Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Performance Tester (CVE-2015-2808)

Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects Rational Performance Tester.

Vulnerability Details

CVEID: CVE-2015-2808**
DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Rational Performance Tester versions 8.2., 8.3., 8.5., 8.6. and 8.7.

Remediation/Fixes

Download Java from one of the links below. Edit java.security and disable RC4 by adding it to the list of disabled algorithms. For example,

jdk.tls.disabledAlgorithms=SSLv3, RC4

For a default installation the file java.security can be found as indicated below.

Windows: C:\Program Files\IBM\SDP\jdk\jre\lib\security.

Linux: /opt/IBM/SDP/jdk/jre/lib/security.

Workarounds and Mitigations

None