Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM41233F56616095DF27197F1AE5AAC2E0D379D31214D494042F1C98BDC97B33FC
HistoryOct 21, 2021 - 9:03 p.m.

Security Bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server for AIX/VIOS (CVE-2015-0138, CVE-2015-0159)

2021-10-2121:03:11
www.ibm.com
16

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.005 Low

EPSS

Percentile

73.3%

JSON

Summary

GSKit is an IBM component that is used by IBM Security/Tivoli Directory Server. The GSKit that is shipped with IBM Security/Tivoli Directory Server contains multiple security vulnerabilities including the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability, IBM Security/Tivoli Directory Server has addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2015-0138

DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0159

DESCRIPTION: An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations.

CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Affected Products and Versions

5.3, 6.1, 7.1

VIOS 2.2.x

Remediation/Fixes

The GSKit package contains a fix and needs to be installed on AIX/VIOS systems.

The fixes for the GSKit components can be downloaded at the following link:

Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)

Workarounds and Mitigations

None

Related

ibm 147
aix 2
prion 1
cve 2
nessus 25
suse 8
kaspersky 1
redhat 5
openvas 4
veracode 4
ibm
ibm
Security Bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)
2018-06-16 21:23:03
Security Bulletin: A security vulnerability has been identified in IBM Tivoli Directory Server and IBM Security Directory Server shipped with IBM PureApplication System. (CVE-2015-0138)
2018-06-15 07:02:43
Security Bulletin: Vulnerabilities in GSKit affect InfoSphere BigInsights (CVE-2015-0138, CVE-2015-0159)
2021-04-08 20:59:42
aix
aix
AIX IBM SDK Java JSSE vulnerability
2015-04-13 12:11:24
Multiple vulnerabilities in IBM Java SDK affect AIX
2015-06-03 12:58:42
prion
prion
Design/Logic Flaw
2015-03-25 01:59:00
cve
cve
CVE-2015-0138
2015-03-25 01:59:00
CVE-2015-0159
2015-03-25 01:59:00
nessus
nessus
IBM HTTP Server 8.5.0.0 <= 8.5.5.5 / 8.0.0.0 <= 8.0.0.10 / 7.0.0.0 <= 7.0.0.37 / 6.1.0.0 <= 6.1.0.47 / 6.0.0.0 <= 6.0.2.43 (257477)
2020-12-15 00:00:00
AIX Java Advisory : Multiple Vulnerabilities (Bar Mitzvah)
2015-04-30 00:00:00
IBM DB2 10.5 < Fix Pack 6 Multiple Vulnerabilities (Bar Mitzvah)
2016-04-15 00:00:00
suse
suse
Security update for java-1_7_0-ibm (important)
2015-06-16 22:06:38
Security update for IBM Java (important)
2015-06-18 16:05:20
Security update for java-1_7_0-ibm (important)
2015-06-27 04:05:10
kaspersky
kaspersky
KLA10503 Multiple vulnerabilities in IBM products
2015-03-24 00:00:00
redhat
redhat
(RHSA-2015:1021) Important: java-1.5.0-ibm security update
2015-05-20 00:00:00
(RHSA-2015:1020) Critical: java-1.7.1-ibm security update
2015-05-20 00:00:00
(RHSA-2015:1091) Low: Red Hat Satellite IBM Java Runtime security update
2015-06-11 00:00:00
openvas
openvas
SUSE: Security Advisory for IBM Java (SUSE-SU-2015:1086-1)
2015-10-16 00:00:00
SUSE: Security Advisory for IBM Java (SUSE-SU-2015:1086-2)
2015-10-13 00:00:00
SUSE: Security Advisory for java-1_7_0-ibm (SUSE-SU-2015:1086-4)
2015-10-13 00:00:00
veracode
veracode
Sandbox Restrictions Bypass
2019-05-02 05:39:14
Sandbox Restrictions Bypass
2019-05-02 05:39:14
Insecure TLS Configurations
2019-05-02 05:39:14

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.005 Low

EPSS

Percentile

73.3%

JSON
Related for 41233F56616095DF27197F1AE5AAC2E0D379D31214D494042F1C98BDC97B33FC
ibm147aix2prion1cve2nessus25suse8kaspersky1redhat5openvas4veracode4