Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs)

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 6 and 7 that are used by Tivoli Netcool/OMNIbus. . These issues were disclosed as part of the IBM Java SDK updates in April 2015. This bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.

Vulnerability Details

CVEID:CVE-2015-0488**
DESCRIPTION:*An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/102336for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:CVE-2015-0478**
DESCRIPTION:*An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/102339for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID:CVE-2015-2808**
DESCRIPTION:*The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/101851for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:CVE-2015-0204**
DESCRIPTION:*A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/99707for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Tivoli Netcool/OMNIbus 7.3.0
Tivoli Netcool/OMNIbus 7.3.1
Tivoli Netcool/OMNIbus 7.4.0
Tivoli Netcool/OMNIbus 8.1.0

Remediation/Fixes

Product

| VRMF| APAR| Remediation/First Fix
—|—|—|—
OMNIbus | 7.3.0.16| IIV73107| <http://www-01.ibm.com/support/docview.wss?uid=swg24039351&gt;
OMNIbus| 7.3.1.13| IV73107| <http://www-01.ibm.com/support/docview.wss?uid=swg24039350&gt;
OMNIbus| 7.4.0.7| IV73107| <http://www-01.ibm.com/support/docview.wss?uid=swg24039348&gt;
OMNIbus | 8.1.0.4| IV73107| <http://www-01.ibm.com/support/docview.wss?uid=swg24039347&gt;

Workarounds and Mitigations

Mitigation instructions for CVE-2015-2808 are available here:

• IBM SDK, Java Technology Edition, Version 8
• IBM SDK, Java Technology Edition, Version 7R1
• IBM SDK, Java Technology Edition, Version 7
• Configure the OMNIbus server components to use FIPS mode that will disable RC4 by default. FIPS mode configuration is described here: <http://www-01.ibm.com/support/knowledgecenter/SSSHTQ_8.1.0/com.ibm.netcool_OMNIbus.doc_8.1.0/omnibus/wip/install/concept/omn_con_fips_configuringsupport.html?lang=en&gt;