i Group PTF numbers for Java are: \n**Release 6.1 \u2013 SF99562 level 32** \n**Release 7.1 \u2013 SF99572 level 21** \n**Release 7.2 \u2013 SF99716 level 6** \n \n**_Important note: _**_IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of affected products._\n\n## Workarounds and Mitigations\n\nN/A\n\n## ", "cvss3": {}, "published": "2019-12-18T14:26:38", "type": "ibm", "title": "Security Bulletin: RC4 Bar Mitzvah Attack for SSL/TLS (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2019-12-18T14:26:38", "id": "9FBC8617200CF2B7AF16E266B4914ADB80990BED0550F197A87E06B5ED476D36", "href": "https://www.ibm.com/support/pages/node/666237", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:51:57", "description": "## Summary\n\nThe RC4 Bar Mitzvah Attack for SSL/TLS affects Tivoli Application Dependency Discovery Manager, IBM Tivoli Monitoring, and IBM Systems Director which are shipped as components of IBM System Director Editions. Information about the security vulnerability affecting these components has been published in the security bulletin.\n\n## Vulnerability Details\n\n## Summary\n\nThe RC4 Bar Mitzvah Attack for SSL/TLS affects Tivoli Application Dependency Discovery Manager, IBM Tivoli Monitoring, and IBM Systems Director which are shipped as components of IBM System Director Editions. 
Information about the security vulnerability affecting these components has been published in the security bulletin.\n\n**Vulnerability Details:**\n\nPlease consult the security bulletins listed below for the vulnerability details of the affected products.\n\n## Affected products and versions\n\nAffected Product and Version(s) | Product and Version shipped as a component | Security Bulletin \n---|---|--- \nIBM System Director Editions 6.2.0.0 | Tivoli Application Dependency Discovery Manager v7.2 | <http://www-01.ibm.com/support/docview.wss?uid=swg21882717> \nIBM System Director Editions 6.2.0.0 | IBM System Director 6.2.0.0 | \nIBM System Director Editions 6.2.1.0 | IBM Tivoli Monitoring 6.2.2 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21883223> \nIBM System Director Editions 6.2.1.0 | Tivoli Application Dependency Discovery Manager v7.2 | <http://www-01.ibm.com/support/docview.wss?uid=swg21882717> \nIBM System Director Editions 6.2.1.0 | IBM System Director 6.2.1.0 | \nIBM System Director Editions 6.3.0.0 | IBM Tivoli Monitoring 6.2.3 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21883223> \nIBM System Director Editions 6.3.0.0 | Tivoli Application Dependency Discovery Manager v7.2.1 | <http://www-01.ibm.com/support/docview.wss?uid=swg21882717> \nIBM System Director Editions 6.3.0.0 | IBM Systems Director 6.3.0.0 | \nIBM System Director Editions 6.3.2.0 | IBM Tivoli Monitoring 6.3 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21883223> \nIBM System Director Editions 6.3.2.0 | IBM Systems Director 6.3.2.0 | \n \n## References:\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) 
\n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n22 July 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T02:10:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Systems Director Editions (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-2808"], "modified": "2019-01-31T02:10:01", "id": "981AEA2811A325CF121DD605BCE212CD99B839C759F94EA338AF2AF04BCB92B2", "href": "https://www.ibm.com/support/pages/node/867612", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:37:15", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM DataPower Gateway Appliances.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)\n\n \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nAll DataPower products and versions that are configured to perform SSL/TLS transactions.\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nDisable RC4 ciphers in DataPower configuration referring to the steps below. \n \nFirst make sure to Quiesce all domains and services to stop traffic to the appliance. System quiesce and unquiesce commands can be invoked by navigating to Administration --> Main --> System Control. \n \nNext, select Objects --> Crypto Configuration --> Crypto Profile in the left navigation pane. For all the crypto profile objects that are configured, in the \"Configure Crypto Profile\" page, \"Ciphers\" parameter, suffix the existing string with a value \":!RC4\". Click Apply. \n \nFor example, if you have a default configuration, the updates will appear as below: \nDefault cipher string: HIGH:MEDIUM:!aNULL:!eNULL:@STRENGTH \nRC4 disabled cipher string: HIGH:MEDIUM:!aNULL:!eNULL:@STRENGTH**:!RC4** \n \nNote that RC4 must be disabled in all the Crypto Profile objects configured in all the domains. \n \nTo disable RC4 in Web Management and XML Management interfaces, refer to [_Disable RC4 in DataPower Web management and XML management services_](<http://www-01.ibm.com/support/docview.wss?uid=swg21712036>). 
