May 24, 2022 - 5:06 p.m.

Security Bulletin: Vulnerability in RC4 stream cipher affects DS8000 (CVE-2015-2808)

www.ibm.com

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.003 Low
Percentile: 69.2%

Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects DS8000

Vulnerability Details

CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

The following products and versions are impacted:

  • DS8870 earlier than R7.2 (87.21.x.x)
  • DS8800/DS8700 earlier than R6.3 SP9 (86.31.142.x/76.31.121.x)

Remediation/Fixes

Product Update

Product | VRMF | APAR | Remediation/First Fix
DS8870 | < R7.2 87.31.16.0 or above | N/A | Already available
DS8800 | R6.3 86.31.152.0 | N/A | Already available
DS8700 | R6.3 76.31.131.0 | N/A | Already available

Note: Customers applying updates should consult the DS8000 code recommendation page before requesting versions: <http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004456>

Workarounds and Mitigations

None
