CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
CVSS2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.005 Low
EPSS Percentile: 72.6%
The "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Liberty Profile Version 8.5, which is used by Power Hardware Management Console.
CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Power HMC V7.7.8.0
Power HMC V7.7.9.0
Power HMC V8.8.1.0
Power HMC V8.8.2.0
The following fixes are available on IBM Fix Central at <http://www-933.ibm.com/support/fixcentral/>:
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
Power HMC | V7.7.8.0 SP2 | MB03892 | Apply eFix MH01504 |
Power HMC | V7.7.9.0 SP2 | MB03893 | Apply eFix MH01505 |
Power HMC | V8.8.1.0 SP1 | MB03894 | Apply eFix MH01506 |
Power HMC | V8.8.2.0 SP1 | MB03895 | Apply eFix MH01507 |
You should verify that applying this fix does not cause any compatibility issues.
None
CPE
Name | Operator | Version |
---|---|---|
power system hardware management console physical appliance | eq | any |