CVSS2: 5 (Medium)

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | NONE
Availability Impact | NONE

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
The RC4 “Bar Mitzvah Attack” for Secure Socket Layer (SSL) and Transport Layer Security (TLS) affects TPF Toolkit.
CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
TPF Toolkit 4.0.x and 4.2.x
Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
TPF Toolkit | 4.2.x | JR53501 | Install the latest version of IBM Installation Manager. Apply Interim Fix 4.2.4 by using IBM Installation Manager. Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from http://www.ibm.com/developerworks/java/jdk/
TPF Toolkit | 4.0.x | JR53500 | Install the latest version of IBM Installation Manager. Apply Interim Fix 4.0.7 by using IBM Installation Manager. Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from http://www.ibm.com/developerworks/java/jdk/
For TPF Toolkit 4.0.x and 4.2.x, you can disable the RC4 encryption algorithm for the IBM® Runtime Environment Java™ Technology Edition, Version 7 that is used by TPF Toolkit and the DSTORE server on any remote systems. To disable the RC4 encryption algorithm, complete the following steps:

1. Go to the %TPFHOME%\jdk\jre\lib\security directory, and add or update the jdk.tls.disabledAlgorithms property in the java.security file to include the RC4 encryption algorithm:
   jdk.tls.disabledAlgorithms=SSLv3, RC4
2. Go to the $JAVA_HOME\jre\lib\security directory, and add or update the jdk.tls.disabledAlgorithms property in the java.security file to include the RC4 encryption algorithm:
   jdk.tls.disabledAlgorithms=SSLv3, RC4
Note: $JAVA_HOME is the installation directory for Java on the remote systems.

CPE

Name | Operator | Version
---|---|---
tpf toolkit | eq | 4.0.0
tpf toolkit | eq | 4.0.1
tpf toolkit | eq | 4.0.2
tpf toolkit | eq | 4.0.3
tpf toolkit | eq | 4.0.4
tpf toolkit | eq | 4.0.5
tpf toolkit | eq | 4.0.6
tpf toolkit | eq | 4.2.0
tpf toolkit | eq | 4.2.1
tpf toolkit | eq | 4.2.2
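
A check for the java.security workaround described above, as an added example that is not part of the IBM bulletin: it reads java.security text the way a properties file is parsed (comment lines, backslash continuations, the last assignment wins) and reports which of SSLv3 and RC4 are still missing from jdk.tls.disabledAlgorithms. The function names and sample file fragments are constructed for illustration, and the exact-name comparison is an assumption.

```python
import re

PROPERTY = "jdk.tls.disabledAlgorithms"
REQUIRED = ("SSLv3", "RC4")  # the values the bulletin's workaround sets

def logical_lines(text):
    """Yield logical property lines: skip comments, join backslash continuations."""
    buf, continuing = "", False
    for raw in text.splitlines():
        line = raw.lstrip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd number of trailing backslashes: line continues
            buf, continuing = buf + line[:-1], True
            continue
        yield buf + line
        buf, continuing = "", False
    if continuing:
        yield buf

def disabled_algorithms(text):
    """Return the names in the last PROPERTY assignment, or None if it is unset."""
    names = None
    for line in logical_lines(text):
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == PROPERTY:
            # Entries may carry constraints ("DH keySize < 768"); keep the name only.
            names = [e.split()[0] for e in m.group(2).split(",") if e.strip()]
    return names

def missing_from_workaround(text):
    """Return the REQUIRED names the file does not disable (exact-name match, an assumption)."""
    names = disabled_algorithms(text) or []
    return [name for name in REQUIRED if name not in names]

# Constructed java.security fragments, not taken from a real installation.
BEFORE = "jdk.tls.disabledAlgorithms=SSLv3\n"
AFTER = "jdk.tls.disabledAlgorithms=SSLv3, \\\n    RC4, DH keySize < 768\n"
COMMENTED = "#jdk.tls.disabledAlgorithms=SSLv3, RC4\n"
OVERRIDDEN = AFTER + "jdk.tls.disabledAlgorithms=SSLv3\n"  # later line wins

if __name__ == "__main__":
    for label, text in [("before", BEFORE), ("after", AFTER),
                        ("commented", COMMENTED), ("overridden", OVERRIDDEN)]:
        missing = missing_from_workaround(text)
        print(label, "OK" if not missing else "not disabled: " + ", ".join(missing))
```

Run it against the java.security file on the workstation and on each remote system after editing; a commented-out property or a later duplicate assignment that drops RC4 both show up as "not disabled".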