\n\nIf you have configured WebSphere JMS or Tibco EMS objects, refer to [_Disable RC4 in DataPower WebSphere Java Message Service (JMS)._](<http://www-01.ibm.com/support/docview.wss?uid=swg21717540>)\n\nIf you have configured WebSphere MQ objects, refer to [_Disable RC4 in DataPower MQ Queue Manager objects._](<http://www-01.ibm.com/support/docview.wss?uid=swg21713632>)\n\n \n \nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {}, "published": "2021-06-08T22:18:27", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM DataPower Gateway Appliances (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2808"], "modified": "2021-06-08T22:18:27", "id": "18446F3D4547367B41578EB59FDF2A44E030BACDA28F49D9EEAAAAFDE99573DB", "href": "https://www.ibm.com/support/pages/node/260869", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:41:51", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Rational ClearCase.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** 
The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, versions 7.1.0.x, 7.1.1.x, 7.1.2.x, 8.0.0.x, 8.0.1.x, in the following components: \n\n * CCRC WAN server/CM Server component, when configured to use SSL (all platforms)\n * Base CC/CQ V2 (Perl trigger-based) integration, when configured to use SSL to communicate with a ClearQuest Web server (all platforms)\n * CMI and OSLC integrations, including UCM/ClearQuest integration via OSLC (UNIX/Linux platforms), when configured to use SSL. (Windows CMI/OSLC clients are not affected in the default configuration.)\n * CMI/OSLC integration clients (Windows) and automatic view client (Windows), when SSLv3 is enabled (not the default configuration)\n * ClearCase remote client: CCRC/CTE GUI, rcleartool, and CMAPI clients, when using SSL to access a CCRC WAN Server/CM Server\n * Customer defined uses of SSL from ratlperl scripts\n\n## Remediation/Fixes\n\nAll fixes listed below except CCRC WAN server/CM server require the latest published fix pack before applying the rest of the fix. 
\n\n**Affected Versions**| **Applying the fix** \n---|--- \n8.0.1 through 8.0.1.7| Install [Rational ClearCase Fix Pack 8 (8.0.1.8) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24039865>) \n8.0 through 8.0.0.14| Install [Rational ClearCase Fix Pack 15 (8.0.0.15) for 8.0](<http://www.ibm.com/support/docview.wss?uid=swg24039863>) \n7.1.2 through 7.1.2.17, 7.1.1.x (all fix packs), 7.1.0.x (all fix packs)| Customers on extended support contracts should install [Rational ClearCase Fix Pack 18 (7.1.2.18) for 7.1.2](<http://www.ibm.com/support/docview.wss?uid=swg24039861>) \n \n**CCRC WAN server/CM Server component:**\n\nThe solution is to apply fixes or mitigations to your WAS and IHS components. \n\nIf your clients connect to IHS via SSL (which then redirects their connections to WAS), then review this IHS bulletin: [Security Bulletin: Vulnerability in RC4 stream cipher affects IBM HTTP Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21701072>) and apply fixes or remediations to your server.\n\nIf your clients connect directly to WAS with SSL, then review this bulletin for instructions on applying a mitigation or fix to your WAS installation and your ClearCase profile: [Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21701503>). \n\nDepending on your version of ClearCase, you may need additional steps when installing IHS or WAS fixes:\n\n**Affected Versions**| **Applying the fix** \n---|--- \n7.1.0.x, 7.1.1.x, and 7.1.2.x| [Document 1390803](<http://www.ibm.com/support/docview.wss?uid=swg21390803>) explains how to update WebSphere Application Server and/or IBM HTTP Server for ClearCase CM Servers at release 7.1.x. Consult those instructions when applying the fix. 
