History: Jun 17, 2018 - 2:59 p.m.

Security Bulletin: Vulnerability in IBM Java Runtime affects Tivoli Netcool Service Quality Manager (CVE-2015-0138)

2018-06-17 14:59:42
www.ibm.com

4.3 Medium

CVSS2

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary

The "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability affects IBM® Runtime Java™ Technology Edition, Version 5.0, which is used by Tivoli Netcool Service Quality Manager.

Vulnerability Details

CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

This vulnerability affects Tivoli Netcool Service Quality Manager 4.1.4.

Remediation/Fixes

IBM has provided patches for all affected versions.
The IBM Java Runtime Environment Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 can be downloaded from the IBM Fix Central site:
https://delivery04.dhe.ibm.com/sar/CMA/WSA/04x1e/0/jre564redist.tar.gz

To install the patch, perform the following procedure on the TNSQM servers (the services are stopped and restarted in the order shown):

$ sap stop
$ sapmon stop
$ sapmgr stop
$ cd ${WMCROOT}/java
$ mv jre jre.old
$ gunzip -c <location of patch>/jre564redist.tar.gz | tar -xf -
$ sapmon start
$ sapmgr start
$ sap start
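As an added example (not IBM's script and not part of the bulletin), the procedure above wrapped in a POSIX shell script that checks the tarball and ${WMCROOT} before stopping anything, and restores the previous JRE if extraction fails. It assumes the bulletin's sap, sapmon and sapmgr commands exist on the host; the function names check_prereqs and install_jre_patch are my own.

```shell
#!/bin/sh
# Added example: the TNSQM JRE patch steps from the bulletin with pre-flight
# checks and a rollback path. Usage on a TNSQM server:
#   install_jre_patch "$WMCROOT" /path/to/jre564redist.tar.gz

# Verify everything we need before touching the running JRE.
# Returns 0 when the patch can proceed, 1 otherwise.
check_prereqs() {
    root="$1"; tarball="$2"
    [ -n "$root" ] && [ -d "$root/java" ] || {
        echo "WMCROOT/java directory missing: $root" >&2; return 1; }
    [ -f "$tarball" ] && [ -r "$tarball" ] || {
        echo "patch tarball unreadable: $tarball" >&2; return 1; }
    # A truncated or wrong download must not replace a working JRE:
    # the archive has to list a jre/bin/java entry.
    gunzip -c "$tarball" 2>/dev/null | tar -tf - 2>/dev/null | grep -q 'bin/java$' || {
        echo "tarball does not contain jre/bin/java" >&2; return 1; }
    return 0
}

# Apply the patch in the bulletin's order (stop sap, sapmon, sapmgr;
# swap the JRE; start sapmon, sapmgr, sap). Keeps jre.old for rollback.
install_jre_patch() {
    root="$1"; tarball="$2"
    check_prereqs "$root" "$tarball" || return 1
    sap stop; sapmon stop; sapmgr stop
    cd "$root/java" || return 1
    mv jre jre.old || return 1
    if ! gunzip -c "$tarball" | tar -xf -; then
        echo "extraction failed, restoring previous JRE" >&2
        rm -rf jre; mv jre.old jre
        sapmon start; sapmgr start; sap start
        return 1
    fi
    sapmon start; sapmgr start; sap start
    # Report the JRE build now in service so the change can be recorded.
    "$root/java/jre/bin/java" -version 2>&1 | head -n 1
}
```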

Workarounds and Mitigations

None

