Security Bulletin:Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server Community Edition 3.0.0.4 （CVE-2015-0138)

Summary

The “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability (CVE-2015-0138) may affect IBM WebSphere Application Server Community Edition.

Vulnerability Details

CVEID: CVE-2015-0138 DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM WebSphere Application Server Community Edition 3.0.0.4

Workarounds and Mitigations

Upgrade your IBM SDK for Java to an interim fix level as determined below:
IBM SDK 6.0:
IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 3 (required) + IV70681

IBM SDK 7.0:
IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 FP10 (optional) +IV70681
IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 2 FP10 (optional) + IV70681