\n8.0.0.x and 8.0.1.x| Apply the appropriate WebSphere Application Server and/or IBM HTTP Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \n**Base CC/CQ Perl trigger-based (V2) integration:** \n**CMI and OSLC change management integrations (UNIX/Linux platforms):** \n\nThe solution is to update to the fix pack listed above. \n \n**CMI/OSLC integration clients (Windows) and automatic view client (Windows), when SSLv3 is enabled**\n\nThe solution is to update to the fix pack listed above, then restore the default configuration with SSLv3 disabled. \n \nTo disable SSLv3, remove the environment variable CCASE_ENABLE_SSLV3 from your configuration. This is not a default configuration, and would only have been set if you needed to temporarily enable SSLv3 support, which was disabled by the fixes listed in [Security Bulletin: Vulnerability in SSLv3 affects IBM Rational ClearCase (CVE-2014-3566)](<http://www.ibm.com/support/docview.wss?uid=swg21687347>). \n \n**Customer-defined uses of SSL from ratlperl scripts**\n\nThe solution is to update to the fix pack listed above, then check and modify your ratlperl scripts that use OpenSSL. \n \nDisable any uses of the insecure RC4 cipher when you use IO::Socket::SSL. The `SSL_cipher_list` setting configures the ciphers that OpenSSL is permitted to use. You can view the documentation with: \n`ratlperl -e \"use Pod::Perldoc; Pod::Perldoc->run();\" IO::Socket::SSL` \n \nSee the Base CC/CQ Perl trigger-based (V2) integration for an example, in the script module `<ccase-home-dir>/lib/CQCC/CQWebJavaParser.pm`. \n \n**ClearCase remote client: CCRC/CTE GUI, rcleartool, CMAPI clients**\n\nThe solution is to update to the fix pack listed above. 
\n\n**Notes:**\n\n * If you use CCRC as an extension offering installed into an Eclipse shell (one not provided as part of a ClearCase release), or you use rcleartool or CMAPI with a Java\u2122 Virtual Machine not supplied by IBM as part of Rational ClearCase, you should update the Java\u2122 Virtual Machine you use to include a fix for the above issues (disabling RC4 by default). Contact the supplier of your Java\u2122 Virtual Machine.\n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change this setting, you will be exposed to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \n_For unsupported versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nSee the section above.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Rational ClearCase (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2015-2808"], "modified": "2018-07-10T08:34:12", "id": "6DFC02A34D3BB730D9CBA6C97A8D3284FFD1FB8F5F3DD7D9B65FE6CA089C2006", "href": "https://www.ibm.com/support/pages/node/260657", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:38:15", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah Attack\" for SSL/TLS affects IBM Sterling Connect:Direct for Microsoft Windows.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Sterling Connect:Direct for Microsoft Windows 4.7.0 and earlier.\n\n## Remediation/Fixes\n\nIBM Sterling Connect:Direct for Microsoft Windows by default disables the RC4 stream cipher. If you enabled the RC4 stream cipher you are exposed to the RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\nTo disable RC4 stream ciphers, open the CD Secure+ Admin Tool and go through the list of node entries. For each entry, go to its TLS/SSL Protocol > TLS/SSL Options tab and remove any RC4 stream cipher from the list shown in the Enabled box. \n\nYou should verify that applying this configuration change does not cause any compatibility issues.\n\nNote that the remaining available ciphers are generally CBC ciphers. CBC ciphers are vulnerable to [CVE-2011-3389](<https://vulners.com/cve/CVE-2011-3389>) (BEAST Attack). While the previous recommendation to mitigate CVE-2011-3389 was to avoid CBC ciphers, there is now a fix available to mitigate CVE-2011-3389. Therefore IBM recommends applying the following fix in addition to disabling RC4 stream ciphers: \n \n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nIBM Sterling Connect:Direct for Microsoft Windows| 4.5.00| [IT08243](<http://www.ibm.com/support/docview.wss?uid=swg1IT08243>)| Apply 4.5.00 patch 056, available on [IWM](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-SterlngLegacyreq>) \nIBM Sterling Connect:Direct for Microsoft Windows| 4.5.01| [IT08243](<http://www.ibm.com/support/docview.wss?uid=swg1IT08243>)| Apply 4.5.01 patch 022, available on [IWM](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-SterlngLegacyreq>) \nIBM Sterling Connect:Direct for Microsoft Windows| 4.6.0| [IT08243](<http://www.ibm.com/support/docview.wss?uid=swg1IT08243>)| Apply 4.6.0.5_iFix010, available on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Sterling+Connect%3ADirect+for+Microsoft+Windows&release=4.6.0.5&platform=All&function=all>) \nIBM Sterling Connect:Direct for Microsoft Windows| 4.7.0| [IT08243](<http://www.ibm.com/support/docview.wss?uid=swg1IT08243>)| Apply 4.7.0.3_iFix005, available on [Fix 
Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Sterling+Connect%3ADirect+for+Microsoft+Windows&release=4.7.0.3&platform=All&function=all>) \n \nFor older unsupported versions IBM recommends upgrading to a fixed, supported version of the product. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-07-24T22:19:08", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3389", "CVE-2015-2808"], "modified": "2020-07-24T22:19:08", "id": "4658C62A77F48A34C93A36AA5082184E598712E676A47847A2174B2175EB4DBB", "href": "https://www.ibm.com/support/pages/node/261419", "cvss": {"sc