Security Bulletin: Vulnerabilities in GSKit affect InfoSphere BigInsights (CVE-2015-0138, CVE-2015-0159)

Source: IBM, www.ibm.com
Record date: Apr 08, 2021 - 8:59 p.m.
CVSS2 Base Score: 4.3 (Medium)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary

GSKit is an IBM component that is used by InfoSphere BigInsights. The GSKit that is shipped with InfoSphere BigInsights contains multiple security vulnerabilities, including the "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. InfoSphere BigInsights has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0138 DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite, although such a key is only permitted for RSA_EXPORT suites. This could allow a remote attacker using man-in-the-middle techniques to force the client onto a weak (512-bit or smaller) RSA key and so facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
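The client-side check whose absence is described above, as an added illustration that is not GSKit or IBM code: a TLS 1.0-1.2 client must refuse a ServerKeyExchange message carrying RSA temporary-key parameters whenever the negotiated suite is a non-export RSA key exchange, and must cap the temporary key at 512 bits when an RSA_EXPORT suite really was negotiated. The cipher suite tables are a small subset of the IANA registry chosen for the example, `HandshakeFailure` and all function names are the example's own, and the 512-bit modulus is constructed, not a real server key.

```python
"""Client-side ServerKeyExchange validation for RSA key exchange in TLS 1.0-1.2.

Added example illustrating the check behind CVE-2015-0138 (FREAK). This is not
GSKit or IBM code; the suite tables and constructed messages are the example's own.
"""
import struct

# Cipher suite IDs from the IANA TLS registry (constructed subset for the example).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
RSA_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
EXPORT_MAX_BITS = 512  # RFC 2246 A.5: export RSA temporary keys are at most 512 bits


class HandshakeFailure(Exception):
    """Raised when the client must abort (TLS alert handshake_failure)."""


def encode_server_rsa_params(n, e):
    """Build a ServerRSAParams structure (RFC 2246 7.4.3): two 16-bit-length-prefixed opaque fields."""
    modulus = n.to_bytes((n.bit_length() + 7) // 8, "big")
    exponent = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(modulus)) + modulus + struct.pack("!H", len(exponent)) + exponent


def parse_server_rsa_params(body):
    """Parse ServerRSAParams; return (modulus, exponent, modulus_bits)."""
    off = 0
    (mlen,) = struct.unpack_from("!H", body, off)
    off += 2
    modulus = body[off:off + mlen]
    off += mlen
    (elen,) = struct.unpack_from("!H", body, off)
    off += 2
    exponent = body[off:off + elen]
    off += elen
    if off != len(body) or mlen == 0 or elen == 0:
        raise HandshakeFailure("malformed ServerRSAParams")
    n = int.from_bytes(modulus, "big")
    return n, int.from_bytes(exponent, "big"), n.bit_length()


def check_server_key_exchange(negotiated_suite, ske_body):
    """Decide whether the client may proceed after Certificate and the optional
    ServerKeyExchange (ske_body is None when the server did not send one).

    Returns the temporary key size in bits when a temporary key is legitimately
    in use, or None when the certificate's RSA key is used for key exchange.
    """
    if negotiated_suite in RSA_SUITES:
        # The FREAK condition: a non-export RSA suite never carries a
        # ServerKeyExchange. A vulnerable client accepted one anyway and
        # encrypted the premaster secret to the attacker-chosen 512-bit key.
        if ske_body is not None:
            raise HandshakeFailure(
                f"{RSA_SUITES[negotiated_suite]}: unexpected ServerKeyExchange "
                "(RSA temporary key in a non-export RSA key exchange)")
        return None
    if negotiated_suite in RSA_EXPORT_SUITES:
        if ske_body is None:
            # Legal only when the certificate key itself is <= 512 bits; that
            # check belongs with certificate validation and is out of scope here.
            return None
        _, _, bits = parse_server_rsa_params(ske_body)
        if bits > EXPORT_MAX_BITS:
            raise HandshakeFailure(f"export suite with {bits}-bit temporary key")
        return bits
    raise HandshakeFailure(f"cipher suite 0x{negotiated_suite:04x} not handled by this check")


def strip_export_suites(offered):
    """Client hygiene: never advertise RSA_EXPORT suites. Returns suites in original order."""
    return [s for s in offered if s not in RSA_EXPORT_SUITES]


if __name__ == "__main__":
    # Constructed 512-bit modulus standing in for a server's export-grade temporary key.
    weak_key = encode_server_rsa_params((1 << 511) | 0x1001, 65537)
    # Honest export negotiation: protocol-legal, which is why export suites must not be offered.
    print("export suite, temp key bits:", check_server_key_exchange(0x0008, weak_key))
    # FREAK: client believes it negotiated AES-128 RSA, yet receives a temporary key.
    try:
        check_server_key_exchange(0x002F, weak_key)
    except HandshakeFailure as exc:
        print("rejected:", exc)
    print("offered after hardening:", [hex(s) for s in strip_export_suites([0x002F, 0x0008, 0x0035])])
```

Removing RSA_EXPORT suites from the ClientHello is good hygiene but does not by itself stop the downgrade, because the man-in-the-middle rewrites the ClientHello before the server sees it; the fix is the rejection in `check_server_key_exchange`. On the server side, disabling export suites removes the 512-bit keys the attacker needs to factor.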

CVEID: CVE-2015-0159 DESCRIPTION: GSKit uses an OpenSSL crypto function whose Bignum squaring routine (BN_sqr) produces incorrect results on some platforms. The resulting error in some ECC operations has an unknown attack vector and impact. You are not affected if you do not use TLS 1.2.

CVSS Base Score: 2.6
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Customers who have Secure Sockets Layer (SSL) support enabled in their Big SQL component are affected. SSL support is not enabled in Big SQL by default.

IBM InfoSphere BigInsights 3.0, 3.0.0.1 and 3.0.0.2

Remediation/Fixes

The recommended solution is to apply the appropriate fix for these vulnerabilities.

For versions 3.0, 3.0.0.1, and 3.0.0.2: please contact technical support to obtain a fix for this issue.
