CVSS2 base score: 4.3 Medium

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | MEDIUM
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | PARTIAL
Availability Impact | NONE
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N
GSKit is an IBM component that is used by InfoSphere BigInsights. The GSKit that is shipped with InfoSphere BigInsights contains multiple security vulnerabilities, including the "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. InfoSphere BigInsights has addressed the applicable CVEs.
CVEID: CVE-2015-0138 DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-0159 DESCRIPTION: An unspecified error in GSKit's use of an OpenSSL crypto function, related to Bignum squaring (BN_sqr) producing incorrect results on some platforms, has an unknown attack vector and impact in some ECC operations. You are not affected if you do not use TLS 1.2.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Customers who have Secure Sockets Layer (SSL) support enabled in their Big SQL component are affected. SSL support is not enabled in Big SQL by default.
Affected versions: IBM InfoSphere BigInsights 3.0, 3.0.0.1 and 3.0.0.2.
The recommended solution is to apply the appropriate fix for this vulnerability.
For versions 3.0, 3.0.0.1, and 3.0.0.2: contact IBM technical support to obtain the fix for this issue.
CPE | Name | Operator | Version
---|---|---|---
 | ibm db2 big sql | eq | 3.0
 | ibm db2 big sql | eq | 3.0.0.2
 | ibm db2 big sql | eq | 3.0.0.1