## Summary
GSKit is an IBM component that is used by Host On-Demand. The GSKit that is shipped with Host On-Demand contains multiple security vulnerabilities, including the "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. Host On-Demand has addressed the applicable CVEs.
## Vulnerability Details
**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)
**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
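The client-side check that the description above turns on, as an added example (not code from IBM, GSKit or Host On-Demand): in TLS 1.0 to 1.2 a ServerKeyExchange carrying RSA parameters is only legitimate for an RSA_EXPORT cipher suite, and a client that also honours it for a non-export RSA suite is the FREAK condition. Cipher suite code points are from RFC 2246/RFC 5246; the message layout follows ServerRSAParams in RFC 2246 section 7.4.3; the handshake state, the 512-bit modulus and the function names are constructed for this example.

```python
"""
Added example, not IBM's, GSKit's or Host On-Demand's code: a model of the TLS
client-side check that FREAK (CVE-2015-0138) abuses. A ServerKeyExchange
message with ServerRSAParams (RFC 2246 section 7.4.3) is only valid for an
RSA_EXPORT suite. A client that accepts it for a non-export RSA suite lets a
man-in-the-middle substitute a short temporary key, as the bulletin describes.
Code points are from RFC 2246/RFC 5246; everything else here is constructed.
"""
import struct

# RSA key-exchange suites by IANA code point (RFC 2246 / RFC 5246).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
RSA_STATIC_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


class HandshakeFailure(Exception):
    """Raised when the client must abort the handshake (alert handshake_failure)."""


def _read_opaque16(buf, pos):
    """Read one <1..2^16-1> length-prefixed opaque field; return (bytes, new_pos)."""
    if pos + 2 > len(buf):
        raise HandshakeFailure("truncated length prefix")
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if length == 0 or pos + length > len(buf):
        raise HandshakeFailure("bad opaque length %d" % length)
    return buf[pos:pos + length], pos + length


def parse_server_rsa_params(body):
    """Parse ServerRSAParams {rsa_modulus, rsa_exponent} from a ServerKeyExchange
    body. Returns (modulus_int, exponent_int); the trailing signature is ignored."""
    modulus, pos = _read_opaque16(body, 0)
    exponent, pos = _read_opaque16(body, pos)
    return int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big")


def encode_server_rsa_params(modulus, exponent):
    """Build the ServerRSAParams wire encoding (used to construct the sample message)."""
    m = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(m)) + m + struct.pack("!H", len(e)) + e


def vulnerable_client_on_server_key_exchange(negotiated_suite, body):
    """Pre-fix behaviour the bulletin describes: the temporary RSA key is accepted
    and used for the premaster secret whatever suite was negotiated. Returns the
    bit length of the key the client would now encrypt to."""
    modulus, _ = parse_server_rsa_params(body)
    return modulus.bit_length()


def hardened_client_on_server_key_exchange(negotiated_suite, body):
    """Fixed behaviour: ServerKeyExchange is only valid for RSA_EXPORT suites. For
    any static-RSA suite the message is a protocol violation and the handshake
    is aborted, so a weak temporary key can never be swapped in."""
    if negotiated_suite in RSA_STATIC_SUITES:
        raise HandshakeFailure(
            "unexpected ServerKeyExchange for %s" % RSA_STATIC_SUITES[negotiated_suite])
    if negotiated_suite not in RSA_EXPORT_SUITES:
        raise HandshakeFailure("unknown or unsupported suite 0x%04x" % negotiated_suite)
    # Export suites are obsolete; a client that never offers them never reaches
    # this branch. It is kept only to model the one legitimate case.
    modulus, _ = parse_server_rsa_params(body)
    return modulus.bit_length()


# Constructed 512-bit "export grade" modulus: not a real key, only a number of
# the size FREAK targets, with the low bit set so it looks like an odd modulus.
WEAK_MODULUS = (1 << 511) | 0x1234567
CONSTRUCTED_SKE = encode_server_rsa_params(WEAK_MODULUS, 65537)


def demo():
    """Feed the same downgraded handshake to both clients.
    Returns (key bits the vulnerable client accepts, whether the hardened one aborts)."""
    suite = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA, as chosen in ServerHello
    vulnerable_bits = vulnerable_client_on_server_key_exchange(suite, CONSTRUCTED_SKE)
    try:
        hardened_client_on_server_key_exchange(suite, CONSTRUCTED_SKE)
        rejected = False
    except HandshakeFailure:
        rejected = True
    return vulnerable_bits, rejected


if __name__ == "__main__":
    print(demo())  # (512, True)
```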
## Affected Products and Versions
Host On-Demand 11.0.12 and earlier
## Remediation/Fixes
| _Product_ | _VRMF_ | _Remediation/First Fix_ |
|---|---|---|
| Host On-Demand | 11.0.13 | To be announced |
For IBM Rational Host On-Demand 11.0.12 and before, IBM recommends upgrading to IBM Rational Host On-Demand 11.0.13, scheduled to be released on 23rd March 2015.
## Workarounds and Mitigations
None
##
{"id": "512128914F0E940733AA8FCEADE82B253B89B441D03FC6E96899CF50C10F8555", "vendorId": null, "type": "ibm", "bulletinFamily": "software", "title": "Security Bulletin: Vulnerabilities in GSKit affect Host On-Demand (CVE-2015-0138)", "description": "## Summary\n\nGSKit is an IBM component that is used by Host On-Demand.The GSKit that is shipped with Host On-Demand contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. Host On-Demand has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nHost On Demand 11.0.12 and earlier\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nHost On-Demand| 11.0.13| To be announced \n \nFor IBM Rational Host On-Demand 11.0.12 and before, IBM recommends upgrading to IBM Rational Host On-Demand 11.0.13, scheduled to be released on 23rd March 2015. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "published": "2018-08-03T04:23:43", "modified": "2018-08-03T04:23:43", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {}, "href": "https://www.ibm.com/support/pages/node/257561", "reporter": "IBM", "references": [], "cvelist": ["CVE-2015-0138"], "immutableFields": [], "lastseen": "2023-02-21T01:40:36", "viewCount": 16, "enchantments": {"dependencies": {"references": [{"type": "aix", "idList": ["JAVAJSSE_ADVISORY.ASC", "JAVA_APRIL2015_ADVISORY.ASC"]}, {"type": "cve", "idList": ["CVE-2015-0138"]}, {"type": "ibm", "idList": ["098E1724D0D22BD8E0B54429E8D6B7A2A5B2B8403A792BB9788E96F4B4565340", "14BBFA6B49B2B32EC845FF39AD1F8D82849547A8D26A823F85483D3C123772AE", "1552258BC602B501CB144C17FE55DEC12CEDE82B9F4351E9E4F47BE8C7003BA9", "1A46129AC809B41F500970B41C9B22522A13E7E9D6A44839DC2EC0A7BF599993", "1A843547D5063F14046BF2E5CB1860630C9D296CA64E6F49114770A4500BF9B0", "22FC3C4AB16FE88DB3814191930C500C23D3D5A997F90B8E43D2DA9E4803CA8A", "29BFF097F764F2E2870C5D0DC577733C5EEBC573E7B3FE466D280FD91D64FD0A", "3087E890AD1B34329596C16C2C76C102E962CDA62DC06323CFC97E0BC299949A", "35C083A435A896FC1233AF3780CFAEEB9F01575136F17A20FDB83F464E5AD939", "363F1E6A6B5C2A70D13E0D8374B17FDF5930E05DCB5525830BB35B47CB16585E", "3769AE0D61C3CBAA5EF7CFA7F8E4509D7350FB3569E072FD500CDFD6AC677A66", "41233F56616095DF27197F1AE5AAC2E0D379D31214D494042F1C98BDC97B33FC", "41E28066AA2C3218C163447E6DEC287793F1F01FABF7D32B958220AD8A07D8F1", 
"42E120F033799AC7E1B18D852BA65973034A0861B261895FEE37D36B6D3EAAC7", "45287357CDFF0CBDD9F6FBC98FE84205AFD006DFB984C6B589393F8B09465C66", "467691274B46B374ED94D3C8CECDDBB250DC781111B8D9EE9B6CFCF7F4C45BB6", "4B00A89752FB47CF5A737FD47C6BD4B45EAA5FCB935D94AFF74FE195C649C4A7", "4B4898216C827EB96D26A0262D74942D89F7588963EFDE5F0B6C1A3F12BEF660", "4DC0A8334FA74CC72F7413D6B655F0E3EAACB5A860F1209C78A77DBEFC89B0BE", "4DE3F235DB56885BEC38FC17BF7C67C9840D8357D7B343F1FB2F45ED9EB735FF", "4EA215B3645DDAC4FD37F8734C45AA03E711B96215D9E5BD79734DA548CB9D4D", "527AEB02DC4029326B0DDB6C7A93716F28D3B32A5D2FFCEAC8C4A9ACE4F8F863", "53BF623AA722F72CE5ADFE866B98F9C352C7153B5036BD4F44218D79F03B13EC", "5455A5366A120EFE046B191CE85A7EAC26F1620B600AC84C31362DD48C43453F", "5D0CC6456D2278646647F1A4FEFECEB673F2B5D1F99FBBC5755735CEF5AA6268", "667F0CF2183A320CE4B9915860CC3C8A240BD2538D26B2B33B64838AA863BD14", "6A04D5E4C99A2F50DCD4C5B4FAF20AD2C3B16AD9EA922F5FEE4DF718AE506672", "6C4CC25BCEEE0FFD214CA09BCBD23E6E7D97A8749334FD5EF15BFF592A2C1B17", "6D535A3AEF65DAA651A7961CBD4354AE631F476BC694CF73D20623E7518799AB", "6DF3814722A33BAC4382EFDB9DF33B5A2FFEA62B91E068C5925CD8FDD7EED52D", "705280D237DEDB26D3D68396BC2097819ADC8127D93D08AF8CFC027E9A703179", "7408B0D116F1ACA3FBA42438A5C7BD95C4346FE353E99C771B9793BC2CA7A556", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E327BBFF3C6248340BB4D02D0AED4CFA65A1C13329D0793D3B72E11E963D084", "81ED11E63F71140E384926E4D91E9803BA0C9E42CE076CAD7CFF08561DF8F30A", "84675A12010348000987B3B23199431634511DDFAE93164E5909BC080FB29130", "85A7B696106AFFC135FC8B00290DAFFD29A00A70759CC6A6AB13CAE2B826FF3C", "86342A16183C947600A2D12FE2134D8199BF66CC53E099BBBD76E9F235DE5D41", "885CA8FB43A58F0F7C3739F6B18DF2B4186ED924961D062FB7470BC8E4377B74", "8888F22093A992161C145D8EB8FA3C1CCAB260B1D3FDE8B046A922FCEA3019A0", "88ED6434C339FC19F1478A1680F90F3960F8FBFEE85C7C4B449C4E1407DD071F", "8E52B580FD40A2463235A900C053978088551052E8CED206AAA5FACA17727B55", 
"9825FBBD59935C89C7054E7D70765761F175FA0631E7EFFDF7204FC8BED3C3D8", "9D7101E117A4070FAFB4A7B104EAECB6DFD44AE8B546A3A6E1365725AA7F9A28", "9D8FD967B563EB10DC5FC0FAC977A00C29B4A75950B67D3C9A89093934A12FD3", "9FD0A2153D7653CA93FDABF4A80D4F63FFD425F2201F266B744D51C1F6F9AB82", "A3A478C560F7D2D2CC57B2194BFC08E81927CA815E4B75181AB36C85C6CDFBBC", "A49F9EFECEFD840DBA180620BA6247AF2908F0E8D2F8C691E6322205046D5645", "AC5F4ED214203EFCAD3F989937F2121781E2F7F8A7A41ACF185250C39717A25B", "B2AF94E4B4104CFC171D34D738F1AFC4758C45D61D537CBC43031028CB7E0EA4", "B34877D991F21B254E16D92D7328B03658AA2122E7631AA85688801D398E5BAF", "B8F8FAB6D9387300926404BC53D8D8ADA0A1DADFC7A4CF32B99AAEAF7D05C0A1", "B9410A108CEB6D3C9DFE0C1617FB34D181E021D243C3FB7F5DB35969D7C4CE52", "BA9A0F723D5B8F641EEA021DCFA0290BCCA064A65992E8781648D9FEEF4982C3", "C1C602B37EDF70C48D650440743C29740F6A8F38FA9C0E6F1E9E01FCB3C6658C", "C590C7F04E350EBE4E25E96737987B9BD9D85F3B04F15E8804A350221FF2C7D6", "C77F41E1A40A497E70A3BC1A7C0EAD9FB42719CFF54CB8725681FE37A4EC05C1", "CB1B87BF4874E8E4FDFF0C5D0245F1B8EA7AF72E1648F87D112407D83AC6BFA1", "CB75C0BD6B5A0A9FF5998DBD89782237D668B1C0A1067F7074DB5DF83F11FED2", "CC1740D85628549D6FAC223D34127F158CD233478F25DBA7737A26EE508DE9C0", "CF742788FBB5E737985FFECC4AE0A251E995D621D6DFFEB06044D6DCAF951F3B", "D06E9BDBBBA9D9235FA43D7E1CE553B024D6C0D9889FD94B63A28B5FF11F8829", "D1A3FD807BA4E7652F41DAF275B25C0E45AED49DE0DD3C98F3C83D50CD580F2F", "D23B506F373F085D0D95234FF39AA0BCD38839F8B4D1BDF9584496C6B93F1F28", "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "D995BFD7F2FE7D2B6BD9B254E3A2FFCCE7B6FC8B44FD9CE6285A91BD366E9BE9", "D9B33FAA9F87D18625F5A08EF5634D73168FBB4A49FD551EFF5B173DEC473E84", "DF89B2395C4DB15E1FF631A136BB1301E179B1A5D4A2BF72B8D0EF9E4A730437", "E7DD7A78504C2DDFDC5B8A3227100A6A0B9CA9EF9595F7D882ADD9D3C268C0B6", "EBC1C6CDC42FFB6CBAA0946487190015CE14CE671172E8DB970CA2D247556358", "EC972C692BE3023B72017E1A0E500647A4508BA18E2201793D3A30F3A4FFF8F1", 
"ECCE014D73B98FA8DFDAF62FBE6CB38DC60F865162B6796DE08DE157BB863D0D", "F06BAB24D9E4E17DD0677BA61DD3C1AC11E4C85147BBF86EE8D3A92E535C3E14", "F0ABD172DAB727B9E1A590E26426CC6FC3FB7572FBBAACB844B6C8AA844A1A2D", "F3758093EA44146C6BB9180D4A89ECCFA58C42ADF8707A861E087BF54975924C", "F59809CE9D4F3F2D2A03090B55E54276D439DAD51C4F7A6E10F50212DD6A92F6", "F98C6B1EAC8D235F19136FBD257D2C504AAE6912C5BCB9B73AE39565E359364A", "FC4C804F44282D78247FA90BC4C8C855819430A02725094AC97DBD89D0227589"]}, {"type": "kaspersky", "idList": ["KLA10503"]}, {"type": "nessus", "idList": ["9197.PRM", "9198.PRM", "9700.PRM", "9713.PRM", "9716.PRM", "AIX_JAVA_APR2015_ADVISORY.NASL", "AIX_JAVA_APRIL2015_ADVISORY.NASL", "DB2_101FP5.NASL", "DB2_105FP6.NASL", "DB2_97FP10_MULTI_VULN.NASL", "IBM_HTTP_SERVER_257477.NASL", "REDHAT-RHSA-2015-1006.NASL", "REDHAT-RHSA-2015-1007.NASL", "REDHAT-RHSA-2015-1020.NASL", "REDHAT-RHSA-2015-1021.NASL", "REDHAT-RHSA-2015-1091.NASL", "SUSE_SU-2015-1073-1.NASL", "SUSE_SU-2015-1085-1.NASL", "SUSE_SU-2015-1086-1.NASL", "SUSE_SU-2015-1086-2.NASL", "SUSE_SU-2015-1086-3.NASL", "SUSE_SU-2015-1086-4.NASL", "SUSE_SU-2015-1138-1.NASL", "SUSE_SU-2015-1161-1.NASL", "WEBSPHERE_8_5_5_6.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310850825", "OPENVAS:1361412562310850826", "OPENVAS:1361412562310851032", "OPENVAS:1361412562310851094"]}, {"type": "redhat", "idList": ["RHSA-2015:1006", "RHSA-2015:1007", "RHSA-2015:1020", "RHSA-2015:1021", "RHSA-2015:1091"]}, {"type": "suse", "idList": ["SUSE-SU-2015:1073-1", "SUSE-SU-2015:1085-1", "SUSE-SU-2015:1086-1", "SUSE-SU-2015:1086-2", "SUSE-SU-2015:1086-3", "SUSE-SU-2015:1086-4", "SUSE-SU-2015:1138-1", "SUSE-SU-2015:1161-1"]}]}, "score": {"value": 1.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "aix", "idList": ["JAVA_APRIL2015_ADVISORY.ASC"]}, {"type": "cve", "idList": ["CVE-2015-0138"]}, {"type": "ibm", "idList": ["5455A5366A120EFE046B191CE85A7EAC26F1620B600AC84C31362DD48C43453F", 
"D995BFD7F2FE7D2B6BD9B254E3A2FFCCE7B6FC8B44FD9CE6285A91BD366E9BE9", "DF89B2395C4DB15E1FF631A136BB1301E179B1A5D4A2BF72B8D0EF9E4A730437", "E7DD7A78504C2DDFDC5B8A3227100A6A0B9CA9EF9595F7D882ADD9D3C268C0B6", "F98C6B1EAC8D235F19136FBD257D2C504AAE6912C5BCB9B73AE39565E359364A"]}, {"type": "kaspersky", "idList": ["KLA10503"]}, {"type": "nessus", "idList": ["9198.PRM", "REDHAT-RHSA-2015-1021.NASL", "SUSE_SU-2015-1161-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310850825", "OPENVAS:1361412562310851094"]}, {"type": "redhat", "idList": ["RHSA-2015:1007"]}, {"type": "suse", "idList": ["SUSE-SU-2015:1161-1"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}, {"name": "ibm host on-demand", "version": 11}]}, "epss": [{"cve": "CVE-2015-0138", "epss": "0.004860000", "percentile": "0.722880000", "modified": "2023-03-17"}], "vulnersScore": 1.0}, "_state": {"dependencies": 1676943753, "score": 1676943997, "affected_software_major_version": 1677355290, "epss": 1679165106}, "_internal": {"score_hash": "0fd5a87462e5d75cd09084c42ecf56e4"}, "affectedSoftware": [{"version": "11.0", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.1.0", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.2.0", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.3.0", "operator": "eq", "name": "ibm host on-demand"}, {"version": 
"11.0.4.0", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.5.0", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.5.1", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.6", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.6.1", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.7", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.8", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.9", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.10", "operator": "eq", "name": "ibm host on-demand"}, {"version": "11.0.11", "operator": "eq", "name": "ibm host on-demand"}]}
{"ibm": [{"lastseen": "2023-02-21T01:49:00", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Rational RequisitePro. The GSKit that is shipped with IBM Rational RequisitePro contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. IBM Rational RequisitePro has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\n**Version**\n\n| \n\n**Status** \n \n---|--- \n \n7.1.4 through 7.1.4.7\n\n| \n\nAffected \n \n7.1.3 through 7.1.3.14\n\n| \n\nAffected \n \n7.1.1.x, 7.1.2.x (all versions)\n\n| \n\nAffected \n \nYou are vulnerable if you configure Rational RequisitePro to use LDAP authentication with secure socket connections. \n\n## Remediation/Fixes\n\nThe fix is to first upgrade ReqPro to 7.1.2.17, 7.1.3.14, or 7.1.4.7. If installing 7.1.3.14 or 7.1.4.7, then a second step is required, installing a newer version of the GSKit component that fixes the vulnerability. 
Contact Rational Customer Support for a copy of the fix and the instructions to manually patch your system(s). The GSKit release with the fix can be located in [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FTivoli%2FIBM+Global+Security+Kit&fixids=8.0.50.41-ISS-GSKIT-Win32-FP0041&source=dbluesearch&function=fixId&parent=ibm/Tivoli>). \n \n2) If upgrading to 7.1.3.14, or 7.1.4.7, then contact Rational Customer support for instructions to download and install the GSKit fix. If you are upgrading to 7.1.2.17, then you are done. \n \nYou should verify applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\nNone \n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:10", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM Rational RequisitePro (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T05:01:10", "id": "E7DD7A78504C2DDFDC5B8A3227100A6A0B9CA9EF9595F7D882ADD9D3C268C0B6", "href": "https://www.ibm.com/support/pages/node/259143", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:40:14", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Rational ClearQuest. The GSKit that is shipped with IBM Rational ClearQuest contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. 
IBM Rational ClearQuest has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest versions: \n \n\n\n**Version**\n\n| \n\n**Status** \n \n---|--- \n \n8.0.1 through 8.0.1.7\n\n| \n\nAffected \n \n8.0 through 8.0.0.14\n\n| \n\nAffected \n \n7.1.1.x, 7.1.2.x (all versions)\n\n| \n\nAffected \n \n \nYou are vulnerable if you configure Rational ClearQuest to use LDAP authentication with secure sockets connections. \n\n\n## Remediation/Fixes\n\nThe solution is to update to the latest fix pack. 
\n \n \n\n\n**Affected Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n \n8.0.1.x\n\n| \n\n[Install Rational ClearQuest Fix Pack 8 (8.0.1.8)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039864>) \n \n8.0.0.x\n\n| \n\n[Install Rational ClearQuest Fix Pack 15 (8.0.0.15)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039862>) \n \n7.1.2.x \n7.1.1.x\n\n| \n\nCustomers with extended support contracts should install [Rational ClearQuest Fix Pack 18 (7.1.2.18) ](<http://www-01.ibm.com/support/docview.wss?uid=swg24039860>) \n \n \n \nYou should verify applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-09-29T18:04:03", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM Rational ClearQuest (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-09-29T18:04:03", "id": "D06E9BDBBBA9D9235FA43D7E1CE553B024D6C0D9889FD94B63A28B5FF11F8829", "href": "https://www.ibm.com/support/pages/node/257731", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:40:16", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae Runtime Environment Java\u2122 Technology Edition that is used by ClearQuest Eclipse client. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\n * * ClearQuest Eclipse clients that use Report Designer, run remote reports on servers using secure connections, or use the embedded browser to connect to secure web sites.\n\n**ClearQuest Eclipse**\n\n| \n\n**Status** \n \n---|--- \n \n8.0.1 through 8.0.1.7\n\n| \n\nAffected \n \n8.0 through 8.0.0.14\n\n| \n\nAffected \n \n7.1.2 through 7.1.2.17\n\n| \n\nAffected \n \n7.1.0.x, 7.1.1.x (all versions and fix packs)\n\n| \n\nAffected \n \n## Remediation/Fixes\n\nThe solution is to update to the latest fix pack. 
\n \n\n\n**ClearQuest Eclipse**\n\n| \n\n**Fix pack required before applying manual fix** \n \n---|--- \n \n8.0.1 through 8.0.1.7\n\n| \n\n[Install Rational ClearQuest Fix Pack 8 (8.0.1.8)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039864>) \n \n8.0 through 8.0.0.14\n\n| \n\n[Install Rational ClearQuest Fix Pack 15 (8.0.0.15)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039862>) \n \n7.1.2 through 7.1.2.17\n\n| \n\nCustomers with extended support contracts should install[ Rational ClearQuest Fix Pack 18 (7.1.2.18) ](<http://www-01.ibm.com/support/docview.wss?uid=swg24039860>) \n \n7.1.0.x, 7.1.1.x (all versions and fix packs)\n\n| \n\nCustomers with extended support contracts should install [](<http://www-01.ibm.com/support/docview.wss?uid=swg24039860>)[Rational ClearQuest Fix Pack 18 (7.1.2.18) ](<http://www-01.ibm.com/support/docview.wss?uid=swg24039860>) \n \n \nYou should verify applying this fix does not cause any compatibility issues. \n \n_For unsupported versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## ", "cvss3": {}, "published": "2018-09-29T18:04:03", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Java runtime affect ClearQuest Eclipse (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-09-29T18:04:03", "id": "9D7101E117A4070FAFB4A7B104EAECB6DFD44AE8B546A3A6E1365725AA7F9A28", "href": "https://www.ibm.com/support/pages/node/261229", "cvss": {"score": 4.3, 
"vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:48:59", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 that is used by Rational Insight.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nRational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5 and 1.1.1.6\n\n## Remediation/Fixes\n\nApply the recommended fixes to all affected versions of Rational Insight. 
\n \n \n**Rational Insight 1.1 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 11 (Implemented by file 10.1.6305.1016)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039727>) \nReview technote [1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg21679272>) for detailed instructions.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 11 (Implemented by file 10.1.6305.1016)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039727>) \nRead technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.3 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 10 (Implemented by file 10.2.5000.1153)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039726>) \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.4 and 1.1.1.5 and 1.1.1.6 ** \n \n\n\n 1. If the Data Collection Component or Jazz Reporting Serivce are used, perform this step first. \nReview the topics in <http://www-01.ibm.com/support/docview.wss?uid=swg21699296> for addressing the listed vulnerabilities in their underlying Jazz Team Server. \n\n 2. 
If the Cognos-based reporting server is used, also perform this step. \nDownload the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 9 (Implemented by file 10.2.5006.1016)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039726>) \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:13", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affects Rational Insight (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T05:01:13", "id": "C77F41E1A40A497E70A3BC1A7C0EAD9FB42719CFF54CB8725681FE37A4EC05C1", "href": "https://www.ibm.com/support/pages/node/259293", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:47:18", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Version 6, 6.1, 7, and 8.5 that is used by Tivoli Netcool Impact. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nTivoli Netcool Impact versions 5.1; 5.1.1; 6.1; 6.1.1; 7.1\n\n## Remediation/Fixes\n\n_VRMF_\n\n| _Websphere release level_| _Remediation_ \n---|---|--- \n7.1.0| 8.5| Apply Interim Fix [_PI36563_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039583>) and [7.1.0-TIV-NCI-FP0003](<http://www-01.ibm.com/support/docview.wss?uid=swg24040149>) for Java SDK upgrade fix for PI37013. 
[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038810>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038089>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036966>)[](<http://www.ibm.com/support/docview.wss?uid=swg24036508>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035400>)[](<http://www.ibm.com/support/docview.wss?uid=swg24035008>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034806>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034592>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037534>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037709>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036966>)[](<http://www.ibm.com/support/docview.wss?uid=swg24036508>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035400>)[](<http://www.ibm.com/support/docview.wss?uid=swg24035008>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034806>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034592>) \n6.1.1| 7.0| Apply Interim Fix[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>) [_PI36563_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039583>) and [_PI37013_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039694>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039292>):[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038816>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038094>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037515>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036968>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036504>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035397>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034997>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034443>) \n6.1| 7.0| Apply Interim Fix[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>) [_PI36563_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039583>) and 
[_PI37013_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039694>): \n5.1.1| 6.1| Apply Interim Fix [_PI36563_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039583>) and Fix PI37015 \n5.1| 6.1| Apply Interim Fix [_PI36563_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039583>) and Fix PI37015 \n \nFor more information and the location of the above fixes, see [http://www-01.ibm.com/support/docview.wss?uid=swg21698613](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>)\n\n## Workarounds and Mitigations\n\nSee [http://www-01.ibm.com/support/docview.wss?uid=swg21698613](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>)\n\n## ", "cvss3": {}, "published": "2018-06-17T14:59:23", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Netcool Impact (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T14:59:23", "id": "35C083A435A896FC1233AF3780CFAEEB9F01575136F17A20FDB83F464E5AD939", "href": "https://www.ibm.com/support/pages/node/259589", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:51:01", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Security SiteProtector System. The GSKit that is shipped with SiteProtector contains a security vulnerability known as \u201cFREAK: Factoring Attack on RSA-EXPORT keys\", a TLS/SSL client and server vulnerability. IBM Security SiteProtector System has addressed the applicable CVE.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Security SiteProtector System 3.0, 3.1.0 and 3.1.1\n\n## Remediation/Fixes\n\n \nYou should verify applying this fix does not cause any compatibility issues. 
\n \nApply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view: \n \n**For SiteProtector 3.0:** \nSiteProtector Core Component: ServicePack3_0_0_7.xpu \nEvent Collector Component: RSEvntCol_WINNT_ST_3_0_0_6.xpu \nAgent Manager Component: AgentManager_WINNT_XXX_ST_3_0_0_37.xpu \n \n**For SiteProtector 3.1.0:** \nSiteProtector Core Component: ServicePack3_1_0_4.xpu \nEvent Collector Component: RSEvntCol_WINNT_ST_3_1_0_4.xpu \nAgent Manager Component: AgentManager_WINNT_XXX_ST_3_0_0_19.xpu \n \n**For SiteProtector 3.1.1:** \nSiteProtector Core Component: ServicePack3_1_1_2.xpu \nEvent Collector Component: RSEvntCol_WINNT_ST_3_1_1_2.xpu \nAgent Manager Component: AgentManager_WINNT_XXX_ST_3_0_0_7.xpu \nUpdate Server Component: UpdateServer_3_1_1_2.pkg \nEvent Archiver Component: EventArchiver_3_1_1_2.pkg \nEvent Archiver Importer Component: EventArchiverImporter_3_1_1_2.zip \nManual Upgrader Component: MU_3_1_1_3.xpu\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T21:23:18", "type": "ibm", "title": "Security Bulletin: A GSKit vulnerability affects IBM Security SiteProtector System (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-16T21:23:18", "id": "ECCE014D73B98FA8DFDAF62FBE6CB38DC60F865162B6796DE08DE157BB863D0D", "href": "https://www.ibm.com/support/pages/node/258465", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": 
"2023-02-21T01:49:01", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae SDK Java\u2122 Technology Edition, Version JDK7sr8, JDK6sr16fp2 that is used by Build Forge. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nBuild Forge Versions: 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3, 7.1.3, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.3.5, 7.1.3.6, 8.0, 8.0.0.1, 8.0.0.2.\n\n## Remediation/Fixes\n\n**Affected Version**| **Fix** \n---|--- \nBuild Forge 7.1.2.0 - 7.1.2.3| [_7.1.2.3 iFix 7_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FRational&product=ibm/Rational/Rational+Build+Forge&release=All&platform=All&function=fixId&fixids=buildforge-7.1.2.3-7-0096&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nBuild Forge 7.1.3.0 - 7.1.3.6| [_7.1.3.6 iFix 
6_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FRational&product=ibm/Rational/Rational+Build+Forge&release=All&platform=All&function=fixId&fixids=buildforge-7.1.3.6-6-0090&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nBuild Forge 8.0 - 8.0.0.2| [_8.0.0.2 iFix 7_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FRational&product=ibm/Rational/Rational+Build+Forge&release=All&platform=All&function=fixId&fixids=buildforge-8.0.0.2-7-0085&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n## ", "cvss3": {}, "published": "2018-06-17T05:01:08", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affects Build Forge (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T05:01:08", "id": "6271F6FCAD10280D06C3D0EFB9B0651AFBB756F13F6563A8DB2DD36838E38373", "href": "https://www.ibm.com/support/pages/node/258735", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:03", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM PureApplication System. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin: [Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected IBM WebSphere Application Server Hypervisor Edition Versions \n---|--- \nIBM PureApplication System versions 1.0, 1.1, and 2.0| Versions 8.5, 8, 7, and 6.1 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:02:47", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Hypervisor Edition shipped with IBM PureApplication System (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:47", "id": "85A7B696106AFFC135FC8B00290DAFFD29A00A70759CC6A6AB13CAE2B826FF3C", "href": "https://www.ibm.com/support/pages/node/259935", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:03", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nFor vulnerability details, see the security bulletin [Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698613>).\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nWebSphere Remote Server version 6.2, 6.2.1, 7.0, 7.1.1, 7.1.2, 8.5| WebSphere Application Server version 6.1, 7.0, 8.0, 8.5, 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:02:46", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:46", "id": "CF742788FBB5E737985FFECC4AE0A251E995D621D6DFFEB06044D6DCAF951F3B", "href": "https://www.ibm.com/support/pages/node/259463", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:01", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Workload Deployer. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin: [Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected IBM WebSphere Application Server Hypervisor Edition Versions \n---|--- \nIBM Workload Deployer v3.1 and later| Versions 8.5, 8, 7, and 6.1 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:02:48", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Hypervisor Edition shipped with IBM Workload Deployer (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:48", "id": "8888F22093A992161C145D8EB8FA3C1CCAB260B1D3FDE8B046A922FCEA3019A0", "href": "https://www.ibm.com/support/pages/node/259937", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:37:24", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects some versions of DS8000.\n\n## Vulnerability Details\n\n \n**CVEID:** 
[_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)\n\n**DESCRIPTION:** A vulnerability in SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. A client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nDS8870 prior to R7.2 \n\nDS8800/DS8700 prior to SP9 (86.31.142.0 / 76.31.121.0 respectively) which have not applied the ISO CD patch named RemoveWeakCertificatesv1.0 or RemoveWeakCertificatesV1.1\n\nDS8100/DS8300 even if they have applied the above patch.\n\n## Remediation/Fixes\n\nAs noted, DS8870 at R7.2 and above (87.21.5.0 or above) and DS8800/DS8700 at SP9 (86.31.142.0 / 76.31.121.0 or above) are not impacted.\n\nDS8700/DS8800/DS8870 customers should upgrade to a version which is not impacted or apply the patch noted below.\n\nDS8100/DS8300 customers should apply the patch noted below.\n\n**Patch Release**\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nDS8870 prior to R7.2| N/A| CVE_WEAK_CIPHER_PATCH_v1.0| 03/23/2015 \nDS8800 prior to 6.3 SP 9| N/A| CVE_WEAK_CIPHER_PATCH_v1.0| 03/23/2015 \nDS8700 prior to 6.3 SP 9| N/A| CVE_WEAK_CIPHER_PATCH_v1.0| 03/23/2015 \nDS8100/DS8300| N/A| CVE_WEAK_CIPHER_PATCH_v1.0| 03/23/2015 \n \n## ", "cvss3": {}, "published": "2022-05-24T17:06:20", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM 
Java SDK Runtime affects DS8000 (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2022-05-24T17:06:20", "id": "81ED11E63F71140E384926E4D91E9803BA0C9E42CE076CAD7CFF08561DF8F30A", "href": "https://www.ibm.com/support/pages/node/690333", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:10", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Liberty Profile Version 8.5.5 that is used by IBM MQ Light.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nThe vulnerability affects users of IBM MQ Light V1.0 and V1.0.0.1 on all platforms.\n\n## Remediation/Fixes\n\nDownload and install the appropriate MQ Light Server for your platform as shown below: \n\n**Platform**| **License Type**| **APAR**| **Remediation/Fix** \n---|---|---|--- \nWindows| Developer| IT08000| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-developer-L150408-IT08000&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-developer-L150408-IT08000&includeSupersedes=0>) \nWindows| Production| IT08000| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-production-L150408-IT08000&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-production-L150408-IT08000&includeSupersedes=0>) \nLinux| Developer| IT08000| 
[http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-developer-L150408-IT08000&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-developer-L150408-IT08000&includeSupersedes=0>) \nLinux| Production| IT08000| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-production-L150408-IT08000&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-production-L150408-IT08000&includeSupersedes=0>) \nMac| Developer| IT08000| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Mac-x64-developer-L150408-IT08000&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Mac-x64-developer-L150408-IT08000&includeSupersedes=0>) \n \nThe following link describes how to re-use the data from your existing installation: \n[_http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm_](<http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm>) \n \nYou should verify applying this fix does not cause any compatibility issues. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:43", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM MQ Light (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:43", "id": "C8952ECDD3564BBA8B61A29BAC788E0C39BC4C6B74A7561C74F788F8D624DE0B", "href": "https://www.ibm.com/support/pages/node/258825", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-23T21:52:11", "description": "## Summary\n\nIBM Tivoli Monitoring, Tivoli Application Dependency Discovery Manager, IBM System Director and Tivoli Common Reporting are shipped as components of IBM System Director Editions. Information about the security vulnerability affecting these components has been published in the security bulletin.\n\n## Vulnerability Details\n\n
Please consult the security bulletins listed below for the vulnerability details of the affected products.\n\n## Affected products and versions\n\nAffected Product and Version(s) | Product and Version shipped as a component | Security Bulletin \n---|---|--- \nIBM System Director Editions 6.2.0.0 | IBM Tivoli Monitoring 6.2.2.02. base FP2 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.2.0.0 | Tivoli Application Dependency Discovery Manager v7.2 | <http://www-01.ibm.com/support/docview.wss?uid=swg21701949> \nIBM System Director Editions 6.2.0.0 | Tivoli Common Reporting 1.3 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.2.0.0 | IBM System Director 6.2.0.0 | [http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \nIBM System Director Editions 6.2.1.0 | IBM Tivoli Monitoring 6.2.2 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.2.1.0 | Tivoli Application Dependency Discovery Manager v7.2 | <http://www-01.ibm.com/support/docview.wss?uid=swg21701949> \nIBM System Director Editions 6.2.1.0 | Tivoli Common Reporting 1.3 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.2.1.0 | IBM System Director 6.2.1.0 | [http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \nIBM System Director Editions 6.3.0.0 | IBM Tivoli Monitoring 6.2.3 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.3.0.0 | Tivoli Application Dependency Discovery Manager v7.2.1 | 
<http://www-01.ibm.com/support/docview.wss?uid=swg21701949> \nIBM System Director Editions 6.3.0.0 | Tivoli Common Reporting 2.1.1 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.3.0.0 | IBM System Director 6.3.0.0 | [http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \nIBM System Director Editions 6.3.2.0 | IBM Tivoli Monitoring 6.3 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.3.2.0 | Tivoli Common Reporting 3.1 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.3.2.0 | IBM System Director 6.3.2.0 | [http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \n \n## Workarounds and Mitigations:\n\nNone\n\n## References:\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n\n**Acknowledgement**\n\nNone\n\n**Change History** \n27 May 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Tivoli Monitoring, Tivoli Application Dependency Discovery Manager, IBM Systems Director and Tivoli Common Reporting with IBM System Director Editions (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-0138"], "modified": "2019-01-31T01:55:01", "id": "B8F8FAB6D9387300926404BC53D8D8ADA0A1DADFC7A4CF32B99AAEAF7D05C0A1", "href": "https://www.ibm.com/support/pages/node/867184", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-12T21:34:52", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 1.7 that is used by TSSC/IMC.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nTSSC/IMC 7.x\n\n## Remediation/Fixes\n\nPlease update to TSSC/IMC 7.4.15. Contact IBM service for update. You should verify applying this fix does not cause any compatibility issues.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:23", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime affects TSSC/IMC (TS3000) (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-18T00:09:23", "id": "C590C7F04E350EBE4E25E96737987B9BD9D85F3B04F15E8804A350221FF2C7D6", "href": "https://www.ibm.com/support/pages/node/690365", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:39:58", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Personal Communications. 
The GSKit that is shipped with IBM Personal Communications 6.0.13 and before contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. IBM Personal Communications 6.0.14 addresses the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM Personal Communications - 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13\n\n## Remediation/Fixes\n\nYou should verify applying this fix does not cause any compatibility issues. 
\n \n\n\n_Product_| _VRMF_| _Remediation/First Fix_ \n---|---|--- \n_IBM Personal Communications _| _6.0.14_| _23rd March 2015_ \n \n_For__ IBM Personal Communications 6.0.13 and before, __IBM recommends upgrading to IBM Personal Communications 6.0.14, released on 23rd March 2015._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2019-03-05T12:59:26", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM Personal Communications v6.0.x (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2019-03-05T12:59:26", "id": "CB75C0BD6B5A0A9FF5998DBD89782237D668B1C0A1067F7074DB5DF83F11FED2", "href": "https://www.ibm.com/support/pages/node/257559", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:48:59", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae SDK Java\u2122 Technology Edition, Version 5, 6 and 7 that is used by Rational Service Tester related to the use of TLS/SSL. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nRational Service Tester versions 8.2.*, 8.3.*, 8.5.*, 8.6.* and 8.7.\n\n## Remediation/Fixes\n\nA fix is available as described below \n \n\n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nRST| 8.7| None| Download [Java 7 SR8 FP10 +IV70681](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRST| 8.6 - 8.6.x| None| Download[ Java 7 SR8 FP10 +IV70681 ](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRST| 8.5 - 8.5.x| None| Download[ Java 7 SR8 FP10 +IV70681](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRST| 8.3 - 8.3.x| None| Download [Java 7 SR8 FP10 +IV70681](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \nRST| 
8.2 - 8.2.1.x| None| Download [Java 7 SR8 FP10 +IV70681 ](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:25", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affects Rational Service Tester (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T05:01:25", "id": "9825FBBD59935C89C7054E7D70765761F175FA0631E7EFFDF7204FC8BED3C3D8", "href": "https://www.ibm.com/support/pages/node/259825", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:11", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability may affect some configurations of WebSphere Application Server used by WebSphere Service Registry and Repository.\n\n## Vulnerability Details\n\n**CVEID**: [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION**: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM SOA Policy Gateway Pattern for AIX Server 2.5 and 2.0\n\n## Remediation/Fixes\n\nPlease note that the default configuration of WebSphere Application Server and WebSphere Service Registry and Repository uses a \"STRONG\" or \"HIGH\" secure cipher list, which does not use RSA Export ciphers, so you would not be affected if you have not changed your ciphers. \n\nFor advice on mitigating FREAK on servers which deviate from this default configuration, please apply the mitigations indicated in the WebSphere Application Server bulletin at [http://www.ibm.com/support/docview.wss?uid=swg21698613](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>). 
You should verify applying this configuration change does not cause any compatibility issues.\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:46", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java runtime affects IBM SOA Policy Gateway Pattern for AIX Server (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:46", "id": "4DC0A8334FA74CC72F7413D6B655F0E3EAACB5A860F1209C78A77DBEFC89B0BE", "href": "https://www.ibm.com/support/pages/node/259501", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-23T21:52:13", "description": "## Vulnerability Details\n\n## Summary\n\nIBM Tivoli Monitoring, Tivoli Application Dependency Discovery Manager, IBM System Director and Tivoli Common Reporting are shipped as components of IBM System Director Editions. Information about the security vulnerability affecting these components has been published in the security bulletin.\n\n**Vulnerability Details**\n\nPlease consult the security bulletins listed below for the vulnerability details of the affected products.\n\n## Affected products and versions\n\nAffected Product and Version(s) | Product and Version shipped as a component | Security Bulletin \n---|---|--- \nIBM System Director Editions 6.2.0.0 | IBM Tivoli Monitoring 6.2.2.02. 
base FP2 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.2.0.0 | Tivoli Application Dependency Discovery Manager v7.2 | <http://www-01.ibm.com/support/docview.wss?uid=swg21701949> \nIBM System Director Editions 6.2.0.0 | Tivoli Common Reporting 1.3 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.2.0.0 | IBM System Director 6.2.0.0 | [ http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \nIBM System Director Editions 6.2.1.0 | IBM Tivoli Monitoring 6.2.2 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.2.1.0 | Tivoli Application Dependency Discovery Manager v7.2 | <http://www-01.ibm.com/support/docview.wss?uid=swg21701949> \nIBM System Director Editions 6.2.1.0 | Tivoli Common Reporting 1.3 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.2.1.0 | IBM System Director 6.2.1.0 | [ http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \nIBM System Director Editions 6.3.0.0 | IBM Tivoli Monitoring 6.2.3 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.3.0.0 | Tivoli Application Dependency Discovery Manager v7.2.1 | <http://www-01.ibm.com/support/docview.wss?uid=swg21701949> \nIBM System Director Editions 6.3.0.0 | Tivoli Common Reporting 2.1.1 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.3.0.0 | IBM System Director 6.3.0.0 | [ http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \nIBM System Director Editions 6.3.2.0 | IBM Tivoli Monitoring 
6.3 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.3.2.0 | Tivoli Common Reporting 3.1 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.3.2.0 | IBM System Director 6.3.2.0 | [ http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \n \n## Reference\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n * [OpenSSL Project vulnerability website](<http://www.openssl.org/news/vulnerabilities.html>)\n\n**Related Information** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n27 May 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin:Vulnerability in IBM Java Runtime affects IBM Tivoli Monitoring, Tivoli Application Dependency Discovery Manager, IBM Systems Director and Tivoli Common Reporting with IBM System Director Editions.(CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-0138"], "modified": "2019-01-31T01:55:01", "id": "AC5F4ED214203EFCAD3F989937F2121781E2F7F8A7A41ACF185250C39717A25B", "href": "https://www.ibm.com/support/pages/node/867234", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:48:58", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae SDK Java\u2122 Technology Edition that is used by Rational Automation Framework,\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. 
\n \n**CVSS Base Score**: 4.3 \n**CVSS Temporal Score**: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \n**CVSS Environmental Score***: Undefined \n**CVSS Vector**: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nRational Automation Framework 3.0.1, 3.0.1.1, 3.0.1.2, 3.0.1.2.1, 3.0.1.3 and 3.0.1.3.1 on all supported platforms.\n\n## Remediation/Fixes\n\nUpgrade to [RAF 3.0.1.3 ifix2](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Automation+Framework&release=3.0.1.3i2&platform=All&function=all>)[ ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Automation+Framework&release=3.0.1.3i2&platform=All&function=all>)or later.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:24", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affects Rational Automation Framework (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T05:01:24", "id": "6C4CC25BCEEE0FFD214CA09BCBD23E6E7D97A8749334FD5EF15BFF592A2C1B17", "href": "https://www.ibm.com/support/pages/node/259637", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:36:18", "description": "## Summary\n\nThe \"FREAK: Factoring Attack on RSA-EXPORT keys\" 
TLS/SSL client and server vulnerability (CVE-2015-0138) may affect some configurations of IBM HTTP Server for WebSphere Application Server and IBM WebSphere EDGE caching proxy. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack. \n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nThe following IBM HTTP Server for WebSphere Application Server and WebSphere EDGE Caching Proxy versions may be affected: \n\n * Version 8.5 and 8.5.5\n * Version 8 \n * Version 7 \n * Version 6.1\n\n## Remediation/Fixes\n\n**For affected IBM HTTP Server for WebSphere Application Server:** \n \nIf you are using SSLProxyEngine ON in IBM HTTP Server and connecting to unknown servers that may still have RSA_Export ciphers enabled, then you should apply an interim fix or fix pack as noted below: \n \n**For V8.5.0.0 through 8.5.5.5 Full Profile:**\n\n\u00b7 Apply Interim Fix [PI36417](<http://www-01.ibm.com/support/docview.wss?uid=swg24039744>)\n\n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.6 or later. 
\n\n**For V8.0 through 8.0.0.10:** \n\u00b7 Apply Interim Fix [PI36417](<http://www-01.ibm.com/support/docview.wss?uid=swg24039744>)\n\n\\--OR-- \n\u00b7 Apply Fix Pack 8.0.0.11 or later. \n\n**For V7.0.0.0 through 7.0.0.37:** \n\u00b7 Apply Interim Fix [PI36417](<http://www-01.ibm.com/support/docview.wss?uid=swg24039744>)\n\n\\--OR-- \n\u00b7 Apply Fix Pack 7.0.0.39 or later. \n\n**For V6.1.0.0 through 6.1.0.47:** \n\u00b7 Upgrade to Fix Pack 6.1.0.47 and then apply Interim Fix [PI36417](<http://www-01.ibm.com/support/docview.wss?uid=swg24039744>)\n\n**For V6.0.0.0 through 6.0.2.43:** \n\u00b7 Upgrade to Fix Pack 6.0.2.43 and then apply Interim Fix PI36417 from IBM Support.\n\n \n \nIf you are using an earlier unsupported release, IBM strongly recommends that you upgrade. \n\n## Workarounds and Mitigations\n\n**For IBM HTTP Server Version 7.0.0.37 and later, IBM HTTP Version 8, IBM HTTP Version 8.5.x:** \n \nThese versions and fix packs disable RSA_EXPORT ciphers by default and are unaffected. If you have overridden the default TLS ciphers with the 'SSLCipherSpec' directive (see parameters below), those RSA_EXPORT ciphers should be removed: \n\n\n * Ciphers specified by name and containing the word 'EXPORT' in their names.\n * Ciphers specified by 2-digit code: 33, 36, 62, 64, 24, 22 \n\n \n**For IBM HTTP Server Version 7.0.0.0 through 7.0.0.35 and IBM HTTP Server Versions 6.1 and earlier:** \nThese versions and fix packs include all available ciphers by default and are affected by this vulnerability in the absence of explicit configuration restricting the configured ciphers. 
For each httpd.conf context containing 'SSLEnable', ensure the following criteria are met: \n\n\n * Ensure at least one SSLCipherSpec directive is set in the same context as SSLEnable, using at least one of these strong ciphers:\n * SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA\n * SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA\n * SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA\n * Ensure none of the following ciphers are specified; if they are, remove them:\n * Ciphers specified by name and containing the word 'EXPORT' in their names.\n * Ciphers specified by 2-digit code: 33, 36, 62, 64, 24, 22\n \n \nFor any outbound connections, IBM recommends ensuring that any servers IBM HTTP Server connects to also have RSA_EXPORT ciphers disabled. Features of IBM HTTP Server that make outbound HTTPS connections require the configuration directive 'SSLProxyEngine ON' and additionally require directives such as 'ProxyPass', 'ProxyPassMatch', and 'RewriteRule' with the [P] flag. Related functionality exists in the WebSphere Application Server WebServer Plug-in. \n \n**For IBM WebSphere EDGE Caching proxy Version 8.0 and later:** \n \nThese versions and fix packs disable RSA_EXPORT ciphers by default and are unaffected. If you have overridden the default TLS ciphers with the 'V3CipherSpecs', 'TLSV11CipherSpecs' or 'TLSV12CipherSpecs' directives (see parameters below), those RSA_EXPORT ciphers should be removed: \n\n\n * Ciphers specified by name and containing the word 'EXPORT' in their names.\n * Ciphers specified by 2-digit code: 03, 06, 62, 64 \n\n \n**For IBM WebSphere EDGE Caching Proxy Versions 7.0 and earlier:** \nThese versions and fix packs include the '0A, 09, 05, 06, 64, 62, 04, 03, 02, 01, 00' ciphers by default and are affected by this vulnerability in the absence of explicit configuration restricting the configured ciphers. 
\n \nEnsure none of the following ciphers are specified; if they are, remove them: \n\n * Ciphers specified by name and containing the word 'EXPORT' in their names.\n * Ciphers specified by 2-digit code: 33, 36, 62, 64, 24, 22\n \nIn these releases, the following ciphers are the strongest supported: \n\n * TLS_RSA_WITH_AES_128_CBC_SHA (2F) \n * TLS_RSA_WITH_AES_256_CBC_SHA (35)\n \nFor any outbound connections, IBM recommends ensuring that any servers IBM WebSphere EDGE Caching proxy connects to also have RSA_EXPORT ciphers disabled. \n\n## ", "cvss3": {}, "published": "2022-09-08T00:09:56", "type": "ibm", "title": "Security Bulletin: Vulnerability with RSA Export Keys may affect IBM HTTP Server and WebSphere EDGE Caching Proxy (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2022-09-08T00:09:56", "id": "9D8FD967B563EB10DC5FC0FAC977A00C29B4A75950B67D3C9A89093934A12FD3", "href": "https://www.ibm.com/support/pages/node/257477", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:35:58", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability (CVE-2015-0138) may affect some configurations of IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile, and IBM WebSphere Application Server Hypervisor Edition.\n\n## Vulnerability Details\n\n**CVE-ID**: 
[_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)\n\n**DESCRIPTION**: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack. \n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n \nMaximo Asset Management 7.6, 7.5, 7.1 \nMaximo Asset Management Essentials 7.5, 7.1 \nMaximo for Government 7.5, 7.1 \nMaximo for Nuclear Power 7.5, 7.1 \nMaximo for Transportation 7.5, 7.1 \nMaximo for Life Sciences 7.5, 7.1 \nMaximo for Oil and Gas 7.5, 7.1 \nMaximo for Primavera 7.5, 7.1 \nMaximo for Utilities 7.5, 7.1 \nSmartCloud Control Desk 7.5 \nTivoli Asset Management for IT 7.2, 7.1 \nTivoli Service Request Manager 7.2, 7.1 \nChange and Configuration Management Database 7.2, 7.1 \nIntelligent Building Management 1.1 | \n\nIBM WebSphere Application Server 8.5.5 \nIBM WebSphere Application Server 8.5 \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 6.1 \n \n## Remediation/Fixes\n\nPlease refer to Workarounds and Mitigations below.\n\n## Workarounds and Mitigations\n\nBy default, the WebSphere Application Server SSL configuration is set to use the \"STRONG\" or \"HIGH\" secure cipher list which does not use RSA Export 
ciphers, so you would not be affected if you have not changed your ciphers. \n\n \nIf you have overridden the default configuration to use the \"MEDIUM\" secure cipher list, it will contain the RSA Export ciphers. You should change this configuration to use \"STRONG\" or \"HIGH\". \n \nIf you have configured a \"CUSTOM\" list of ciphers that includes an RSA Export cipher, then you should remove those RSA Export ciphers from the Application Server configuration. \n \nFor any outbound connections, IBM recommends ensuring that any servers WebSphere Application Server connects to also have RSA Export ciphers disabled. \n\n## ", "cvss3": {}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: Vulnerability with RSA Export Keys May Affect IBM WebSphere Application Server on Asset and Service Management (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2022-09-22T03:02:31", "id": "53BF623AA722F72CE5ADFE866B98F9C352C7153B5036BD4F44218D79F03B13EC", "href": "https://www.ibm.com/support/pages/node/258895", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:36:18", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Full Profile (and IBM WebSphere Application Server Hypervisor Edition) that is used by WebSphere Process Server (and WebSphere Process Server 
Hypervisor Editions).\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n * WebSphere Process Server V7.0\n * WebSphere Process Server Hypervisor Editions V6.2, V7.0\n\nFor earlier unsupported versions of the above products IBM recommends upgrading to a fixed, supported version of the products.\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698613>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-09-15T18:51:00", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects WebSphere Process Server and WebSphere Process Server Hypervisor Editions (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2022-09-15T18:51:00", "id": "88ED6434C339FC19F1478A1680F90F3960F8FBFEE85C7C4B449C4E1407DD071F", "href": "https://www.ibm.com/support/pages/node/258579", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:38:39", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Liberty Profile Version 8.5 that is used by Power Hardware Management Console.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nPower HMC V7.7.8.0 \nPower HMC V7.7.9.0 \nPower HMC V8.8.1.0 \nPower HMC V8.8.2.0\n\n## Remediation/Fixes\n\nThe Following fixes are available on IBM Fix Central at <http://www-933.ibm.com/support/fixcentral/>\n\nProduct| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nPower HMC| V7.7.8.0 SP2| MB03892| Apply eFix MH01504 \nPower HMC| V7.7.9.0 SP2| MB03893| Apply eFix MH01505 \nPower HMC| V8.8.1.0 SP1| MB03894| Apply eFix MH01506 \nPower HMC| V8.8.2.0 SP1| MB03895| Apply eFix MH01507 \nYou should verify applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2021-09-23T01:31:39", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Power Hardware Management Console (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2021-09-23T01:31:39", "id": "4DE3F235DB56885BEC38FC17BF7C67C9840D8357D7B343F1FB2F45ED9EB735FF", "href": "https://www.ibm.com/support/pages/node/646193", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-09-29T18:26:54", 
"description": "## Abstract\n\nIBM WebSphere Application Server is shipped as a component of IBM Integrated Information Core. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Content\n\n**Vulnerability Details** \nPlease consult the security bulletin [Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698613>) for vulnerability details and information about fixes. \n \n**Affected Products and Versions**\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version** \n---|--- \nIBM Integrated Information Core V1.5 and 1.5.0.1| IBM WebSphere Application Server \n \n**Change History** \n29 May 2015: Original Version Published \n\n[{\"Product\":{\"code\":\"SS8TBK\",\"label\":\"IBM Integrated Information Core\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"1.5;1.4;1.5.0.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}}]", "cvss3": {}, "published": "2022-09-25T21:21:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Integrated Information Core (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], 
"modified": "2022-09-25T21:21:12", "id": "F59809CE9D4F3F2D2A03090B55E54276D439DAD51C4F7A6E10F50212DD6A92F6", "href": "https://www.ibm.com/support/pages/node/260443", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:40:03", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae SDK Java\u2122 Technology Edition, Versions 7, 6 that is used by Rational Functional Tester.\n\n## Vulnerability Details\n\n**CVEID**: [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>) \n \n**Description**: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \n \n**CVSS Base Score**: 4.3 \n**CVSS Temporal Score**: <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score. 
\n**CVSS Environmental Score***: Undefined \n**CVSS Vector**: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nAll versions of Rational Functional Tester from 8.0.0.0 through 8.6.0.3\n\n## Remediation/Fixes\n\n**Vendor Fixes:** \n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation/First fix** \n---|---|---|--- \nRFT| 8.6.0 - 8.6.0.x| None| \n\n * Download the IBM SDK, Java Technology Edition, Version 7.0 Service Refresh 8 Fix Pack 10 [iFix](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Functional+Tester&release=8.6.0.1&platform=All&function=fixId&fixids=Rational-RFT-Java7SR8FP10a-ifix&includeSupersedes=0&source=fc>) from the Fix Central and apply it.\n * Download the SWT Beans Library [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-Xmc7ysKxRPgt>) and apply it. \nRFT| 8.5.1 - 8.5.1.x| None| \n\n * Download the IBM SDK, Java Technology Edition, Version 7.0 Service Refresh 8 Fix Pack 10 [iFix](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Functional+Tester&release=8.6.0.1&platform=All&function=fixId&fixids=Rational-RFT-Java7SR8FP10a-ifix&includeSupersedes=0&source=fc>) from the Fix Central and apply it.\n * Download the SWT Beans Library [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-Xmc7ysKxRPgt>) and apply it \nRFT| 8.5.0 - 8.5.0.x| None| \n\n * Download the IBM SDK, Java Technology Edition, Version 7.0 Service Refresh 8 Fix Pack 10 [iFix](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Functional+Tester&release=8.6.0.1&platform=All&function=fixId&fixids=Rational-RFT-Java7SR8FP10a-ifix&includeSupersedes=0&source=fc>) from the Fix Central and apply it.\n * Download the SWT Beans Library [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-Xmc7ysKxRPgt>) and apply it. 
\nRFT| 8.3.0 - 8.3.0.x| None| \n\n * Download the IBM SDK, Java Technology Edition, Version 7.0 Service Refresh 8 Fix Pack 10 [iFix](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Functional+Tester&release=8.6.0.1&platform=All&function=fixId&fixids=Rational-RFT-Java7SR8FP10a-ifix&includeSupersedes=0&source=fc>) from the Fix Central and apply it.\n * Download the SWT Beans Library [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-Xmc7ysKxRPgt>) and apply it. \nRFT| 8.2.2.x| None| \n\n * Download the IBM SDK, Java Technology Edition, Version 6.0 64-bit Service Refresh 16 Fix Pack 3 [iFix](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Functional+Tester&release=8.2.2.1&platform=All&function=fixId&fixids=Rational-RFT-Java6SR16FP3a_64bitSupport-ifix&includeSupersedes=0&source=fc>) from the Fix Central and apply it.\n * Download the SWT Beans Library [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-Xmc7ysKxRPgt>) and apply it. \nRFT| 8.2.0 - 8.2.x.x| None| \n\n * Download the IBM SDK, Java Technology Edition, Version 6.0 Service Refresh 16 Fix Pack 3 [iFix](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Functional+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RFT-Java6SR16FP3a-ifix&includeSupersedes=0&source=fc>) from the Fix Central and apply it.\n * Download the SWT Beans Library [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-Xmc7ysKxRPgt>) and apply it. 
\nRFT| 8.1.0 - 8.1.x - 8.1.x.x| None| \n\n * Download the IBM SDK, Java Technology Edition, Version 6.0 Service Refresh 16 Fix Pack 3 [iFix](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Functional+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RFT-Java6SR16FP3a-ifix&includeSupersedes=0&source=fc>) from the Fix Central and apply it. \n * Download the SWT Beans Library [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-Xmc7ysKxRPgt>) and apply it. \nRFT| 8.0.0.x - 8.0.x.x| None| \n\n * Download the IBM SDK, Java Technology Edition, Version 6.0 Service Refresh 16 Fix Pack 3 [iFix](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Functional+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RFT-Java6SR16FP3a-ifix&includeSupersedes=0&source=fc>) from the Fix Central and apply it.\n * Download the SWT Beans Library [fix](<ftp://ftp.software.ibm.com/software/rational/private/RFT-Xmc7ysKxRPgt>) and apply it. \n \n**Note**: You should verify that applying this fix does not cause any compatibility issues. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-09-29T20:06:32", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affects Rational Functional Tester (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-09-29T20:06:32", "id": "7408B0D116F1ACA3FBA42438A5C7BD95C4346FE353E99C771B9793BC2CA7A556", "href": "https://www.ibm.com/support/pages/node/259703", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:48:17", "description": "## Summary\n\nThe Factoring Attack on RSA-EXPORT keys (\"FREAK\"), TLS/SSL client and server security vulnerability affects IBM\u00ae SDK Java\u2122 Technology Edition, Version 1.6.0 SR16 FP3 and earlier. TLS/SSL is a configurable option in IBM FileNet Content Manager and IBM FileNet BPM products to provide secure connections for server to server communication, such as servers in a cluster, as well as for server to client communication. If using SSL/TLS with these server products, please refer to the sections below to remediate the FREAK security vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** \nA vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM FileNet Content Manager 4.5.1, 5.0.0, 5.1.0, 5.2.0, 5.2.1 (includes CE/CPE and CSS) \nIBM Content Foundation 5.2.0, 5.2.1 \nIBM FileNet BPM 4.5.1, 5.0.0\n\n## Remediation/Fixes\n\nUpgrade to Java Runtime Environment (JRE) 1.6.0 SR16 FP3 + IV70681 or higher to resolve the security vulnerability. By installing the below fixes, the private IBM JRE used by Process Engine, Content Platform Engine and Content Search Services will be updated to resolve the security vulnerability. 
\n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nFileNet Content Manager (FNCM)| 4.5.1 \n5.0.0 \n5.1.0 \n5.2.0 \n5.2.1| PJ43074 \nPJ43075 \nPJ43078 \nPJ43076, PJ43079 \nPJ43077, PJ43079| Released on April 8, 2015: \n5.1.0.0-P8CSS IF011 \n5.2.0.2-P8CSS-IF003 \n5.2.1.0-P8CSS-IF001 \n4.5.1.4-P8PE-IF007 \n5.0.0.8-P8PE-IF001 \n5.2.0.3-P8CPE-IF006 \n5.2.1.0-P8CPE-IF002 \nReleased on April 10, 2015: \neProcess-5.2.0-001.005 \nFileNet Business Process Manager (BPM)| 4.5.1 \n5.0.0 \n5.2.0 \n5.2.1| PJ43074 \nPJ43075 \nPJ43078 \nPJ43076, PJ43079 \nPJ43077, PJ43079| Released on April 8, 2015: \n5.1.0.0-P8CSS IF011 \n5.2.0.2-P8CSS-IF003 \n5.2.1.0-P8CSS-IF001 \n4.5.1.4-P8PE-IF007 \n5.0.0.8-P8PE-IF001 \n5.2.0.3-P8CPE-IF006 \n5.2.1.0-P8CPE-IF002 \nReleased on April 10, 2015: \neProcess-5.2.0-001.005 \nIBM Content Foundation| 5.2.0 \n5.2.1| PJ43076, PJ43079 \nPJ43077, PJ43079| Released on April 8, 2015: \n5.2.0.3-P8CPE-IF006 \n5.2.1.0-P8CPE-IF002 \n5.2.0.2-P8CSS-IF003 \n5.2.1.0-P8CSS-IF001 \nIBM Case Foundation| 5.2.0 \n5.2.1| PJ43076, PJ43079 \nPJ43077, PJ43079| Released on April 8, 2015: \n5.2.0.3-P8CPE-IF006 \n5.2.1.0-P8CPE-IF002 \n5.2.0.2-P8CSS-IF003 \n5.2.1.0-P8CSS-IF001 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T12:10:30", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime affects IBM FileNet Content Manager and IBM Content Foundation (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2015-0138"], "modified": "2018-06-17T12:10:30", "id": "6E527C5A0B0B2A6613918BBF9C94897FC8671D3EA7ABEBDE13363F32D36D8E9C", "href": "https://www.ibm.com/support/pages/node/258225", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:48:57", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae SDK Java\u2122 Technology Edition, Version 6.0.16.2, that is used by Rational Lifecycle Integration Adapter for HP ALM. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \n \n**CVSS** Base Score: 4.3 \n**CVSS** Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \n**CVSS** Environmental Score*: Undefined \n**CVSS** Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n\n## Affected Products and Versions\n\nIBM Rational Lifecycle Integration Adapter for HP ALM 1.2 and later versions\n\n## Remediation/Fixes\n\n \nThe fix is available on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Lifecycle+Integration+Adapters+Tasktop+Edition&release=1.1.3.1&platform=All&function=fixId&fixids=Rational-RLIA_Tasktop-JavaPatch-Java60163&includeSupersedes=0>). 
\n \nYou should verify that applying this fix does not cause any compatibility issues. \n \nTo update IBM Rational Lifecycle Integration Adapter with a corrected JRE, follow the instructions below. Depending on how you deployed the products, and depending on your usage scenarios, you might need to upgrade the IBM SDK, Java Technology Edition in IBM WebSphere Application Server and Apache Tomcat. Be sure to upgrade all the components that you use in your deployment. \n \nNOTE: IBM SDK, Java Technology Edition is only included in IBM Rational Lifecycle Integration Adapter version 1.1.2 or later. Previous versions of the Rational Lifecycle Integration Adapter Standard Edition HP Adapter were released as WAR files only. Please consult the application server documentation for updating the IBM SDK, Java Technology Edition. \n \n**Upgrading the JRE for a WebSphere Application Server installation** \n \nIf your products are deployed on WebSphere Application Server, [_Java SDK Upgrade Policy for the IBM WebSphere Application Server_](<http://www.ibm.com/support/docview.wss?uid=swg21138332>) lists IBM SDK, Java Technology Edition upgrades that are available. Also check the [_Product Security Incident Response Blog_](<https://www.ibm.com/blogs/psirt/>) for any recent security bulletins for WebSphere Application Server that may have fixpacks or interim fixes for the JRE. \n \n**Upgrading the IBM SDK, Java Technology Edition for a Tomcat installation**\n\n1\\. Stop the Rational Lifecycle Integration Adapter server. \n \n**Note**: The applications may be running in different application server instances or using a delegated converter. \n\n2\\. 
Go to the original installation directory, and rename the /jre folder \n \n<InstallDir>/server/jre \n \nto \n \n<InstallDir>/server/jre-Original \n \nThis ensures that the original JRE is kept as a backup in the event a restore is required. \n \nExample (Linux): ` \nmv <OrigInstallDir>/server/jre <OrigInstallDir>/server/jre-Original `\n\n3\\. Extract the new JRE archive provided by support to the installation directory. \n \nExample (Linux): ` \nunzip <newInstallZip> -d <InstallDir>/server/`\n\n4\\. Remove the Apache Tomcat temporary files in the following directories: \n \n`<OrigInstallDir>/server/tomcat/temp \n<OrigInstallDir>/server/tomcat/work/Catalina/localhost`\n\n5\\. Restart the Rational Lifecycle Integration Adapter server.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:40", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affects Rational Lifecycle Integration Adapter for HP ALM (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T05:01:40", "id": "5BFA3A34D731F2673154992C7A5F15DB2A3F98DE9F70E8C7E886D0230852F153", "href": "https://www.ibm.com/support/pages/node/260681", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-23T21:52:05", "description": "## Summary\n\nThe FREAK: Factoring Attack on RSA-EXPORT keys TLS/SSL client and server vulnerability affects IBM Runtime Environment Java Technology Edition, Version 1.6 and 1.7 that are 
used by IBM Flex System Manager (FSM).\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>)\n\n**Description:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected products and versions\n\n * Flex System Manager 1.1.x.x\n * Flex System Manager 1.2.0.x\n * Flex System Manager 1.2.1.x\n * Flex System Manager 1.3.0.x\n * Flex System Manager 1.3.1.x\n * Flex System Manager 1.3.2.x\n * Flex System Manager 1.3.3.x\n\n## Remediation/Fixes:\n\nProduct | VRMF | APAR | Remediation \n---|---|---|--- \nFlex System Manager | 1.3.3.x | IT07950 | The fix for this vulnerability is packaged with fixes that require agent updates. \nNavigate to the [Support Portal](<http://www-947.ibm.com/support/entry/portal/support/>) and search for technote [ 736218441](<http://www.ibm.com/support/docview.wss?rs=0&uid=nas724cb521f58c4126286257dfd005c1958>) for instructions on installing updates for the FSM and Agents. 
\nFlex System Manager | 1.3.2.x | IT07950 | The fix for this vulnerability is packaged with fixes that require agent updates. \nNavigate to the [Support Portal](<http://www-947.ibm.com/support/entry/portal/support/>) and search for technote [ 736218441](<http://www.ibm.com/support/docview.wss?rs=0&uid=nas724cb521f58c4126286257dfd005c1958>) for instructions on installing updates for the FSM and Agents. \nFlex System Manager | 1.3.1.x | IT07950 | Upgrade to FSM 1.3.2.0 and follow the appropriate remediation for all vulnerabilities, or open a PMR with support to request an APAR. \nFlex System Manager | 1.3.0.x | IT07950 | Upgrade to FSM 1.3.2.0 and follow the appropriate remediation for all vulnerabilities, or open a PMR with support to request an APAR. \nFlex System Manager | 1.2.1.x | IT07950 | IBM is no longer providing code updates for this release, upgrade to FSM 1.3.2.0 and follow the appropriate remediation for all vulnerabilities. \nFlex System Manager | 1.2.0.x | IT07950 | IBM is no longer providing code updates for this release, upgrade to FSM 1.3.2.0 and follow the appropriate remediation for all vulnerabilities. \nFlex System Manager | 1.1.x.x | IT07950 | Effective April 30, 2015, IBM has discontinued service for these version/release/modification/fix levels. 
\n \nYou should verify applying this fix does not cause any compatibility issues.\n\n## Workarounds and Mitigations:\n\nNone\n\n## References:\n\n * [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide.html>)\n * [On-line Calculator v2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n\n\n**Acknowledgement**\n\nThe vulnerability was reported to IBM by Karthikeyan Bhargavan of the PROSECCO team at INRIA.\n\n**Change History** \n27 August 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T02:10:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Flex System Manager (FSM) (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2019-01-31T02:10:01", "id": "DC17B43D81313667FD36A73A1588B5C3E049212067CB8CF4BE342AB498571C7D", "href": "https://www.ibm.com/support/pages/node/867772", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-23T21:52:23", "description": "## Summary\n\nThe FREAK: Factoring Attack on RSA-EXPORT keys TLS/SSL client and server vulnerability affects IBM Systems Director.\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>)\n\n**Description:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected products and versions\n\nFrom the IBM System Director command line enter smcli lsver to determine the level of IBM System Director installed.\n\nIBM Systems Director:\n\n * 5.2.x.x\n * 6.1.x.x\n * 6.2.0.x\n * 6.2.1.x\n * 6.3.0.0\n * 6.3.1.x\n * 6.3.2.x\n * 6.3.3.x\n * 6.3.5.0\n\n## Remediation/Fixes\n\nReleases 5.2.x.x, 6.1.x.x are unsupported and will not be fixed.\n\nFollow the instructions mentioned under <http://www-947.ibm.com/support/entry/portal/support/> and search for Tech note **741266903** to apply the fix for releases:\n\n * 6.2.0.x\n * 6.2.1.x\n * 6.3.0.0\n * 6.3.1.x\n * 6.3.2.x\n * 6.3.3.x\n * 6.3.5.0\n\n## Workarounds and Mitigations\n\nNone.\n\n## Reference\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n23 April 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Vulnerability with RSA Export Keys affects IBM Systems Director (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2019-01-31T01:55:01", "id": "53D0AE73272C98C52DAD50318C44451464A08931AFB6FA152F68439DB4D4F13D", "href": "https://www.ibm.com/support/pages/node/866682", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-23T21:52:24", "description": "## Summary\n\nIBM Tivoli Monitoring, Tivoli Application Dependency Discovery Manager, IBM System Director and Tivoli Common Reporting are shipped as components of IBM System Director Editions.\n\n## Vulnerability Details\n\n## Summary\n\nIBM Tivoli Monitoring, Tivoli Application Dependency Discovery Manager, 
IBM System Director and Tivoli Common Reporting are shipped as components of IBM System Director Editions. Information about the security vulnerability affecting these components has been published in the security bulletin.\n\n**Vulnerability Details**\n\nPlease consult the security bulletins listed below for the vulnerability details of the affected products.\n\n## Affected products and versions\n\nAffected Product and Version(s) | Product and Version shipped as a component | Security Bulletin \n---|---|--- \nIBM System Director Editions 6.2.0.0 | IBM Tivoli Monitoring 6.2.2.02. base FP2 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.2.0.0 | Tivoli Application Dependency Discovery Manager v7.2 | <http://www-01.ibm.com/support/docview.wss?uid=swg21701949> \nIBM System Director Editions 6.2.0.0 | Tivoli Common Reporting 1.3 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.2.0.0 | IBM System Director 6.2.0.0 | [ http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \nIBM System Director Editions 6.2.1.0 | IBM Tivoli Monitoring 6.2.2 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.2.1.0 | Tivoli Application Dependency Discovery Manager v7.2 | <http://www-01.ibm.com/support/docview.wss?uid=swg21701949> \nIBM System Director Editions 6.2.1.0 | Tivoli Common Reporting 1.3 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.2.1.0 | IBM System Director 6.2.1.0 | [ http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \nIBM System Director Editions 6.3.0.0 | IBM Tivoli Monitoring 6.2.3 (TEPS, TDW, TCR) | 
<http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.3.0.0 | Tivoli Application Dependency Discovery Manager v7.2.1 | <http://www-01.ibm.com/support/docview.wss?uid=swg21701949> \nIBM System Director Editions 6.3.0.0 | Tivoli Common Reporting 2.1.1 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.3.0.0 | IBM System Director 6.3.0.0 | [ http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \nIBM System Director Editions 6.3.2.0 | IBM Tivoli Monitoring 6.3 (TEPS, TDW, TCR) | <http://www-01.ibm.com/support/docview.wss?uid=swg21701519> \nIBM System Director Editions 6.3.2.0 | Tivoli Common Reporting 3.1 | <http://www-01.ibm.com/support/docview.wss?uid=swg21903299> \nIBM System Director Editions 6.3.2.0 | IBM System Director 6.3.2.0 | [ http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097735>) \n \n## Reference\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n * [OpenSSL Project vulnerability website](<http://www.openssl.org/news/vulnerabilities.html>)\n\n**Related Information** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n27 May 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin:Vulnerability in IBM Java Runtime affects IBM Tivoli Monitoring, Tivoli Application Dependency Discovery Manager, IBM Systems Director and Tivoli Common Reporting with IBM System Director Editions.(CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-0138"], "modified": "2019-01-31T01:55:01", "id": "3A8DCA0D51B2577B4386FCF6B49D18116E827A1E5CA0C769697219CA37689A36", "href": "https://www.ibm.com/support/pages/node/867236", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:52:31", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 and 7 that is used by IBM Cognos Business Intelligence Server.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Cognos Business Intelligence Server 10.2.2 \nIBM Cognos Business Intelligence Server 10.2.1.1 \nIBM Cognos Business Intelligence Server 10.2.1 \nIBM Cognos Business Intelligence Server 10.2 \nIBM Cognos Business Intelligence Server 10.1.1 \nIBM Cognos Business Intelligence Server 10.1 \nIBM Cognos Business Intelligence Server 8.4.1\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for versions listed as soon as practical. \n \n[IBM Cognos Business Intelligence 8.4.1 Fixes](<http://www-01.ibm.com/support/docview.wss?uid=swg24039725>) \n \n[IBM Cognos Business Intelligence 10.1.x Fixes](<http://www-01.ibm.com/support/docview.wss?uid=swg24039727>) \n \n[IBM Cognos Business Intelligence 10.2, 10.2.1x and 10.2.2 Fixes](<http://www-01.ibm.com/support/docview.wss?uid=swg24039726>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T23:13:38", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM\u00ae Runtime Environment Java\u2122 Technology Edition affects IBM Cognos Business Intelligence Server (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": 
"AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T23:13:38", "id": "B8539C03EFB5ED5E6A11B420810996629F342F10850F03870DD31D695879E8C4", "href": "https://www.ibm.com/support/pages/node/260157", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:54:56", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability (CVE-2015-0138) may affect IBM WebSphere Application Server Community Edition.\n\n## Vulnerability Details\n\n**CVEID**: [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION**: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. 
\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM WebSphere Application Server Community Edition 3.0.0.4\n\n## Workarounds and Mitigations\n\nUpgrade your IBM SDK for Java to an interim fix level as determined below: \nIBM SDK 6.0: \nIBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 3 (required) + [IV70681](<http://www-01.ibm.com/support/docview.wss?uid=swg24039651>) \n \nIBM SDK 7.0: \nIBM SDK, Java Technology Edition, Version 7 Service Refresh 8 FP10 (optional) +[IV70681](<http://www-01.ibm.com/support/docview.wss?uid=swg24039665>) \nIBM SDK, Java Technology Edition, Version 7R1 Service Refresh 2 FP10 (optional) + [IV70681](<http://www-01.ibm.com/support/docview.wss?uid=swg24039687>)\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:56", "type": "ibm", "title": "Security Bulletin:Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server Community Edition 3.0.0.4 \uff08CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:56", "id": "421CD0D6072AB74058E23479FD80CC38A955C5600974054F7C050356B9B86C6B", "href": "https://www.ibm.com/support/pages/node/261425", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:01", "description": "## Summary\n\nThe 
\u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability (CVE-2015-0138) may affect IBM WebSphere Application Server that shipped with WebSphere Enterprise Service Bus Registry Edition.\n\n## Vulnerability Details\n\nFor more information on the vulnerability as well as remediation options and fixes, refer to the following bulletin: [Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698613>)\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:50", "type": "ibm", "title": "Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server that shipped with WebSphere Enterprise Service Bus Registry Edition (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:50", "id": "F0EAB90B09BC591CA31A4D87854A58B529FD2D91EA4D9FA5012140AB532F7D37", "href": "https://www.ibm.com/support/pages/node/260301", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:02", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM SDK Java Technology Edition, Version 6 and IBM SDK Java Technology Edition, Version 7 that is used by IBM OS Images for Red Hat Linux Systems, AIX, and Windows.\n\n## Vulnerability Details\n\n**CVEID: 
**[CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>)\n\n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM OS Image for Red Hat Linux Systems 2.0.0.1 and earlier. \nIBM OS Image for AIX 2.0.0.1 and earlier. \nIBM OS Image for Windows 2.0.0.1 and earlier.\n\n## Remediation/Fixes\n\nThe deployed Red Hat Linux-based, AIX, and Windows virtual machines on all IBM PureApplication Systems types are affected. The solution is to apply the following IBM PureApplication System fix to the deployed virtual machines. \n \n[http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication%20System&release=2.0.0.0&platform=All&function=textSearch&text=java](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication%20System&release=2.0.0.0&platform=All&function=textSearch&text=java>) \n \n\n\n 1. Import the fix into the Emergency Fix catalogue.\n 2. For deployed instances, apply this emergency fix on the VM. The IBM Java SDK will be upgraded to IBM Java JDK 7.0 SR8 FP10 interim fix and IBM Java JDK 6.0 SR16 FP3 interim fix.\n 3. 
Restart the deployed instance after the fix is applied.\n \nYou should verify applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affects IBM OS Images for Red Hat Linux Systems, AIX, and Windows. (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:50", "id": "EF76C96F2E2912184D5C0494E98B7031C29155F39DF956D7114AD55EB80A7877", "href": "https://www.ibm.com/support/pages/node/260267", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:03", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 that is used by IBM Image Construction and Composition Tool.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>)\n\n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Image Construction and Composition Tool v2.2.1.3 \nIBM Image Construction and Composition Tool v2.3.1.0 \nIBM Image Construction and Composition Tool v2.3.2.0\n\n## Remediation/Fixes\n\nThe solution is to apply the following IBM Image Construction and Composition Tool version fixes. \n \nUpgrade the IBM Image Construction and Composition Tool to the following fix levels: \n \n * For IBM Image Construction and Composition Tool v2.2.1.3 \n   * IBM Image Construction and Composition Tool v2.2.1.3 Build 28 \n \n\n\n[http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=1.1.0.5&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.2.1.3-28&includeSupersedes=0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=1.1.0.5&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.2.1.3-28&includeSupersedes=0>) \n \n * For IBM Image Construction and Composition Tool v2.3.1.0 \n   * IBM Image Construction and Composition Tool v2.3.1.0 Build 38 \n 
\n\n\n[http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.0.0.1&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.1.0-38&includeSupersedes=0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.0.0.1&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.1.0-38&includeSupersedes=0>) \n \n * For IBM Image Construction and Composition Tool v2.3.2.0 \n   * IBM Image Construction and Composition Tool v2.3.2.0 Build 12 \n\n \n[http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.1.0.0&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.2.0-12&includeSupersedes=0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.1.0.0&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.2.0-12&includeSupersedes=0>) \n \n \nYou should verify applying this fix does not cause any compatibility issues. 
\n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:48", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Image Construction and Composition Tool (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:48", "id": "652D354E596F1BF0419D184075679C9B1A4861A955CD0ABFB2986F555115142A", "href": "https://www.ibm.com/support/pages/node/260161", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:03", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae Runtime Environments Java\u2122 Technology Edition, Version 6.0.5 that is used by WebSphere Business Modeler Advanced and WebSphere Business Modeler Basic.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects: \n\n\n * WebSphere Business Modeler Advanced V7.0.0.x\n * WebSphere Business Modeler Basic V7.0.0.x\n * WebSphere Business Modeler Advanced V6.2.0.x\n * WebSphere Business Modeler Basic V6.2.0.x\n\n## Remediation/Fixes\n\nTo fully mitigate this vulnerability, an additional fix for WebSphere Business Modeler is required (JR52951): \n\n\n * [WebSphere Business Modeler Advanced V7.0.0.x](<http://www.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FWebSphere%2FIBM+WebSphere+Business+Modeler+Advanced&fixids=7.0.0.4-WB-ModelerAdv-IFJR52951&source=SAR&function=fixId&parent=ibm/WebSphere>)\n * [WebSphere Business Modeler Basic V7.0.0.x](<http://www.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FWebSphere%2FIBM+WebSphere+Business+Modeler+Basic&fixids=7.0.0.4-WB-ModelerBas-IFJR52951&source=SAR&function=fixId&parent=ibm/WebSphere>)\n * [WebSphere Business Modeler Advanced V6.2.0.x](<http://www.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FWebSphere%2FIBM+WebSphere+Business+Modeler+Advanced&fixids=6.2.0.3-WB-ModelerAdv-IFJR52951&source=SAR&function=fixId&parent=ibm/WebSphere>)\n * [WebSphere Business Modeler Basic V6.2.0.x](<http://www.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FWebSphere%2FIBM+WebSphere+Business+Modeler+Basic&fixids=6.2.0.3-WB-ModelerBas-IFJR52951&source=SAR&function=fixId&parent=ibm/WebSphere>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:47", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtimes affect Websphere Business Modeler Advanced and 
Websphere Business Modeler Basic (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:47", "id": "CBE391D4537A02C7DAD21431426EB80FDF3DF9AAE6EF3129827DB718EC2DBA06", "href": "https://www.ibm.com/support/pages/node/259979", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:05", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability may affect some configurations of WebSphere Application Server used by WebSphere Service Registry and Repository.\n\n## Vulnerability Details\n\n**CVEID**: [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION**: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. 
\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM SOA Policy Gateway Pattern for Red Hat Enterprise Linux Server 2.5 and 2.0\n\n## Remediation/Fixes\n\nPlease note that the default configuration of WebSphere Application Server and WebSphere Service Registry and Repository uses a \"STRONG\" or \"HIGH\" secure cipher list, which does not use RSA Export ciphers, so you would not be affected if you have not changed your ciphers. \n\nFor advice on mitigating FREAK on servers which deviate from this default configuration, please apply the mitigations indicated in the WebSphere Application Server bulletin at [http://www.ibm.com/support/docview.wss?uid=swg21698613](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>). You should verify applying this fix does not cause any compatibility issues. 
\n\n## Workarounds and Mitigations\n\nYou should verify applying this configuration change does not cause any compatibility issues.\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:46", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java runtime affects IBM SOA Policy Gateway Pattern for Red Hat Enterprise Linux Server (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:46", "id": "AADD6DEC33FC746EA227DF8A2AB825F8DF3840C54CAEB51F15BD6D0541DB820C", "href": "https://www.ibm.com/support/pages/node/259503", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:07", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability may affect some configurations of WebSphere Application Server used by WebSphere Service Registry and Repository.\n\n## Vulnerability Details\n\n**CVEID**: [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION**: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nWebSphere Service Registry and Repository versions 8.5, 8.0, 7.5, 7.0.\n\n## Workarounds and Mitigations\n\nPlease note that a default installed configuration of WebSphere Application Server and WebSphere Service Registry and Repository uses a \"STRONG\" or \"HIGH\" secure cipher list, which does not use RSA Export ciphers, so you would not be affected if you have not changed your ciphers. \n\nFor advice on mitigating FREAK on servers which deviate from this default configuration, please apply the mitigations indicated in the WebSphere Application Server bulletin at [http://www.ibm.com/support/docview.wss?uid=swg21698613](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>). You should verify applying this configuration change does not cause any compatibility issues.\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:44", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java runtime affects WebSphere Service Registry and Repository (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:44", "id": "EEA40EE94F1CD00B246C4208C1F27C86B7A9FBA03679182D248D44B783F0AA75", "href": 
"https://www.ibm.com/support/pages/node/258853", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:10", "description": "## Summary\n\n\"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects IBM WebSphere Real Time Version 3 Service Refresh 8 Fix Pack 10 and earlier releases\n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are included in IBM WebSphere Real Time Version 3 Service Refresh 9. \n \nIn addition, an iFix release based on Service Refresh 8 Fix Pack 10 is available. \n \nIBM customers should download WebSphere Real Time updates from [Fix Central](<http://www.ibm.com/support/fixcentral/>). 
\n \nThe APAR for this fix is [IV70681](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV70681>).\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:42", "type": "ibm", "title": "Security Bulletin: Current release of IBM\u00ae WebSphere Real Time is affected by CVE-2015-0138", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:42", "id": "4F7D80D0E68015216182DCF5862AE3314F24842A412FD6BE39D0A2E70138ADD6", "href": "https://www.ibm.com/support/pages/node/259913", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:11", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. 
\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nThe following products are affected: \n\n * WebSphere Business Monitor V7.0.0.x\n * IBM Business Monitor V7.5.x\n * IBM Business Monitor V8.0.1.x\n * IBM Business Monitor V8.5.5.0\n * IBM Business Monitor V8.5.6.0\n\n## Remediation/Fixes\n\nTo remediate this issue, refer to [Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698613>)\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:47", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Business Monitor (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:47", "id": "B77168F63DAAF43375243891355FD6CE04996BFC71ADF6BB0EA2EBA72BE044D7", "href": "https://www.ibm.com/support/pages/node/259739", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:12", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability (CVE-2015-0138) may affect some configurations of IBM 
WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile, and IBM WebSphere Application Server Hypervisor Edition. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n**AFFECTED VERSIONS**: The following IBM WebSphere Application Server Versions may be affected: \n\n * Version 8.5 and 8.5.5 Full Profile and Liberty Profile\n * Version 8 \n * Version 7\n * Version 6.1\n\n## Remediation/Fixes\n\nPlease note that the interim fixes for PI36563 also include the removal of RC4 stream ciphers. \nFor more information on RC4 stream ciphers, refer to the security bulletin [Vulnerability in RC4 ciphers affects WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>). \n \nBy default, the WebSphere Application Server SSL configuration is set to use the \"STRONG\" or \"HIGH\" secure cipher list which does not use RSA Export ciphers, so you would not be affected if you have not changed your ciphers. \n \nIf you have overridden the default configuration to use the \"MEDIUM\" secure cipher list then it will contain the RSA Export Ciphers. 
You should change this configuration to use \"STRONG\" or \"HIGH\", or apply Interim Fix PI36563. \n \nIf you have configured a \"CUSTOM\" list of ciphers that includes an RSA Export cipher, then you should remove those RSA Export ciphers from the Application Server configuration. \n \nFor any outbound connections, IBM recommends that any servers that WebSphere Application Server connects to also have RSA Export ciphers disabled. If you require RSA_Export on the server side, then you should apply an interim fix for the client to block the downgrade of the RSA key. You should apply the correct Interim Fix as noted below for your version of the IBM SDK, Java Technology Edition. \n \n \n**_Fix: To remove the RSA Export Ciphers from the Medium secure cipher list:_** \nApply an [Interim Fix](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>), [_Fix Pack or PTF_](<https://www-304.ibm.com/support/docview.wss?rs=180&uid=swg27004980>) containing APAR PI36563, as noted below: \n \nFor IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile or IBM WebSphere Application Server Hypervisor Edition: \n \n**For V8.5.0.0 through 8.5.5.5:**\n\n * Apply Interim Fix [PI36563](<http://www-01.ibm.com/support/docview.wss?uid=swg24039583>)\n\\-- OR \n * Apply Fix Pack 6 (8.5.5.6), or later. \n \n**For V8.0.0.0 through 8.0.0.10:**\n\n * Apply Interim Fix [PI36563](<http://www-01.ibm.com/support/docview.wss?uid=swg24039583>)\n\\-- OR \n * Apply Fix Pack 11 (8.0.0.11), or later. 
\n \n**For V7.0.0.0 through 7.0.0.37:**\n\n * Apply Interim Fix [PI36563](<http://www-01.ibm.com/support/docview.wss?uid=swg24039583>)\n\\-- OR \n * Apply Fix Pack 39 (7.0.0.39), or later.\n \n**For V6.1.0.0 through 6.1.0.47:**\n\n * If you are using the MEDIUM cipher list, refer to the remediation above to remove the RSA Export ciphers.\n \n \n**_Fix to block the downgrade of the RSA keys:_** \nYou should apply the correct Interim Fix as noted below for your version of the IBM SDK, Java Technology Edition. \n \nAPAR IV70681 - includes the fix for CVE-2015-0138 for IBM SDK, Java Technology Edition, Versions 6, 7 and 8 \nAPAR IV70684 - includes the fix for CVE-2015-0138 for IBM SDK, Java 2 Technology Edition, Version 5 \n \nApply an [Interim Fix](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>), [_Fix Pack or PTF_](<https://www-304.ibm.com/support/docview.wss?rs=180&uid=swg27004980>) as noted below: \n \n**_For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:_** \n \nDownload and apply the interim fix APARs below, for your appropriate release: \n \n**For V8.5.0.0 through 8.5.5.5 Liberty Profile:**\n\n * Apply Interim Fix [PI42772](<http://www-01.ibm.com/support/docview.wss?uid=swg24040171>): 
Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 3 (required) + IV70681 \n * Apply Interim Fix [PI37005](<http://www-01.ibm.com/support/docview.wss?uid=swg24039665>): 
Will upgrade you to IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 FP10 (optional) + IV70681\n * Apply Interim Fix [PI37004](<http://www-01.ibm.com/support/docview.wss?uid=swg24039687>): Will upgrade you to IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 2 FP10 (optional) + IV70681 \n * Apply Interim Fix 
[PI37003](<http://www-01.ibm.com/support/docview.wss?uid=swg24039782>): Will upgrade you to IBM SDK, Java Technology Edition, Version 8 (optional) + IV70681 \n**\\--OR--**\n\n * Apply the IBM Java SDK shipped with WebSphere Application Server Fix Pack 6 (8.5.5.6) or later.\n \n**For V8.5.0.0 through 8.5.5.5 Full Profile:**\n\n * Apply Interim Fix [PI37006](<http://www-01.ibm.com/support/docview.wss?uid=swg24039651>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 3 (required) + IV70681 \n * Apply Interim Fix [PI37005](<http://www-01.ibm.com/support/docview.wss?uid=swg24039665>): 
Will upgrade you to IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 FP10 (optional) + IV70681\n * Apply Interim Fix [PI37004](<http://www-01.ibm.com/support/docview.wss?uid=swg24039687>): Will upgrade you to IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 2 FP10 (optional) + IV70681 \n**\\--OR--**\n\n * Apply the IBM Java SDK shipped with WebSphere 
Application Server Fix Pack 6 (8.5.5.6) or later.\n \n**For V8.0.0.0 through 8.0.0.10:**\n\n * Apply Interim Fix [PI37010](<http://www-01.ibm.com/support/docview.wss?uid=swg24039668>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 2 + IV70681 \n**\\--OR--**\n\n * Apply Interim Fix [PI38186](<http://www-01.ibm.com/support/docview.wss?uid=swg24039749>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 3 + IV70681 \n**\\--OR--**\n\n * Apply the IBM Java SDK shipped with WebSphere Application Server Fix Pack 11 (8.0.0.11) or later.\n \n**For V7.0.0.0 through 7.0.0.37:**\n\n * Apply Interim Fix [PI37013](<http://www-01.ibm.com/support/docview.wss?uid=swg24039694>): Will upgrade you to IBM SDK, Java Technology 
Edition, Version 6 Service Refresh 16 Fix Pack 3 + IV70681\n**\\--OR--**\n\n * Apply the IBM Java SDK shipped with WebSphere Application Server Fix Pack 39 (7.0.0.39) or later.\n \n**For V6.1.0.0 through 6.1.0.47:**\n\n * Contact IBM Support and apply Interim Fix PI37015: Will upgrade you to IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 + IV70684\n \n**_For IBM WebSphere Application Server for i5/OS operating systems:_** \n \nThe IBM Developer Kit for Java is prerequisite software for WebSphere Application Server for IBM i. Please refer to [_Java on IBM i_](<https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/IBM%20i%20Technology%20Updates/page/Java%20on%20IBM%20i>) for updates on when these fixes will be available. 
\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:37", "type": "ibm", "title": "Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-15T07:02:37", "id": "0CA2D884425D25EDB73F3399D79B0458C939C53D6423CF98739BDC98AA1F45F0", "href": "https://www.ibm.com/support/pages/node/257017", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:47:15", "description": "## Summary\n\nIBM Tivoli Monitoring for Tivoli Storage Manager packages IBM Tivoli Monitoring (ITM) as one of its components. \n \nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae Runtime Environment Java\u2122 Technology Edition that is used by ITM. \n \nGSKit is an IBM component that is used by IBM Tivoli Monitoring. The GSKit that is shipped with IBM Tivoli Monitoring contains a security vulnerability, the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. ITM has addressed the CVE. \n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nThe following components of IBM Tivoli Monitoring for Tivoli Storage Manager are affected by this vulnerability. \n\n * IBM Tivoli Monitoring for Tivoli Storage Manager version 6.1 - 7.1\n\n## Remediation/Fixes\n\nThe solution provided is for IBM Tivoli Monitoring for Tivoli Storage Manager versions 6.3 and 7.1. \n\n**Table: Upgrading IBM Tivoli Monitoring**\n\n**Note: Customers must first upgrade IBM Tivoli Monitoring before applying the security fix.**\n\n**_IBM Tivoli Monitoring for Tivoli Storage Manager Version_**| **_URL_** \n---|--- \n6.3.x| [**_6.2.2-TIV-ITM-FP0009_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=6.2.2&platform=All&function=fixId&fixids=6.2.2-TIV-ITM-FP0009&includeSupersedes=0>) \n7.1.x| [**_6.3.3-TIV-ITM-FP0004_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=6.3.0&platform=All&function=fixId&fixids=6.3.0-TIV-ITM-FP0004&includeSupersedes=0>) \n \n**Table: Security Fixes for IBM Tivoli Monitoring**\n\n 
\n**Note: Only for versions 6.3 through 7.1.x**\n\n**_IBM Tivoli Monitoring for Tivoli Storage Manager Version_**| **_Fix_**| **_Remediation/First Fix_** \n---|---|--- \n**_6.3.x_**| **6.X.X-TIV-ITM_JRE_CANDLEHOME_5.16.09.01**| [**_IFIX Download Instructions_**](<http://www.ibm.com/support/docview.wss?uid=swg24039756>) \n**_7.1.x_**| **6.X.X-TIV-ITM_JRE_CANDLEHOME_7.08.10.01**| [**_IFIX Download Instructions_**](<http://www.ibm.com/support/docview.wss?uid=swg24039756>) \n \n**NOTE:**\n\n**Extended support customers using IBM Tivoli Monitoring versions 6.1 or 6.2 for Tivoli Storage Manager should contact IBM support.** \n \n**Follow the 6.X.X-TIV-ITM_JRE_CANDLEHOME_XX.XX.XX.XX.README instructions to install the ITM IFIX, where XX.XX.XX.XX matches the downloaded IFIX level.**\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:01:03", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime and GSKit affects IBM Tivoli Monitoring for Tivoli Storage Manager (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T15:01:03", "id": "62271CAA15BF5B3CD7F0FD1A957972203812A6F82B76120573C72B7C9A1B30F9", "href": "https://www.ibm.com/support/pages/node/262695", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:47:18", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae 
Runtime Java\u2122 Technology Edition, Version 5.0 that is used by Tivoli Netcool Service Quality Manager. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects Tivoli Netcool Service Quality Manager 4.1.4\n\n## Remediation/Fixes\n\nIBM has provided patches for all affected versions. 
\nThe IBM Java Runtime Environment Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 can be downloaded from the IBM Fix Central site: \n[_https://delivery04.dhe.ibm.com/sar/CMA/WSA/04x1e/0/jre564redist.tar.gz_](<https://delivery04.dhe.ibm.com/sar/CMA/WSA/04x1e/0/jre564redist.tar.gz>) \n \nTo install the patch, perform the following procedure on TNSQM servers: \n \n$ sap stop \n$ sapmon stop \n$ sapmgr stop \n$ cd ${WMCROOT}/java \n$ mv jre jre.old \n$ gunzip -c <location of patch>/jre564redist.tar.gz | tar -xf - \n$ sapmon start \n$ sapmgr start \n$ sap start\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T14:59:42", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime affects Tivoli Netcool Service Quality Manager (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T14:59:42", "id": "2D9FA4CEC155B182B2AEB787D0A79A2F3E438F7B97BA9E14F3F967D6365E9E88", "href": "https://www.ibm.com/support/pages/node/260217", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:47:18", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM embedded WebSphere Application Server that is used by Tivoli Workload Scheduler.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in 
various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nTivoli Workload Scheduler is potentially impacted by the listed vulnerability, since it may affect secure communications between eWAS and its subcomponents through the Java exposure. \nThe issue has been fixed by updating the Java inside eWAS installed with the latest fix pack version of TWS. 
\n \nThe affected versions are: \nTivoli Workload Scheduler Distributed 8.4.0 \nTivoli Dynamic Workload Console 8.4.0 \nTivoli Workload Scheduler Distributed 8.5.0 \nTivoli Dynamic Workload Console 8.5.0 \nTivoli Workload Scheduler z/OS Connector 8.5.0 \nTivoli Workload Scheduler Distributed 8.5.1 \nTivoli Dynamic Workload Console 8.5.1 \nTivoli Workload Scheduler z/OS Connector 8.5.1 \nTivoli Workload Scheduler Distributed 8.6.0 \nTivoli Dynamic Workload Console 8.6.0 \nTivoli Workload Scheduler z/OS Connector 8.6.0 \n\nFor Tivoli Workload Scheduler Distributed 9.1 and 9.2, the only change needed is the one that refers to localopts.\n\nSince TWS 9.1 and 9.2 did not include WebSphere Application Server, refer to\n\n[_http://www-01.ibm.com/support/docview.wss?uid=swg21698613_](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) to patch this product.\n\n## Remediation/Fixes\n\nIBM has provided patches for all affected versions. Follow the installation instructions in the README files included with the patch. \n\nAfter the patch has been installed and before restarting the product, perform the following step on Master Domain Managers, Backup Master Domain Managers and classic FTAs (no changes for Dynamic Agent or zCentric):\n\nLocate in the localopts file the line \n\n \n#CLI SSL chiper = MD5 \n \nand change it to \n \n**CLI SSL cipher** = HIGH \n \n(note that the original string \"chiper\" was incorrect, so please change it to \"cipher\") \n \n \n\n\nAPAR IV71618 has been opened for the issues.\n\nFor TWS 8.4.0, 8.5.0 and 8.5.1 it is mandatory to install the Limited Availability fixes IV61280 and IV70762 before applying Limited Availability fix IV71618. 
For TWS 8.6.0, it is mandatory to install the Limited Availability fix IV70762 before applying IV71618.\n\nThe following interim fixes for IV71618 will be available for download on Fix Central:\n\n8.4.0-TIV-TWS-FP0007- IV71618 \nto be applied on top of Tivoli Workload Scheduler Distributed 8.4.0 FP07 \n\n8.5.0-TIV-TWS-FP0005- IV71618 \nto be applied on top of Tivoli Workload Scheduler Distributed 8.5.0 FP05 \n\n8.5.1-TIV-TWS-FP0005- IV71618 \nto be applied on top of Tivoli Workload Scheduler Distributed 8.5.1 FP05\n\n8.6.0-TIV-TWS-FP0003- IV71618 \nto be applied on top of Tivoli Workload Scheduler Distributed 8.6.0 FP03\n\nand will be officially included in the next fix packs for the affected TWS versions. \nFurther information about the WebSphere configuration and fix can be found here:\n\n[_http://www-01.ibm.com/support/docview.wss?uid=swg21698613_](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) \n\n\n \nYou should verify that applying this fix does not cause any compatibility issues. \n_For unsupported releases IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nYou should verify that applying this configuration change does not cause any compatibility issues.\n\n## ", "cvss3": {}, "published": "2018-06-17T14:59:34", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Workload Scheduler (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": 
"2018-06-17T14:59:34", "id": "E9B9688AF49ED050872383DC96B25A14C9FE2F363B5DF782F81AC54022F4663B", "href": "https://www.ibm.com/support/pages/node/259915", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:47:20", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability (CVE-2015-0138) may affect some configurations of IBM WebSphere Application Server Full Profile shipped with IBM Tivoli Network Performance Manager\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack. \n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nAffected Product and Version(s)\n\n| Product and Version shipped as component \n---|--- \nTivoli Network Performance Manager 1.4| Bundled the Jazz for Service Management version 1.1.0.2, IBM WebSphere version 8.5.0.1 and the JRE from IBM SDK Java 2 Technology Edition Version 7. \nTivoli Network Performance Manager 1.3.3| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. 
\nTivoli Network Performance Manager 1.3.2| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nTivoli Network Performance Manager 1.3.1| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \n \n## Remediation/Fixes\n\nApply workaround and mitigation in[ Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>)\n\n## ", "cvss3": {}, "published": "2018-06-17T14:59:15", "type": "ibm", "title": "Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server shipped with IBM Tivoli Network Performance Manager (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T14:59:15", "id": "BA23DCD69B7D7B2ABD29A595E6EFF4BC0D7E0DF30561B219A131FBFA3EF8F550", "href": "https://www.ibm.com/support/pages/node/259335", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:47:26", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 that is used by the Enterprise Common Collector (a component of IBM Tivoli zEnterprise Monitoring Agent, a component of IBM Tivoli Monitoring).\n\n## Vulnerability 
Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nEnterprise Common Collector 1.1.0 (a component of IBM Tivoli zEnterprise Monitoring Agent, a component of IBM Tivoli Monitoring v6.2.3 and v6.3.0)\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _Operating System_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Tivoli zEnterprise Monitoring Agent (Enterprise Common Collector v1.1.0 component)| v6.2.3| AIX\u00ae| [_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-AIX-IF0003&includeSupersedes=0>) \n| | Linux\u00ae on System z\u00ae| [_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Linuxz-IF0003&includeSupersedes=0>) \n| | Linux\u00ae on Intel\u00ae 32-bit| [_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Linuxx32-IF0003&includeSupersedes=0>) \n| | Linux\u00ae on Intel\u00ae 64-bit| [_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Linuxx64-IF0003&includeSupersedes=0>) \n| | 32-bit Windows\u00ae| [_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Windows32-IF0003&includeSupersedes=0>) \n| | 64-bit Windows\u00ae| [_Fix Central link_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Windows64-IF0003&includeSupersedes=0>) \n \nYou should verify that applying this fix does not cause any compatibility issues. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T14:59:24", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime affects the Enterprise Common Collector component of the IBM Tivoli zEnterprise Monitoring Agent (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T14:59:24", "id": "DF7B4FDCA520FCCC4A15B1F7A8593D3E6402CCE1DD776115DE5A78077FD00AED", "href": "https://www.ibm.com/support/pages/node/259607", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:49:06", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Versions 6.1, 7, 8, 8.5, and 8.5.5 that are used by IBM Rational RequisitePro. \n \n\n\n## Vulnerability Details\n\nPlease consult the [_Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)_](<http://www.ibm.com/support/docview.wss?uid=swg21698613>) for vulnerability details and information about fixes. \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack. \n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Rational RequisitePro, RequisiteWeb Server component. \n \n\n\n**Version**\n\n| \n\n**Status** \n \n---|--- \n7.1.3.x, 7.1.4.x| This vulnerability only applies to RequisiteWeb component, and it only applies if one of the following conditions exist: \n \n\\- You have installed RequisiteWeb server into an existing WAS profile, and that profile supports a non-default set of ciphers. \n \n\\- You modified the default set of ciphers in the WAS profile created during the installation of RequisitePro. \n7.1.0.x, 7.1.1.x, 7.1.2.x| This vulnerability only applies to the RequisiteWeb component, other parts of RequisitePro are not affected. In addition, this vulnerability only applies if you modified the RequisiteWeb WAS profile by changing its set of supported ciphers. \n \n## Remediation/Fixes\n\nReview the security bulletin referenced above and apply the relevant fixes to your WAS installation and WAS profiles used for RequisiteWeb. \n \n\n\n**Affected version**\n\n| \n\n**Applying the fix** \n \n---|--- \n7.1.3.x, 7.1.4.x| Apply the appropriate WebSphere Application Server directly to your RequisiteWeb server host. No particular RequisitePro steps are necessary. \n7.1.0.x, 7.1.1.x and 7.1.2.x| [Document 1390803](<http://www-01.ibm.com/support/docview.wss?uid=swg21390803>) explains how to update WebSphere Application Server for RequisiteWeb servers for 7.1.0.x, 7.1.1.x and 7.1.2.x releases. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:24", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Rational RequisitePro (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-17T05:01:24", "id": "8BD055970F3AEBC1072117F86120DD4963EB2275EBA431FFD601E7A2B2DB2B6C", "href": "https://www.ibm.com/support/pages/node/259625", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:51:34", "description": "## Summary\n\nThe \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM Sterling B2B Integrator and IBM Sterling File Gateway. \n\n## Vulnerability Details\n\n**CVE ID:** [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>) \n \n**DESCRIPTION: **A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\n \n**CVSS:** \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM Sterling B2B Integrator 5.2 \n\nIBM Sterling File Gateway 2.2\n\nSterling Integrator 5.1\n\nSterling File Gateway 2.1\n\n## Remediation/Fixes\n\n**Product & Version**\n\n| \n\n**Remediated Fix** \n \n---|--- \nSterling Integrator 5.1 or \n\nSterling File Gateway 2.1\n\n| \n\n 1. Upgrade Sterling Integrator to 5.1.0.4 and apply Generic Interim Fix 5104_6. \n \n\n 2. For Linux, AIX and Windows, go to the[ _Fix Central for IBM Java fixes_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/Java&release=All&platform=All&function=all>) to download IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 Service Refresh 16 Fix Pack 3 and subsequent releases. \n \n \nFor Solaris and HP-UX, refer to the Java vendor to find the appropriate version that addresses the \u201cFREAK\u201d vulnerability. \nIBM Sterling B2B Integrator 5.2 or \n\nIBM Sterling File Gateway 2.2\n\n| \n\n 1. Upgrade Sterling B2B Integrator to 5.2.5.0. \n \n\n 2. For Linux, AIX and Windows, go to the [_Fix Central for IBM Java fixes_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/Java&release=All&platform=All&function=all>) to download IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 Service Refresh 8 Fix Pack 10 and subsequent releases. 
\n \nFor Solaris and HP-UX, go to [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) to download the fix for: \n * HP\u00ae SDK\u2122 for J2SE\u2122 HP-UX\u00ae 11i platform adapted by IBM\u00ae for IBM\u00ae Software Version 7 Service Refresh 8 Fix Pack 10 and subsequent releases.\n * IBM 64-bit SDK for Solaris\u2122 Java\u2122 Technology Edition Version 7 Service Refresh 8 Fix Pack 10 and subsequent releases. \n \n\n* Make the configuration changes specified in the Workarounds and Mitigations section below \nYou should verify applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\nThe following table provides instructions on how to make configuration changes to both Sterling B2B Integrator 5.2 and 5.1. After making the necessary changes, you will need to stop and restart IBM Sterling B2B Integrator in order for these changes to take effect. \n\nIf you use:| Then do this: \n---|--- \nSterling B2B Integrator 5.1 or 5.2 or \nSterling File Gateway 2.1 or 2.2| Put the following entries in customer_overrides.properties \n\nsecurity.WeakCipherSuite=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5\n\nsecurity.StrongCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA\n\nsecurity.AllCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5\n\nIBM recommends the use of strong ciphers in the configuration for adapters. \n \nProduct UIs (including Dashboard) for Sterling Integrator 5.1 or \nSterling File Gateway 2.1| \n\n 1. Upgrade Sterling Integrator to 5104_6 if Sterling Integrator version is lower than 5104_6 \n \n\n 2. 
Put following entry in customer_overrides.properties \n \nsecurity.dashboardCipherSuite=strong \nWSMQ adapters and services \n\nMQFTE adapters and services\n\nCD:Server adapters and services\n\nMEIG Message Configuration Adapter\n\n| IBM recommends the use of strong ciphers in the configuration for adapters and services and to not use the cipher with RSA_EXPORT. \nYou should verify applying this configuration change does not cause any compatibility issues. \n\n## ", "cvss3": {}, "published": "2018-06-16T19:43:40", "type": "ibm", "title": "Security Bulletin: Vulnerability with RSA Export Keys may affect IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-16T19:43:40", "id": "0A6B048D791B9CA5B8A7F84578627E062AF28A04FD8B46E740F53156760C3A63", "href": "https://www.ibm.com/support/pages/node/259743", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:41:25", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 that is used by IBM InfoSphere Guardium Data Redaction.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM InfoSphere Guardium Data Redaction: 2.5, 2.5.1\n\n## Remediation/Fixes\n\n_<Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Guardium Data Redaction| 2.5| _<APAR>_| [_http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=java-update-linux-SR16-FP3,java-update-win-SR16-FP3&includeSupersedes=0&source=fc_](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=java-update-linux-SR16-FP3,java-update-win-SR16-FP3&includeSupersedes=0&source=fc>) \nInfoSphere Guardium Data Redaction| 2.5.1| _<APAR or None>_| [_http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=java-update-linux-SR16-FP3,java-update-win-SR16-FP3&includeSupersedes=0&source=fc_](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=java-update-linux-SR16-FP3,java-update-win-SR16-FP3&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": 
"2018-07-16T10:15:46", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affects IBM InfoSphere Guardium Data Redaction (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-07-16T10:15:46", "id": "22FC3C4AB16FE88DB3814191930C500C23D3D5A997F90B8E43D2DA9E4803CA8A", "href": "https://www.ibm.com/support/pages/node/259059", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:36:36", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Full Profile that is used by WebSphere Business Services Fabric.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n * WebSphere Business Services Fabric V7.0\nFor earlier unsupported versions of the above product IBM recommends upgrading to a fixed, supported version of the product. \n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698613>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-08-19T18:23:31", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects WebSphere Business Services Fabric (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2022-08-19T18:23:31", "id": "3769AE0D61C3CBAA5EF7CFA7F8E4509D7350FB3569E072FD500CDFD6AC677A66", "href": "https://www.ibm.com/support/pages/node/258591", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:52:08", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL 
client and server vulnerability affects IBM\u00ae SDK Java\u2122 Technology Edition, Versions 1.6 and 1.7, that are used by IBM SPSS Analytic Server.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION**: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n\n\n## Affected Products and Versions\n\n * SPSS Analytic Server 1.0.1\n * SPSS Analytic Server 2.0\n\n## Remediation/Fixes\n\n \n[SPSS Analytic Server 1.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24039935>) \n[SPSS Analytic Server 2.0](<http://www.ibm.com/support/docview.wss?uid=swg24039934>)\n\n## ", "cvss3": {}, "published": "2018-06-16T13:14:14", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM SDK Java Technology Edition, Versions 1.6 and 1.7, affect IBM SPSS Analytic Server (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-16T13:14:14", "id": "2FF76E02773F487219316986D6FB9DBAF647611A435291298F156E3F77A86705", "href": "https://www.ibm.com/support/pages/node/263227", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:51:08", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Security Network Protection. The GSKit that is shipped with IBM Security Network Protection contains multiple security vulnerabilities including the FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. IBM Security Network Protection has addressed the applicable CVEs. \n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. 
\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n * IBM Security Network Protection 5.2\n * IBM Security Network Protection 5.3 \n\n## Remediation/Fixes\n\n**Product**\n\n| **Version**| **Remediation** \n---|---|--- \nIBM Security Network Protection| 5.2| [_5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/IBM+Security+Network+Protection&release=5.2&platform=All&function=all>) \nIBM Security Network Protection| 5.3| Firmware Update 5.3.0.5** **[_https://ibmss.flexnetoperations.com/_](<https://ibmss.flexnetoperations.com/>) \n \nYou should verify applying this fix does not cause any compatibility issues.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T21:23:31", "type": "ibm", "title": "Security Bulletin: Vulnerability in GSKit affects IBM Security Network Protection (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138"], "modified": "2018-06-16T21:23:31", "id": "3ADDA7A515910B96713F73A4DF63AC933CBAB97E7C6F12274D2F79C435DEBE21", "href": "https://www.ibm.com/support/pages/node/260243", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:09", "description": "## Summary\n\nIBM Tivoli Directory 
Server and IBM Security Directory Server are shipped as a component of IBM PureApplication System. Information about a security vulnerability affecting IBM Tivoli Directory Server and IBM Security Directory Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVEID: **[**CVE-2015-0138**](<https://vulners.com/cve/CVE-2015-0138>)\n\n**Description: \n**Consult the following security bulletin for vulnerability details and information about fixes: [Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698703>)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nPureApplication System versions 1.0, 1.1, and 2.0| IBM Tivoli Directory Server (all versions) \nIBM Security Directory Server (all versions) \n \n## ", "cvss3": {}, "published": "2018-06-15T07:02:43", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM Tivoli Directory Server and IBM Security Directory Server shipped with IBM PureApplication System. 
(CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-15T07:02:43", "id": "4B00A89752FB47CF5A737FD47C6BD4B45EAA5FCB935D94AFF74FE195C649C4A7", "href": "https://www.ibm.com/support/pages/node/258619", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:38:24", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Rational DOORS. The GSKit that is shipped with Rational DOORS contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. Rational DOORS has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-6221_](<https://vulners.com/cve/CVE-2014-6221>)** \nDESCRIPTION:** Random Data Generation using GSKit MSCAPI/MSCNG Interface Code does not generate cryptographically random data. An attacker could use this weakness to gain complete confidentiality and/or integrity compromise. 
\n\n**CVSS Base Score:** 8.8 \n**CVSS Temporal Score:** See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929>) for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:M/Au:N/C:C/I:C/A:N)\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\n**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n\n\n## Affected Products and Versions\n\nRational DOORS: 9.3.0.0 - 9.3.0.9, 9.4.0.0 - 9.4.0.3, 9.5.0.0 - 9.5.0.3, 9.5.1.0 - 9.5.1.4, 9.5.2.0 - 9.5.2.3, 9.6.0.0 - 9.6.0.2, 9.6.1.0 - 9.6.1.1 \n \nThe following Rational DOORS components are affected: \n\n * Rational DOORS desktop client\n * Rational DOORS database server\n * Rational DOORS interoperation server\n\n## Remediation/Fixes\n\nUpgrade to the fix pack that corresponds to the version of Rational DOORS that you are running, as shown in the following table. Upgrade the Rational DOORS client, the Rational DOORS database server, and the Rational DOORS interoperation server. \nYou should verify applying this fix does not cause any compatibility issues. 
\n \n\n\n**Rational DOORS version**| **Upgrade to fix pack** \n---|--- \n9.3 \n9.3.0.1 - 9.3.0.9| [9.3.0.10](<http://www.ibm.com/support/docview.wss?uid=swg24039556>) \n9.4 \n9.4.0.1 - 9.4.0.3| [9.4.0.4](<http://www.ibm.com/support/docview.wss?uid=swg24039555>) \n9.5 \n9.5.0.1 - 9.5.0.3| [9.5.0.4](<http://www.ibm.com/support/docview.wss?uid=swg24039554>) \n9.5.1 \n9.5.1.1 - 9.5.1.4| [9.5.1.5](<http://www.ibm.com/support/docview.wss?uid=swg24039553>) \n9.5.2 \n9.5.2.1 - 9.5.2.3| [9.5.2.4](<http://www.ibm.com/support/docview.wss?uid=swg24039552>) \n9.6.0 \n9.6.0.1 - 9.6.0.2| [9.6.0.3](<http://www.ibm.com/support/docview.wss?uid=swg24039551>) \n9.6.1 \n9.6.1.1| [9.6.1.2](<http://www.ibm.com/support/docview.wss?uid=swg24039550>) \n \n_For__ Rational DOORS version 9.2.x and earlier, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\nIf you are using Rational DOORS Web Access, after you upgrade _but before you start the Rational DOORS Web Access server_, edit the core configuration file and set the required version of the interoperation server to the version of the fix pack upgrade, as described in this procedure.\n\n**Procedure:**\n\n 1. To edit the Rational DOORS Web Access core configuration file, open the `festival.xml` file, which is in the `server\\festival\\config` directory. \n \n\n 2. Add the following line in the `<f:properties>` section: \n \n`<``**f:property name=\"interop.version\" value=\"9.n.n.n\"**`` /> \n \n`Replace \"`9.n.n.n`\" with the version of the fix pack upgrade: 9.3.0.10, 9.4.0.4, 9.5.0.4, 9.5.1.5, 9.5.2.4, 9.6.0.3, or 9.6.1.2. \n \n\n 3. Save and close the file. \n \n\n\nAfter this revision, only the specified version of the interoperation server can access the Rational DOORS database. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-05-01T08:19:24", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect Rational DOORS (CVE-2015-0138, CVE-2014-6221)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 9.4, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6221", "CVE-2015-0138"], "modified": "2020-05-01T08:19:24", "id": "4B4898216C827EB96D26A0262D74942D89F7588963EFDE5F0B6C1A3F12BEF660", "href": "https://www.ibm.com/support/pages/node/256997", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2023-02-21T01:50:59", "description": "## Summary\n\nGSKit, an IBM component, contains multiple vulnerabilities including \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. GSKit is used by IBM Tivoli Directory Server. IBM Tivoli Directory Server is used by IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business. \n \nOpenSSL is also affected by these vulnerabilities. IBM Security Access Manager for Web appliances use OpenSSL for secure connections to the embedded Tivoli Directory Server. \n \nIBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business have addressed the applicable CVEs. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n\n\n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli Access Manager for e-business 6.0, 6.1 and 6.1.1. \nIBM Security Access Manager for Web 7.0 (software installations) \nIBM Security Access Manager for Web 7.0 (appliances) \nIBM Security Access Manager for Web 8.0, firmware versions 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, and 8.0.1.0.\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation** \n---|---|---|--- \nIBM Tivoli Access Manager for e-business| 6.0 \n6.1 \n6.1.1| N/A| IBM recommends that you review your entire environment to identify vulnerable releases of LDAP and take appropriate mitigation and remediation actions. \n\nFollow the instructions in the LDAP security bulletin:[ Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698703>) \n \nIBM Security Access Manager for Web \n(software-based installation)| _7.0.0.0 - \n7.0.0.12 \n_| N/A| IBM recommends that you review your entire environment to identify vulnerable releases of LDAP and take appropriate mitigation and remediation actions. 
\n\nFollow the instructions in the LDAP security bulletin:[ Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698703>) \n \nIBM Security Access Manager for Web (appliance-based)| _7.0.0.0 -_ \n_7.0.0.12_ \n \n_8.0.0.0 - _ \n_8.0.1.0 \n_| N/A| IBM Security Access Manager for Web appliances use OpenSSL to connect to the embedded LDAP. Ensure that you have followed the instructions in the associated security bulletin: \n \nOpenSSL: <http://www.ibm.com/support/docview.wss?uid=swg21696550>\n\nIf you have any stand-alone installations of IBM LDAP, please ensure that you upgrade to the latest version of LDAP. Follow the instructions in the LDAP security bulletin: [_Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21698703>) \n \nFor Tivoli Access Manager for e-business 5.1, IBM recommends upgrading to a fixed, supported release of the product.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-16T21:23:22", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Tivoli Directory Server affect IBM Security Access Manager for Web and Tivoli Access Manager for e-business (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-16T21:23:22", "id": 
"A3A478C560F7D2D2CC57B2194BFC08E81927CA815E4B75181AB36C85C6CDFBBC", "href": "https://www.ibm.com/support/pages/node/258959", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:38:27", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Security/Tivoli Directory Server. The GSKit that is shipped with IBM Security/Tivoli Directory Server contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability, IBM Security/Tivoli Directory Server has addressed the applicable CVE. \n\n## Vulnerability Details\n\nCVEID: CVE-2015-0138 \n \nDESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n \n \nCVEID: CVE-2015-0159 \n \nDESCRIPTION: An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. 
\n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n5.3, 6.1, 7.1 \n\nVIOS 2.2.x\n\n## Remediation/Fixes\n\nThe GSKit package contains a fix and needs to be installed on AIX/VIOS systems. \n \n**The fixes for the GSKit components can be downloaded at the following link:** \n \n[Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698703>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2021-10-21T21:03:11", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server for AIX/VIOS (CVE-2015-0138, CVE-2015-0159)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0159"], "modified": "2021-10-21T21:03:11", "id": "41233F56616095DF27197F1AE5AAC2E0D379D31214D494042F1C98BDC97B33FC", "href": "https://www.ibm.com/support/pages/node/680517", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:47:05", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM MessageSight. 
The GSKit that is shipped with MessageSight contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. MessageSight has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)\n\n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3\n\n \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-0159_](<https://vulners.com/cve/CVE-2015-0159>)\n\n**DESCRIPTION:** An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations.\n\nCVSS Base Score: 2.6\n\n \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n\n## Remediation/Fixes\n\nYou should verify applying this fix does not cause any compatibility issues. 
\n \n \n\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_IBM MessageSight_| _1.1_| _IT07794_| _1.1.0.1-IBM-IMA-IFIT07794_ \n_IBM MessageSight_| _1.2_| _IT07794_| _1.2.0.0-IBM-IMA-IFIT07794_ \n \n## ", "cvss3": {}, "published": "2018-06-17T15:12:15", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM MessageSight (CVE-2015-0159, CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-17T15:12:15", "id": "885CA8FB43A58F0F7C3739F6B18DF2B4186ED924961D062FB7470BC8E4377B74", "href": "https://www.ibm.com/support/pages/node/257987", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:37:14", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 and 7 that are used by IBM Installation Manager and IBM Packaging Utility. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM Installation Manager and IBM Packaging Utility versions 1.8.2 and earlier.\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_IBM Installation Manager and IBM Packaging Utility_| _1.8.2.1_| _None_| [_1.8.2.1 IBM Installation Manager Remediation_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039708>) \n[_1.8.2.1 IBM Packaging Utility Remediation_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039709>) \n_IBM Installation Manager and IBM Packaging Utility_| _1.7.4.1_| _None_| [_1.7.4.1 IBM Installation Manager Remediation_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039707>) \n[_1.7.4.1 IBM Packaging Utility Remediation_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039706>) \n \n_Please note that the 1.7.4.1 fix is intended for upgrade of 1.7.4 and earlier versions which 
continue support on platforms that are NOT supported by 1.8 or later versions__._ \n \n## Workarounds and Mitigations\n\nYou should verify applying this configuration change does not cause any compatibility issues.\n\n## ", "cvss3": {}, "published": "2021-10-25T12:12:53", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect the IBM Installation Manager and IBM Packaging Utility (CVE-2014-6593 and CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138"], "modified": "2021-10-25T12:12:53", "id": "F06BAB24D9E4E17DD0677BA61DD3C1AC11E4C85147BBF86EE8D3A92E535C3E14", "href": "https://www.ibm.com/support/pages/node/258905", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:52:30", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Liberty Profile Version 8.5 that is used by IBM Cognos Business Intelligence Server 10.2.2 \n \nA security vulnerability has been discovered in GSKit 8.0 used by IBM Cognos Business Intelligence Server 10.2.2 \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n**CVEID:** [CVE-2015-0159](<https://vulners.com/cve/CVE-2015-0159>) \n**DESCRIPTION:** An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM Cognos Business Intelligence Server 10.2.2\n\n## Remediation/Fixes\n\n[IBM Cognos Business Intelligence 10.2, 10.2.1x and 10.2.2 Fixes](<http://www-01.ibm.com/support/docview.wss?uid=swg24039726>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T23:13:38", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and GSKit affect Cognos Business Intelligence (CVE-2015-0138, CVE-2015-0159)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": 
"PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-15T23:13:38", "id": "B4C4A21F2773A7F09B9F4A95E51575CEAAE74B2996859ABE1B9C4CB640C5C4BD", "href": "https://www.ibm.com/support/pages/node/260171", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:55:01", "description": "## Summary\n\nThe RC4 \"Bar Mitzvah\" for SSL/TLS may affect some configurations of WebSphere Application Server. NOTE: If you are configured for FIPS140-2, Suite B or SP800-131 in your Security>SSL certificate and key management then you are not affected by this vulnerability or your SSL communication for Liberty. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nThe following Versions of WebSphere Application Server may be affected: \n\n * Version 8.5 and 8.5.5 Full Profile and Liberty Profile \n * Version 8.0\n * Version 7.0\n * Version 6.1\n\n## Remediation/Fixes\n\nIf you are configured for FIPS140-2, Suite B or SP800-131 in your Security>SSL certificate and key management or your SSL communication for Liberty then you are not affected by this vulnerability. \n \nIf you use the IBM HTTP Server please refer to this bulletin [Vulnerability in RC4 stream ciphers affects IBM HTTP Server. ](<http://www-01.ibm.com/support/docview.wss?uid=swg21701072>) \n \n**_For ALL Versions and Editions:_** \nThe simplest way to remediate this vulnerability is to configure for FIPS140-2, Suite B or SP800-131 standards since these do not use RC4 stream ciphers. This can be configured in the Security>SSL Certificate and Key management. Refer to the [Knowledge Center](<http://www.ibm.com/support/knowledgecenter/en/SSEQTP/mapfiles/product_welcome_was.html>) for your WebSphere Application Server Version for the instructions. If you are using Liberty it can be found in the Enabling SSL configuration in the [Knowledge Center.](<https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/as_ditamaps/was900_welcome_liberty.html>) If you can not configure any of those standards then please refer below for your edition and version. \n \n \n**_For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition_**: \n \n**For V8.5.0.0 through 8.5.5.5 Full Profile:**\n\n * The Interim Fix for CVE-2015-0138 (FREAK, the vulnerability in RSA export keys) already contains the update to remove RC4 ciphers by default. 
Please refer to the [Security bulletin for RSA Export Keys (FREAK)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) and apply Interim Fix PI36563. If you are using custom ciphers, you will need to remove all RC4 ciphers from your custom list. \n\\--OR-- \n * Follow the mitigation section to mitigate your IBM Java SDK Versions 7 or 8. If you are using IBM Java SDK Version 6, you will need to create a \"CUSTOM\" list of ciphers that do not include any RC4 ciphers from your Application Server configuration. Please refer to the Knowledge Center for instructions on creating a custom cipher list.\n** \nFor 8.0.0.0 through 8.0.0.10:**\n\n * The Interim Fix for CVE-2015-0138 (FREAK, the vulnerability in RSA export keys) already contains the update to remove RC4 ciphers by default. Please refer to the [Security bulletin for RSA Export Keys (FREAK)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) and apply Interim Fix [PI36563.](<http://www-01.ibm.com/support/docview.wss?uid=swg24039583>) If you are using custom ciphers, you will need to remove all RC4 ciphers from your custom list. \n \n**For V7.0.0.0 through 7.0.0.37:**\n\n * The Interim Fix for CVE-2015-0138 (FREAK, the vulnerability in RSA export keys) already contains the update to remove RC4 ciphers by default. Please refer to the [Security bulletin for RSA Export Keys (FREAK)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) and apply Interim Fix [PI36563.](<http://www-01.ibm.com/support/docview.wss?uid=swg24039583>) If you are using custom ciphers, you will need to remove all RC4 ciphers from your custom list. \n \n**For V6.1.0.0 through 6.1.0.47:**\n\n * You must remove the RC4 ciphers from your configuration. You will need to create a \"CUSTOM\" list of ciphers that do not include any RC4 ciphers from your Application Server configuration. Please refer to the Knowledge Center for instructions on creating a custom cipher list. 
\n \n**_For IBM WebSphere Application Server Liberty Profile:_** \n \n**For V8.5.0.0 through 8.5.5.5 Full Profile:**\n\n * Upgrade to Fix Pack 8.5.5.4 or later (RC4 ciphers were removed by default)\n\\--**OR**\\-- \n\n * Apply the Interim Fix PI36563, which already contains the removal of RC4 ciphers by default. Please refer to the [Security bulletin for RSA Export Keys (FREAK)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) and apply Interim Fix [PI36563.](<http://www-01.ibm.com/support/docview.wss?uid=swg24039583>)\n**\\--OR--**\n\n * Follow the mitigation section to mitigate your IBM SDK, Java Technology Edition or your Oracle Java SDK. \n \n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change this setting you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \nFor unsupported versions IBM recommends upgrading to a fixed, supported version of the product. \n\n## Workarounds and Mitigations\n\n**_For the IBM SDK, Java Technology Edition that is used by IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:_** \n \n**For Java 7 or Java 8:**\n\n * Edit the java.security file and turn off RC4 by adding: `jdk.tls.disabledAlgorithms=SSLv3,RC4` \n \n**_For the IBM SDK, Java Technology Edition or Oracle Java SDK, that is used by IBM WebSphere Application Server Liberty Profile:_** \n\n\n * Edit the java.security file and turn off RC4 by adding: `jdk.tls.disabledAlgorithms=SSLv3,RC4` \n \n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. 
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \n\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:51", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-2808"], "modified": "2018-06-15T07:02:51", "id": "08C02FD421BC1A6098960FACBD1EF8272B1B868BCE24FDA719C6A6018F3DCEB5", "href": "https://www.ibm.com/support/pages/node/260551", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:19", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Tivoli Directory Server. The GSKit that is shipped with IBM Tivoli Directory Server contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. These vulnerabilities affect Tivoli Netcool Service Quality Manager.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n \n** \nCVEID:** [_CVE-2015-0159_](<https://vulners.com/cve/CVE-2015-0159>) \n** \nDESCRIPTION:** An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. \n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100835> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nThese vulnerabilities affect Tivoli Netcool Service Quality Manager 4.1.4\n\n## Remediation/Fixes\n\nIBM has provided patches for all affected versions. \nThe fix for IBM Tivoli Directory Server could be downloaded from the IBM Fix Central site: \n<http://www-01.ibm.com/support/docview.wss?uid=swg21698703> \n \nThe restart of the TNSQM instance is required after an appropriate patch is applied. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T14:57:45", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Tivoli Directory Server affect Tivoli Netcool Service Quality Manager (CVE-2015-0138, CVE-2015-0159)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-17T14:57:45", "id": "7E53813A1806C8C6C6572C9F568D0557B65DFC477AC0891E6560D9C6C4FE037C", "href": "https://www.ibm.com/support/pages/node/259057", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:51:01", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web. The GSKit that is shipped with IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n * IBM Tivoli Access Manager for e-business versions 6.0, 6.1, 6.1.1 \n * IBM Security Access Manager for Web version 7.0 software \n * IBM Security Access Manager for Web version 7.0 appliance, all firmware versions \n * IBM Security Access Manager for Web version 8.0 appliance, all firmware versions \n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\n \nThe following steps describe how to mitigate this vulnerability for the affected releases. \n \n \n**1) Apply security patch** \n \n \nSecurity patches have been provided for all versions of IBM Tivoli Access Manager for e-business (TAMeb) and IBM Security Manager for Web (ISAM for Web). The mitigations for the GSKit FREAK vulnerability require that these patches be installed first. Please read the security bulletins provided in the table below for your product version for instructions on obtaining and applying the necessary security patches. \n \n**Important** \u2013 these patches **must** be applied before moving onto step two \u201cApplying mitigation\u201d following. 
\n \n\n\nProduct | Link to security bulletin \n---|--- \nIBM Tivoli Access Manager for e-business | [_Security Bulletin: Vulnerability in SSLv3 affects IBM Tivoli Access Manager for e-business (CVE-2014-3566)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21691605>) \nIBM Security Access Manager for Web | [Security Bulletin: Vulnerability in SSLv3 affects IBM Security Access Manager (CVE-2014-3566)](<http://www-01.ibm.com/support/docview.wss?uid=swg21691604>) \n \n \n**2) Apply mitigation** \n \n \n**_Mitigation for all TAMeb versions and ISAM for Web 7.0 software version _** \n \n1). Download the latest version of GSKit, 7.0.5.5 or 8.0.50.41, for your currently installed TAMeb or ISAM version - \n\n\n * [**IBM Security Access Manager for Web 7.0.0**](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=All&function=fixId&fixids=7.0.0-ISS-SAM-IF0011&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)** **\n * [**Tivoli Access Manager for e-business 6.1.1**](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.1.1.13&platform=All&function=fixId&fixids=6.1.1-ISS-TAM-IF0014&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)\n * [**Tivoli Access Manager for e-business 6.1.0**](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.1.0.16&platform=All&function=fixId&fixids=6.1.0-ISS-TAM-IF0017&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)** **\n * [**Tivoli Access Manager for e-business 
6.0.0**](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.0.0.35&platform=All&function=fixId&fixids=6.0.0-ISS-TAM-IF0036&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)\n \n2). Shut down all running instances of WebSEAL on the machine for which these instructions are to be followed. \n \n3). **For all ISAM and TAMeb versions.** On all machines hosting WebSEAL, if the following environment variables have been set \u2013 \n \nGSK_V2_CIPHER_SPECS \nGSK_V3_CIPHER_SPECS \n \nremove all references to the following cipher numbers \u2013 \n \n03 06 62 64 \n \n4). **For ISAM 7.0 only**. For each instance of WebSEAL, under the [ssl] stanza remove all references to the following RSA_EXPORT ciphers from both the gsk_attr_name and the jct_gsk_attr_name attributes - \n \nLong Name \n\\----------------------------------- \nTLS_RSA_EXPORT_WITH_RC4_40_MD5 \nTLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 \nTLS_RSA_EXPORT1024_WITH_RC4_56_SHA \nTLS_RSA_EXPORT1024_WITH_DES_CBC_SHA \n \n**Note** \\- any instance of the long names for the above ciphers should be removed. \n \n5). **For all TAMeb and ISAM versions.** For all instances of WebSEAL, if the GSKit environment variables have been correctly configured as outlined in step two above and the value of ssl-qop-mgmt within the WebSEAL configuration file is currently set to \u201cNo\u201d or \u201cFalse\u201d, then no additional actions are required. Skip to step six below. 
\n \nFor all instances of WebSEAL, if the ssl-qop-mgmt attribute is set to \u201cYes\u201d or \u201cTrue\u201d and the default attribute is set to \u201cALL\u201d then redefine the default attribute values to include a subset of ciphers ensuring that the following are **not** present - \n \ndefault = RC4-40 \ndefault = RC2-40 \ndefault = DES-56 \ndefault = DES-56-62 \ndefault = RC4-56 \n\nFinally, for all instances of WebSEAL with alternative ssl-qop-mgmt configurations ensure that all references to the following ciphers are removed -\n\ndefault = RC4-40\n\n \ndefault = RC2-40 \ndefault = DES-56 \ndefault = DES-56-62 \ndefault = RC4-56 \n\n6). For all instances of WebSEAL, if not already done, set the following environment variable during WebSEALs start up process -\n\n \n \nGSK_STRICTCHECK_CBCPADBYTES = GSK_FALSE \n \n**Important** \\- If this environment variable is already set then it can remain in place. It should not have any effect on this mitigation plan. \n \n7). Upgrade to GSKit, 7.0.5.5 or 8.0.50.41, using the instructions provided in the readme of their respective releases. \n \n8). Restart all instances of WebSEAL. \n \n \n**_Mitigation for all ISAM for Web 7.0 and 8.0 appliance versions _** \n \n1). 
Download the GSKit 8.0.50.41 appliance fix packs for the product version - \n\n\n * [**IBM Security Access Manager for Web 8.0.1.0 IF0002**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0&platform=All&function=all>)\n * [**IBM Security Access Manager for Mobile 8.0.1.0 IF0002**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Security+Access+Manager+for+Mobile&release=8.0.1.0&platform=All&function=all>)\n * [**IBM Security Access Manager for Web (WGA) 7.0.0 IF0011**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=All&function=all>)\n * [**IBM Single Sign On for Bluemix v2 Identity Bridge 8.0.1.0 IF0002**](<http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FTivoli%2FIBM+Single+Sign-On+for+Bluemix&fixids=8.0.1-ISS-SSOBluemix-IF0002&source=SAR&function=fixId&parent=Security%20Systems>)\n \n2). Shut down all instances of the Reverse Proxy hosted by the appliance where these instructions are to be followed. \n \n3). For each instance of Reverse Proxy, open its configuration file using the following instructions - \n \n1\\. Select 'Secure Web Settings -> Reverse Proxy' from the menu bar; \n2\\. Select the Reverse Proxy instance; \n3\\. Select 'Manage -> Configuration -> Edit Configuration File' from the menu. \n \n4). 
For each instance of Reverse Proxy, under the [ssl] stanza remove all references to the following RSA_EXPORT ciphers from both the gsk_attr_name and the jct_gsk_attr_name attributes - \n \nLong Name \n\\----------------------------------- \nTLS_RSA_EXPORT_WITH_RC4_40_MD5 \nTLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 \nTLS_RSA_EXPORT1024_WITH_RC4_56_SHA \nTLS_RSA_EXPORT1024_WITH_DES_CBC_SHA \n \n**Note** \\- any instance of the long names for the above ciphers should be removed. \n \n5). For all instances of the Reverse Proxy, if the ssl-qop-mgmt attribute is set to \u201cYes\u201d or \u201cTrue\u201d and the default attribute is set to \u201cALL\u201d, then redefine the default attribute values to include a subset of ciphers, ensuring that the following are **not** present - \ndefault = RC4-40 \ndefault = RC2-40 \ndefault = DES-56 \ndefault = DES-56-62 \ndefault = RC4-56 \n\nFinally, for all instances of the Reverse Proxy with alternative ssl-qop-mgmt configurations, ensure that all references to the following ciphers are removed -\n\ndefault = RC4-40 \ndefault = RC2-40 \ndefault = DES-56 \ndefault = DES-56-62 \ndefault = RC4-56 \n\n6). For each instance of Reverse Proxy, if not already set, set the following attribute and value under the [ssl] stanza - \n \ngsk-attr-name = enum:471:0 \njct-gsk-attr-name = enum:471:0 \n \n**Note** \\- If this attribute is already set, then it can remain in place. It should not have any effect on the mitigation plan. \n \n7). For each instance of Reverse Proxy, save and deploy the changes. \n \n8). Upgrade to GSKit 8.0.50.41 by applying the appliance fix pack using the following instructions - \n \n1). Click Manage, and then click Fix Packs. \n2). In the Fix Packs pane, click New. \n3). In the Add Fix Pack window, click Browse to locate the fix pack file, and then click Open. \n4). Click Submit to install the fix pack. \n \n9). Once the appliance has restarted, verify that all Reverse Proxy servers have restarted successfully. 
\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2018-06-16T21:23:04", "type": "ibm", "title": "Security Bulletin: Vulnerability in GSKit affects Tivoli Access Manager for e-business and Security Access Manager for Web (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2015-0138"], "modified": "2018-06-16T21:23:04", "id": "FEFAC1672FAF9DBC8B3886836AAAA4CFF66280311554CE3CF62DDC395A9ACFEE", "href": "https://www.ibm.com/support/pages/node/257381", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:51:04", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Security/Tivoli Directory Server. 
The GSKit that is shipped with IBM Security/Tivoli Directory Server contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. IBM Security/Tivoli Directory Server has addressed the applicable CVE.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0159_](<https://vulners.com/cve/CVE-2015-0159>) \n \n**DESCRIPTION:** An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. 
\n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n * IBM Tivoli Directory Server (ITDS) versions 6.0, 6.1, 6.2, 6.3\n * IBM Security Directory Server (ISDS) version 6.3.1\n\n## Remediation/Fixes\n\n**Affected Product Name and Release**\n\n| **Fix level**| **GSKit version** \n---|---|--- \nISDS 6.3.1| [6.3.1.9-ISS-ISDS-IF0009](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.3.1.9&platform=All&function=all>)| GSKit 8.0.50.41 \nITDS 6.3| [6.3.0.35-ISS-ITDS-IF0035](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.3.0.35&platform=All&function=all>)| GSKit 8.0.50.41 \nITDS 6.2| [6.2.0.42-ISS-ITDS-IF0042](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.2.0.42&platform=All&function=all>)| GSKit 7.0.5.5 \nITDS 6.1| [6.1.0.66-ISS-ITDS-IF0066](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.1.0.66&platform=All&function=all>)| GSKit 7.0.5.5 \nITDS 6.0| [6.0.0.73-ISS-ITDS-IF0073](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.0.0.73&platform=All&function=all>)| GSKit 7.0.5.5 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T21:23:03", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)", "bulletinFamily": "software", "cvss2": {"severity": 
"MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-16T21:23:03", "id": "54BA402EA4BCED74476FC47E21B8C6DC1348A1A387EEBD705C63AACC1ABC570B", "href": "https://www.ibm.com/support/pages/node/257129", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:52:07", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM SPSS Collaboration and Deployment Services.\n\n## Vulnerability Details\n\n \n**CVEID**: [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION**: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nSPSS Collaboration and Deployment Services: 4.2.1, 5.0, 6.0, 7.0\n\n## Remediation/Fixes\n\n * [SPSS Collaboration and Deployment Services 4.2.1 Interim Fix installs JRE 6.0.16.3 Update to address security vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg24039876>)\n * [SPSS Collaboration and Deployment Services 5.0 Interim Fix installs JRE 6.0.16.3 Update to address security vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg24039877>)\n * [SPSS Collaboration and Deployment Services 6.0 Interim Fix installs JRE 6.0.16.3 Update to address security vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg24039878>)\n\n## Workarounds and Mitigations\n\nSPSS Collaboration and Deployment Services 7.0 \n \nDisable the RC4 cipher. \n \nDetailed steps: \n\n 1. Install the JRE security update that addresses CVE-2015-0138 - \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" vulnerability in TLS/SSL client and server. The Security Bulletin is located here: [http://www.ibm.com/support/docview.wss?uid=swg21699579](<http://www-01.ibm.com/support/docview.wss?uid=swg21699579>) \n \n\n 2. For each affected JRE, locate the file <install-dir>/jre/lib/security/java.security and make a backup copy. Then, using a text editor, change the value of the property jdk.tls.disabledAlgorithms to include RC4. \n \nFor example: \njdk.tls.disabledAlgorithms=SSLv3, RC4\n \nThis modification is applicable to the JRE used in BIRT Designer, Deployment Manager, Enterprise View Driver and Remote Scoring Server. Additionally, we advise that applicable JRE updates are installed on the Java Application Server where Repository Services Server is installed. 
\n \nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {}, "published": "2018-06-16T13:14:44", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher in IBM SDK Java Technology Edition, Versions 1.6 and 1.7 affects IBM SPSS Collaboration and Deployment Services (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-2808"], "modified": "2018-06-16T13:14:44", "id": "2FB4FF139EDC1B119C8ACAD6329B87D66299B1B8A6E243F0B8077975B5DFD305", "href": "https://www.ibm.com/support/pages/node/262497", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:37:46", "description": "## Summary\n\nGSKit is an IBM component that is used by InfoSphere BigInsights. The GSKit that is shipped with InfoSphere BigInsights contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. 
InfoSphere BigInsights has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0159_](<https://vulners.com/cve/CVE-2015-0159>) \n**DESCRIPTION:** An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. You are not affected if you do not use TLS 1.2. \n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nCustomers who have Secure Sockets Layer (SSL) support enabled in their Big SQL component are affected. SSL support is not enabled in Big SQL by default. \n \nIBM InfoSphere BigInsights 3.0, 3.0.0.1 and 3.0.0.2\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the appropriate fix for this vulnerability. 
\n \nFor versions 3.0, 3.0.0.1, and 3.0.0.2: Please contact technical support to obtain a fix for this issue. \n\n## ", "cvss3": {}, "published": "2021-04-08T20:59:42", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect InfoSphere BigInsights (CVE-2015-0138, CVE-2015-0159)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0159"], "modified": "2021-04-08T20:59:42", "id": "41E28066AA2C3218C163447E6DEC287793F1F01FABF7D32B958220AD8A07D8F1", "href": "https://www.ibm.com/support/pages/node/261017", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:49:00", "description": "## Summary\n\nThis security bulletin is a notice of security vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 and in Apache Tomcat server, version 6, which impact IBM Rational Directory Server 5.2.x, 5.1.1.x and Rational Directory Administrator 6.x.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-0227_](<https://vulners.com/cve/CVE-2014-0227>) \n**DESCRIPTION:** Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.\n\n \n\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100751>_ for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n**Product**\n\n| **Version** \n---|--- \nRational Directory Server (Tivoli) | 5.2 - 5.2.1_iFix005 \nRational Directory Server (Apache)| 5.1.1 - 5.1.1.2_iFix006 \nRational Directory Administrator| 6.0 - 6.0.0.2 \n \n## Remediation/Fixes\n\n**Product**\n\n| **Download link** \n---|--- \nIBM Rational Directory Server 5.2 (Tivoli) and above| [_RDS 5.2.1 iFix006_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039681>) \nIBM Rational Directory Server 5.1.1 (Apache) and above| [_RDS 5.1.1.2 iFix007_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039683>) \nIBM Rational Directory Administrator 6.0 and above| [_RDA 6.0.0.2 iFix01_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039664>) \n \nYou should verify applying this fix does not cause any compatibility issues. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:07", "type": "ibm", "title": "Security Bulletin: Rational Directory Server and Rational Directory Administrator can be affected by vulnerabilities (CVE-2015-0138 and CVE-2014-0227)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0227", "CVE-2015-0138"], "modified": "2018-06-17T05:01:07", "id": "8E52B580FD40A2463235A900C053978088551052E8CED206AAA5FACA17727B55", "href": "https://www.ibm.com/support/pages/node/258593", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:58", "description": "## Summary\n\nIBM DB2 is shipped as a component of WebSphere Remote Server. Information about security vulnerabilities affecting IBM DB2 has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nFor vulnerability details, see the security bulletin** **[**_Vulnerabilities in GSKit affect IBM\u00ae DB2\u00ae (CVE-2015-0138, CVE-2015-0159 and CVE-2014-6221)_**_._](<http://www.ibm.com/support/docview.wss?uid=swg21699543>)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nWebSphere Remote Server version V6.2, V6.2.1, 7.0, 7.1, 8.5 | IBM DB2 Workgroup Server Edition \nV9.5, 9.7, 10.1, 10.5 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:02:53", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM DB2 shipped with WebSphere Remote Server (CVE-2015-0138, CVE-2015-0159 and CVE-2014-6221)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 9.4, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6221", "CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-15T07:02:53", "id": "14BBFA6B49B2B32EC845FF39AD1F8D82849547A8D26A823F85483D3C123772AE", "href": "https://www.ibm.com/support/pages/node/260751", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2023-02-21T01:37:16", "description": "## Summary\n\nGSKit is an IBM component that is used by Security Access Manager components on DataPower. The GSKit that is shipped with Security Access Manager contains several security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. 
The Security Access Manager components on DataPower have addressed the applicable CVEs. \n \nBoth the Access Manager Reverse Proxy introduced in DataPower version 7.1 and the Access Manager Client are affected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0159_](<https://vulners.com/cve/CVE-2015-0159>) \n \n**DESCRIPTION:** An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. \n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM DataPower Gateway appliances, all versions through 6.0.0.12, 6.0.1.8, 7.0.0.5, 7.1.0.3\n\n## Remediation/Fixes\n\nA fix is available in versions 6.0.0.13, 6.0.1.9, 7.0.0.6, 7.1.0.4. 
Refer to [APAR IT07604](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT07604>). \n \nThe remediation for CVE-2015-0138 also remediates CVE-2014-8730 \"TLS Padding Vulnerability\" (also known as \"POODLE 2\"). Communication errors can occur if both ends of the TLS connection do not observe the same strict CBC padding checks that the POODLE 2 remediation requires. See the Workarounds and Mitigations section below for more detail. \n\n_For DataPower customers using versions 5.x and older versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nYou should verify that applying this fix does not cause any compatibility issues. \n \nThe remediation for CVE-2014-8730 enforces strict CBC padding checks by the client. If the server does not implement strict CBC padding checks, the client will reject the TLS data packet and report an error. \n \nIBM STRONGLY recommends that all servers in the Access Manager environment be upgraded to a version of GSKit (or third-party SSL stack) that remediates the TLS Padding Vulnerability (CVE-2014-8730). If clients and servers are mismatched with respect to this remediation, intermittent communication errors can occur when the client expects strict padding and the server does not implement it. 
\n \n\n\n## ", "cvss3": {}, "published": "2021-06-08T22:18:27", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect Security Access Manager for DataPower (CVE-2015-0159, CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8730", "CVE-2015-0138", "CVE-2015-0159"], "modified": "2021-06-08T22:18:27", "id": "EBC1C6CDC42FFB6CBAA0946487190015CE14CE671172E8DB970CA2D247556358", "href": "https://www.ibm.com/support/pages/node/258923", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:55:02", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6.0 that is used by WebSphere Business Compass. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n \n \n**CVEID**: [CVE-2015-0395](<https://vulners.com/cve/CVE-2015-0395>) \n**DESCRIPTION**: An unspecified vulnerability related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100143> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n\n\n**CVEID:** [CVE-2015-0410](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nThis vulnerability affects WebSphere Business Compass V7.0.0.4.\n\n## Remediation/Fixes\n\nTo fully mitigate these vulnerabilities, an additional fix for IBM WebSphere Application Server is required for WebSphere Business Compass V7.0.0.4 ([PI37014](<http://www.ibm.com/support/docview.wss?uid=swg24039698>)). 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:47", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Business Compass (CVE-2015-0138, CVE-2015-0395, CVE-2015-0410)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0395", "CVE-2015-0410"], "modified": "2018-06-15T07:02:47", "id": "81047986010C961F0CCF8408EE2B3A547524F7496722224C588139E9A9D7DB26", "href": "https://www.ibm.com/support/pages/node/260251", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:55:00", "description": "## Summary\n\nWebSphere MQ is shipped as a component of WebSphere Remote Server. Information about a security vulnerability affecting WebSphere MQ has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nFor vulnerability details, see the security bulletin [**_Vulnerabilities in GSKit affect IBM WebSphere MQ (CVE-2015-0159, CVE-2015-0138 and CVE-2014-6221)_**_._](<http://www.ibm.com/support/docview.wss?uid=swg21699055>)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nWebSphere Remote Server \nV7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere MQ \nV7.0, 7.0.1, 7.1, 7.5, 8.0 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:02:51", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere MQ shipped with WebSphere Remote Server (CVE-2015-0159, CVE-2015-0138 and CVE-2014-6221)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 9.4, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6221", "CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-15T07:02:51", "id": "BA9A0F723D5B8F641EEA021DCFA0290BCCA064A65992E8781648D9FEEF4982C3", "href": "https://www.ibm.com/support/pages/node/260535", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2023-02-21T01:51:10", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 that is used by IBM Security SiteProtector System. These issues were disclosed as part of the IBM Java SDK updates in January 2015. 
This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \n \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n \n \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\nIBM Security SiteProtector System 3.0, 3.1.0 and 3.1.1\n\n## Remediation/Fixes\n\nApply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view: \n \n**For SiteProtector 3.0:** \n \nSiteProtector Core Component: ServicePack3_0_0_7.xpu \nEvent Collector Component: RSEvntCol_WINNT_ST_3_0_0_6.xpu \nAgent Manager Component: AgentManager_WINNT_XXX_ST_3_0_0_37.xpu \n \n \n**For SiteProtector 3.1.0:** \n \nSiteProtector Core Component: ServicePack3_1_0_4.xpu \nEvent Collector Component: RSEvntCol_WINNT_ST_3_1_0_4.xpu \nAgent Manager Component: AgentManager_WINNT_XXX_ST_3_0_0_19.xpu \n \n \n**For SiteProtector 3.1.1:** \n \nSiteProtector Core Component: ServicePack3_1_1_2.xpu \nEvent Collector Component: RSEvntCol_WINNT_ST_3_1_1_2.xpu \nAgent Manager Component: AgentManager_WINNT_XXX_ST_3_0_0_7.xpu \nUpdate Server Component: UpdateServer_3_1_1_2.pkg \nEvent Archiver Component: EventArchiver_3_1_1\u00ad_2.pkg \nEvent Archiver Importer Component: EventArchiverImporter_3_1_1_2.zip \nManual Upgrader Component: MU_3_1_1_3.xpu\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T21:23:11", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System (CVE-2014-6593, CVE-2015-0138 , CVE-2015-0410)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 
5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2018-06-16T21:23:11", "id": "A49F9EFECEFD840DBA180620BA6247AF2908F0E8D2F8C691E6322205046D5645", "href": "https://www.ibm.com/support/pages/node/258085", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:38:02", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, that is used by Rational Developer for System z. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nRational Developer for System z, versions 9.1.x, 9.0.x, 8.5.x, 8.0.x | \n\n * IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 8 and earlier releases\n * IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 2 and earlier releases\n * IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 2 and earlier releases\n * IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 and earlier releases\n * IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 2 and earlier releases \n \n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nBy default Rational Developer for System z relies on System SSL defaults for active cipher suites, and by default, System SSL enables the RSA-EXPORT cipher suites for SSLv3 and TLSv1.0 (The cipher is not supported in TLSv1.1 and TLSv1.2). 
\nThe RSA-EXPORT ciphers are:\n\n * TLS_RSA_EXPORT_WITH_RC4_40_MD5 (\"03\" or \"0003\") \n * TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (\"06\" or \"0006\")\n \n \nYou can explicitly disable the use of the RSA-EXPORT ciphers by adding the GSK_V3_CIPHER_SPECS environment variable, ensuring that the environment variable character string does not include ciphers \"03\" or \"06\". \n \nRational Developer for System z has two components that use System SSL: \n\n * RSE, which is used when a client connects to the host. You must specify the GSK_V3_CIPHER_SPECS environment variable in rsed.envvars, by default located in /etc/rdz. \n * Debug Manager, by means of an AT-TLS policy. You must create a file holding the GSK_V3_CIPHER_SPECS environment variable and reference it via the Envfile keyword in the TTLSGroupAdvancedParms section.\n \n**Notes:**\n\n * The RSED started task must be recycled for changes in rsed.envvars to be picked up. \n * The AT-TLS policy must be re-activated for the update to be picked up.\n\n\nYou should verify that applying this configuration change does not cause any compatibility issues.\n\n## ", "cvss3": {}, "published": "2020-10-27T15:51:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for System z CVE-2015-0138", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2020-10-27T15:51:50", "id": "3087E890AD1B34329596C16C2C76C102E962CDA62DC06323CFC97E0BC299949A", 
"href": "https://www.ibm.com/support/pages/node/259571", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:38:03", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM Rational Synergy. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 4 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\n * Rational Synergy release 7.2.1.3 ifix01 or earlier. \n * Rational Synergy release 7.2.0.7 or earlier. \n * Rational Synergy release 7.1.0.7.005 or earlier.\n\n## Remediation/Fixes\n\nReplace the JRE used in Rational Synergy. \n \n**Steps to download and replace JRE in Rational Synergy:** \n1\\. Open the list of [_Synergy downloads on Fix Central_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Synergy&release=All&platform=All&function=all&source=fc>)\n\n2\\. 
Select the SDK and Readme for Rational Synergy that apply to your release, as follows: \n \n**Note:** The fix uses the following naming convention: \n**_<V.R.M.F>_-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-_<platform>_** \n \nwhere <V.R.M.F> = release and <platform> = operating system.\n\n * Rational Synergy 7.2.1 (uses 7.2.1.3 release designation), for example **7.2.1.3-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-Linux**\n * Rational Synergy 7.2.0 (uses 7.2.0.7 release designation), for example **7.2.0.7-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-Windows**\n * Rational Synergy 7.1 (uses 7.1.0.7 release designation), for example **7.1.0.7-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-AIX** or **7.1.0.7-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-Solaris**\n\n3\\. Follow the steps in the [_Install instructions_](<http://www.ibm.com/support/docview.wss?uid=swg27042896>) to replace the JRE.\n\n \nFollow the steps in the [_HPUX Install Instructions_](<http://www.ibm.com/support/docview.wss?uid=swg27045456>) to replace the JRE if your Synergy platform is on HPUX. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-12-22T16:37:26", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Synergy (CVE-2015-0138, CVE-2014-6593,CVE-2015-0410)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2020-12-22T16:37:26", "id": "6A04D5E4C99A2F50DCD4C5B4FAF20AD2C3B16AD9EA922F5FEE4DF718AE506672", "href": "https://www.ibm.com/support/pages/node/258745", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:38:02", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 6 and 7 that is used by Rational Developer for System z. These issues were disclosed as part of the IBM Java SDK updates in January 2015. 
This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nRational Developer for System z, versions 9.1.x, 9.0.x, 8.5.x| \n\n * IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 FP3 and earlier\n * IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 FP10 and earlier \n \n## Remediation/Fixes\n\nIBM has provided patches for all affected versions. \n \nFollow the installation instructions in the README files included with the patch. 
\n \nThe fix can be obtained at the following locations: \n\n\n * [Rational Developer for System z Interim Fix 3 for 8.5.x](<http://www-01.ibm.com/support/docview.wss?uid=swg24039791>)\n * [Rational Developer for System z Interim Fix 3 for 9.0.x](<http://www-01.ibm.com/support/docview.wss?uid=swg24039792>)\n * [Rational Developer for System z Interim Fix 3 for 9.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg24039793>)\n\n## ", "cvss3": {}, "published": "2020-10-27T15:51:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for System z (CVE-2015-0138, CVE-2015-0410, CVE-2014-6593)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2020-10-27T15:51:50", "id": "86342A16183C947600A2D12FE2134D8199BF66CC53E099BBBD76E9F235DE5D41", "href": "https://www.ibm.com/support/pages/node/261495", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:55:11", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7R1 Service Refresh 2 and earlier releases that is used by IBM MQLight. These issues were disclosed as part of the IBM Java SDK updates in January 2015. 
This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score. \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\nThe vulnerabilities affect users of IBM MQ Light V1.0 and V1.0.0.1 on all platforms.\n\n## Remediation/Fixes\n\nDownload and install the appropriate MQ Light Server for your platform as shown below: \n \n\n\n**Platform**| **License Type**| **APAR**| **Remediation/Fix** \n---|---|---|--- \nWindows| Developer| IT07780| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-developer-L150325-IT07780&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-developer-L150325-IT07780&includeSupersedes=0>) \nWindows| Production| IT07780| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-production-L150325-IT07780&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Windows-x64-production-L150325-IT07780&includeSupersedes=0>) \nLinux| Developer| IT07780| 
[http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-developer-L150325-IT07780&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-developer-L150325-IT07780&includeSupersedes=0>) \nLinux| Production| IT07780| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-production-L150325-IT07780&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Linux-x64-production-L150325-IT07780&includeSupersedes=0>) \nMac| Developer| IT07780| [http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Mac-x64-developer-L150325-IT07780&includeSupersedes=0](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/IBM+MQ+Light&release=All&platform=All&function=fixId&fixids=IBM-MQ-Light-Mac-x64-developer-L150325-IT07780&includeSupersedes=0>) \n \nThe following link describes how to re-use the data from your existing installation: \n[_http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm _](<http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:40", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Light (CVE-2014-6593, CVE-2015-0410)", "bulletinFamily": "software", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2018-06-15T07:02:40", "id": "7E327BBFF3C6248340BB4D02D0AED4CFA65A1C13329D0793D3B72E11E963D084", "href": "https://www.ibm.com/support/pages/node/257819", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:51:34", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 SR8 that is used by IBM B2B Advanced Communications. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\nIBM Multi-Enterprise Integration Gateway 1.0 - 1.0.0.1 \nIBM B2B Advanced Communications 1.0.0.2\n\n## Remediation/Fixes\n\nThe recommended solution is to upgrade to the current release as soon as practical. Please see below for information about the fixes available. 
\n \n\n\n**_Fix_**| **_VRMF_**| **_APAR_**| **_How to acquire fix_** \n---|---|---|--- \nInterim Fix 1.0.0.2_2| 1.0.0.2| IT07760| IBM Fix Central > [IBM_Multi-Enterprise_Integration_Gateway_V1.0.0.1_3_iFix_Media](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Multi-Enterprise+Integration+Gateway&release=1.0.0.1&platform=All&function=fixId&fixids=IBM_Multi-Enterprise_Integration_Gateway_V1.0.0.1_3_iFix_Media&includeSupersedes=0>), [B2B_Advanced_Communications_V1.0.0.2_2_iFix_Media](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Multi-Enterprise+Integration+Gateway&release=1.0.0.2&platform=All&function=fixId&fixids=IBM_B2B-Advanced_Communications_V1.0.0.2_2_iFix_Media&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T19:43:33", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM B2B Advanced Communications (CVE-2015-0138, CVE-2014-6593, CVE-2015-0410)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2018-06-16T19:43:33", "id": "B2AF94E4B4104CFC171D34D738F1AFC4758C45D61D537CBC43031028CB7E0EA4", "href": "https://www.ibm.com/support/pages/node/259077", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:55:05", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition. 
These vulnerabilities affect WebSphere DataPower XC10 versions 2.1 and 2.5. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\u201d TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange cipher suite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n## Affected Products and Versions\n\nWebSphere DataPower XC10 Appliance 2.1 \nWebSphere DataPower XC10 Appliance 2.5 \nWebSphere DataPower XC10 Virtual Appliance 2.5\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nWebSphere DataPower XC10 Appliance| 2.1| IT07840| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all>) \nWebSphere DataPower XC10 Appliance| 2.5| IT07840| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all>) \nWebSphere DataPower XC10 Virtual Appliance| 2.5| IT07840| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nThe only mitigation is to apply the recommended fix. 
If you are using the WebSphere eXtreme Scale Java client to communicate with the appliance, a fix must be applied to the client as well, if that client is used to make SSL connections to servers other than the appliance. Refer to CVE-2015-0138 in the latest WebSphere eXtreme Scale security bulletin for more information. \n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:45", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere DataPower XC10 Appliance: CVE-2015-0138, CVE-2014-6593, CVE-2015-0410", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2018-06-15T07:02:45", "id": "6D535A3AEF65DAA651A7961CBD4354AE631F476BC694CF73D20623E7518799AB", "href": "https://www.ibm.com/support/pages/node/260341", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:35:09", "description": "## Abstract\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 that is used by the following IMS\u2122 Enterprise Suite components: Connect API for Java, SOAP Gateway, and Explorer for Development. These issues were disclosed as part of the IBM Java SDK updates in January 2015. 
This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\u201d TLS/SSL client and server vulnerability.\n\n## Content\n\n**Vulnerability Details** \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**AFFECTED PRODUCTS and VERSIONS:** \nExplorer for Development of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier. \nThe SOAP Gateway component of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier. \nConnect API for Java component of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier. \n \n**REMEDIATION:** \nThe recommended solution is to apply the fix as soon as is practical. Please see below for information on the fixes available. \n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**AFFECTED PRODUCTS and VERSIONS:** \nExplorer for Development of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier. \nThe SOAP Gateway component of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier. \nConnect API for Java component of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier. \n \n**REMEDIATION:** \nThe recommended solution is to apply the fix as soon as is practical. Please see below for information on the fixes available. \n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n**AFFECTED PRODUCTS and VERSIONS:** \nExplorer for Development of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier. \nThe SOAP Gateway component of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier. \nConnect API for Java component of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier. \n \n**REMEDIATION:** \nThe recommended solution is to apply the fix as soon as is practical. Please see below for information on the fixes available. 
\n \n**Fixes:** \n \n**_Product_**| **_VRMF_**| **_APAR_**| **_Download URL_** \n---|---|---|--- \n_IMS Enterprise Suite Connect API for Java V3.1_| _3.1.0.7_| _N/A_| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite>) Please follow the instructions on the download site to get the updated Java. \n_IMS Enterprise Suite Connect API for Java V2.2_| _2.2.0.7_| _N/A_| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite>) Please follow the instructions on the download site to get the updated Java. \n_IMS Enterprise Suite Explorer for Development V3.1_| _3.1.1.4_| _N/A_| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite>) \n_IMS Enterprise Suite SOAP Gateway V3.1_| _3.1.0.3_| _N/A_| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite>) Please follow the instructions on the download site to get the updated Java. \n_IMS Enterprise Suite SOAP Gateway V2.2_| _2.2.0.5_| _N/A_| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite>) Please follow the instructions on the download site to get the updated Java. 
\n \n \n \n**Workarounds and Mitigations** \nNone known \n\n\n**Acknowledgement**\n\nCVE-2015-0138 was reported to IBM by Karthikeyan Bhargavan of the PROSECCO team at INRIA\n\n \n \n \n**Change History** \n_2 April 2015: Original_ \n \n**", "cvss3": {}, "published": "2022-09-25T21:21:12", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IMS\u2122 Enterprise Suite: Connect API for Java, SOAP Gateway, and Explorer for Development (CVE-2015-0138, CVE-2015-0410, CVE-2014-6593)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2022-09-25T21:21:12", "id": "EC972C692BE3023B72017E1A0E500647A4508BA18E2201793D3A30F3A4FFF8F1", "href": "https://www.ibm.com/support/pages/node/258963", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:40:54", "description": "## Summary\n\nMultiple security vulnerabilities exist in the IBM\u00ae Runtime Environments Java\u2122 Technology Edition, Versions 6 and 7 that are shipped in TPF Toolkit.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nTPF Toolkit 4.0.x and 4.2.x\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nTPF Toolkit| 4.2.x| JR52787| \n\n 1. Install the latest version of IBM Installation Manager.\n 2. Apply Interim Fix 4.2.3 by using IBM Installation Manager.\n 3. 
Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from [_http://www.ibm.com/developerworks/java/jdk/_](<http://www.ibm.com/developerworks/java/jdk/>) \nTPF Toolkit| 4.0.x| JR52788| \n\n 1. Install the latest version of IBM Installation Manager.\n 2. Apply Interim Fix 4.0.6 by using IBM Installation Manager.\n 3. Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from [_http://www.ibm.com/developerworks/java/jdk/_](<http://www.ibm.com/developerworks/java/jdk/>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM Runtime Environments Java Technology Edition, Versions 6 and 7 in TPF Toolkit (CVE-2014-6593, CVE-2015-0410, and CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2018-08-03T04:23:43", "id": "C1C602B37EDF70C48D650440743C29740F6A8F38FA9C0E6F1E9E01FCB3C6658C", "href": "https://www.ibm.com/support/pages/node/258541", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:48:59", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6.0.16.2 that is used by Rational License Key 
Server Administration and Reporting Tool. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)\n\n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n**CVEID:** [_CVE-2014-3566_](<https://vulners.com/cve/CVE-2014-3566>) \n \n**DESCRIPTION:** Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections. 
\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/97013>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n## Affected Products and Versions\n\nThese vulnerabilities affect the following RLKS components and their releases: \n\n * RLKS Administration and Reporting Tool version 8.1.4 \n * RLKS Administration and Reporting Tool version 8.1.4.2 \n * RLKS Administration and Reporting Tool version 8.1.4.3 \n * RLKS Administration and Reporting Tool version 8.1.4.4 \n * RLKS Administration and Reporting Tool version 8.1.4.5\n * RLKS Administration and Reporting Tool version 8.1.4.6\n * RLKS Administration and Reporting Tool version 8.1.4.7\n * RLKS Administration Agent version 8.1.4 \n * RLKS Administration Agent version 8.1.4.2 \n * RLKS Administration Agent version 8.1.4.3 \n * RLKS Administration Agent version 8.1.4.4 \n * RLKS Administration Agent version 8.1.4.5\n * RLKS Administration Agent version 8.1.4.6\n\n## Remediation/Fixes\n\nReplace the JRE used in IBM RLKS Administration and Reporting Tool and IBM RLKS Administration Agent. \n\n**_Steps to replace the JRE in IBM RLKS Administration and Reporting Tool (All Versions)_**\n\n1\\. Go to [_Fix Central_](<http://www.ibm.com/support/fixcentral>) \n \n2\\. On the **Find product** tab, enter _Rational Common Licensing_ in the **Product Selector** field and press Enter. \n \n3\\. Select the **Installed Version** and click the Continue button. 
\n \n4\\. Select the platform of the machine where RLKS Administration and Reporting Tool is installed and click the Continue button. \n \n5\\. On the **Identify fixes** page, select **Browse for fixes**, select **Show fixes that apply to this version**, and click the Continue button. \n \n6\\. Download the Java runtime iFix for RLKS Administration and Reporting Tool. \n \n**Note:** Although the name of the iFix is **RLKS_Administration_And_Reporting_Tool_8146_Admin_iFix_1_<Platform>_<Architecture>**, the same iFix is applicable to all previous RLKS Administration and Reporting Tool versions. \n \n7\\. Shut down RLKS Administration and Reporting Tool. \n \n8\\. Go to the installation location of RLKS Administration and Reporting Tool. \n \n9\\. Rename the <install location>/server/jre folder to **<install location>/server/jre_back**. \nThis step backs up the existing JRE. \n \n10\\. Extract the downloaded JRE into the <install location>/server/ folder. \n \nExample: <install location>/server/jre \n \n11\\. Start RLKS Administration and Reporting Tool. \n \n12\\. Log in to the tool as the rcladmin user and verify that you see the configured license servers under the 'Server' tab. 
\n\n**_How to fix this vulnerability in IBM RLKS Administration Agent (All Versions)?_**\n\nUpgrade to the IBM RLKS Administration Agent version 8.1.4.7.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2018-06-17T05:01:08", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational License Key Server Administration and Reporting Tool (CVE-2015-0138, CVE-2014-3566, CVE-2014-6593, )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6593", "CVE-2015-0138"], "modified": "2018-06-17T05:01:08", "id": "213AF3FD1E9EA001D7FD1F71FBA0E5A5E6FA9D1C1CACB638CC005673F5140EC1", "href": "https://www.ibm.com/support/pages/node/258733", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:20", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM DB2. The GSKit that is shipped with IBM DB2 contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. 
IBM DB2 has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. You are not affected if you do not use the DB2 LDAP security plugin with an SSL connection to the LDAP server. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0159_](<https://vulners.com/cve/CVE-2015-0159>) \n**DESCRIPTION:** An unspecified error in GSKit's usage of an OpenSSL crypto function, related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr), has an unknown attack vector and impact in some ECC operations. You are not affected if you do not use TLS 1.2.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-6221_](<https://vulners.com/cve/CVE-2014-6221>) \n**DESCRIPTION:** Random data generation using the GSKit MSCAPI/MSCNG interface code does not generate cryptographically random data. An attacker could use this weakness to gain a complete confidentiality and/or integrity compromise. 
You are affected by this vulnerability if you are on Windows systems and you use the keyword GSK_MS_CERTIFICATE_STORE for the keystore file name which configures GSKit to use the Microsoft Certificate Store as the keystore. \n\n \nCVSS Base Score: 8.8 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N)\n\n## Affected Products and Versions\n\nCustomers who have Secure Sockets Layer (SSL) support enabled in their DB2 database system are affected. SSL support is not enabled in DB2 by default. \n \nAll fix pack levels of IBM DB2 V9.5, V9.7, V10.1 and V10.5 editions listed below and running on AIX, Linux, HP, Solaris or Windows are affected. \n \nIBM\u00ae DB2\u00ae Express Edition \nIBM\u00ae DB2\u00ae Workgroup Server Edition \nIBM\u00ae DB2\u00ae Enterprise Server Edition \nIBM\u00ae DB2\u00ae Advanced Enterprise Server Edition \nIBM\u00ae DB2\u00ae Advanced Workgroup Server Edition \nIBM\u00ae DB2\u00ae Connect\u2122 Application Server Edition \nIBM\u00ae DB2\u00ae Connect\u2122 Enterprise Edition \nIBM\u00ae DB2\u00ae Connect\u2122 Unlimited Edition for System i\u00ae \nIBM\u00ae DB2\u00ae Connect\u2122 Unlimited Edition for System z\u00ae \n \nThe DB2 Connect products mentioned are affected only if a local database has been created. \n \nIBM\u00ae DB2\u00ae pureScale\u2122 Feature for Enterprise Server Edition, V9.8, running on AIX or Linux is affected. \n \nThe IBM data server client and driver types are as follows: \n \nIBM Data Server Driver Package \nIBM Data Server Driver for ODBC and CLI \nIBM Data Server Runtime Client \nIBM Data Server Client \n\n## Remediation/Fixes\n\nThe recommended solution is to apply the appropriate fix for this vulnerability. 
\n \n**FIX:** \n \nThe fix for DB2 and DB2 Connect V9.7 is in FP11, for V10.1 it is in V10.1 FP5, and for V10.5 it is in V10.5 FP6, available for download from Fix Central. \n \nCustomers running any vulnerable fix pack level of an affected program at V9.5 or V9.8 can contact support to obtain a special build containing an interim fix for this issue. These special builds are available based on the most recent fix pack level for each impacted release: DB2 V9.5 FP10 or DB2 V9.8 FP5. They can be applied to any affected fix pack level of the appropriate release to remediate this vulnerability. Additionally, fixes based on DB2 V9.5 FP9, DB2 V9.7 FP10, DB2 V10.1 FP4 or V10.5 FP5 will be made available on request. \n \nRefer to the following chart to determine how to obtain a needed fix pack or special build. \n\n**Release**| **Fixed in fix pack**| **APAR**| **Download URL** \n---|---|---|--- \nV9.5| TBD| [IT07649](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT07649>)| Please contact technical support. \nV9.7 | FP11| [IT07648](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT07648>)| <http://www-01.ibm.com/support/docview.wss?uid=swg24040935> \nV9.8| TBD| [IT07647](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT07647>)| Please contact technical support. \nV10.1| FP5| [IT07646](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT07646>)| <http://www-01.ibm.com/support/docview.wss?uid=swg24040170> \nV10.5 | FP6| [IT07635](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT07635>)| <http://www-01.ibm.com/support/docview.wss?uid=swg24040522> \n \n_For customers running IBM data server client and driver types_ \n \nA GSKit upgrade is required only if you are using the LDAP security plugin with an SSL connection to the LDAP server; otherwise you may ignore this section. 
\n \nUpgrading GSKit is required if either of the following applies to you: \n\n * You are using IBM data server client and driver types at V9.5, V9.7, V9.8, V10.1 or any V10.5 level before fix pack 5.\n * You are using IBM data server client and driver types V10.5 fix pack 5 and have additionally installed GSKit.\n * Where to obtain GSKit depends on the DB2 release and platform: \n * IBM data server client and driver types V10.5 fix pack 5 on Inspur or Linux 64-bit POWER\u2122 little endian on Power System: please contact customer support to obtain the \"IBM DB2 Support Files for SSL Functionality\".\n * IBM data server client and driver types V9.5, V9.7, V9.8, V10.1 and any V10.5 level before fix pack 5: \n * _Client and server are on the same physical computer_: For the Windows platform, you do not need to upgrade GSKit, as GSKit is automatically installed with the DB2 server image. For all other platforms, you will need to download \"IBM DB2 Support Files for SSL Functionality\" from IBM Passport Advantage\u00ae.\n * _Client and server are on different computers_: For all platforms, download \"IBM DB2 Support Files for SSL Functionality\" from IBM Passport Advantage\u00ae and perform the GSKit upgrade.\n * Refer to the chart below for the proper GSKit version. \n\n**Release**| **GSKit Version** \n---|--- \nV9.5| V7.0.5.5 \nV9.7 | V8.0.50.41 \nV9.8| V8.0.50.41 \nV10.1| V8.0.50.41 \nV10.5 | V8.0.50.41 \n \nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [_contacts for other countries_](<http://www.ibm.com/planetwide/>) outside of the United States. \nElectronically [_open a Service Request_](<http://www.ibm.com/software/data/db2/support/db2_9/probsub.html>) with DB2 Technical Support. \n\n**_Note:_**_ IBM\u2019s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM\u2019s sole discretion. 
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T13:10:15", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM\u00ae DB2\u00ae (CVE-2015-0138, CVE-2015-0159 and CVE-2014-6221)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 9.4, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6221", "CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-16T13:10:15", "id": "0456C9C7612612A7E5DC4B2140FBBB8D910E4628352202CD358F518AF374FE51", "href": "https://www.ibm.com/support/pages/node/258161", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2023-02-21T01:52:51", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects IBM Cognos Command Center.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain 
sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Cognos Command Center 10.1 All Editions \n\nIBM Cognos Command Center 10.2 All Editions\n\nIBM Cognos Command Center 10.2.1 All Editions\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the IBM JRE 6.0 SR16FP3 to the following versions of \nIBM Cognos Command Center: \n\n\n * IBM Cognos Command Center 10.1\n * IBM Cognos Command Center 10.2\n * IBM Cognos Command Center 10.2.1\n \nThe fix for all affected versions is found here: [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FCognos+Command+Center&fixids=10.2.1-BA-CCC-Win32-JRE-60SR16FP3](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FCognos+Command+Center&fixids=10.2.1-BA-CCC-Win32-JRE-60SR16FP3>) \n \n \n**Installation instructions for applying this fix**. \n \nFor Microsoft Windows servers where the Agent or Server component is installed. \n\n 1. Download the 32 bit IBM Java JRE (file name: ibm-java-jre-60-win-i386.zip, Size: 75 MB).\n 2. Stop the CccServer, CccQueue and CccAgent Microsoft Windows services.\n 3. For IBM Cognos Command Center 10.1 and 10.2: Rename the <INSTALLDIR>\\Common\\java directory to <INSTALLDIR>\\Common\\java.orig\n 4. 
For IBM Cognos Command Center 10.2.1: Rename the <INSTALLDIR>\\Common\\java.6.0.16.0 directory to <INSTALLDIR>\\Common\\java.6.0.16.0.orig\n 5. For IBM Cognos Command Center 10.1 and 10.2: Unpack the content of the ibm-java-jre-60-win-i386.zip file to <INSTALLDIR>\\Common\\java\n 6. For IBM Cognos Command Center 10.2.1: Unpack the content of the ibm-java-jre-60-win-i386.zip file to <INSTALLDIR>\\Common\\java.6.0.16.0\n 7. Start the CccAgent, CccQueue and CccServer Microsoft Windows services.\n 8. Validate the installation by testing the connectivity to the agent using the CCC Client.\n \n \nFor Microsoft Windows servers where the Server or Web Client component is installed, apply these additional steps. \n\n 1. Apply Microsoft Security Advisory 2960358, titled \"Update for Disabling RC4 in .NET TLS\" (<https://technet.microsoft.com/en-us/library/security/2960358.aspx>).\n 2. Ensure that Microsoft Security Advisory 2868725 has been applied to the server (<https://technet.microsoft.com/en-us/library/security/2868725.aspx>).\n 3. Follow the instructions in the Microsoft Security Research and Defense blog entry accompanying security advisory 2868725 to disable RC4 support on the server by changing registry settings ([http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx](<http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx>), section \"How to Completely Disable RC4\").\n \n \nFor IBM Cognos Command Center 10.1 and 10.2 with the above fix applied: Before upgrading your installation from 10.1 to 10.2, or from 10.2 to 10.2.1, revert to the original \\java\\ directory: \n\n 1. Stop the CccServer, CccQueue and CccAgent Windows services.\n 2. Rename the <INSTALLDIR>\\Common\\java directory to <INSTALLDIR>\\Common\\java.cve\n 3. Rename the <INSTALLDIR>\\Common\\java.orig directory to <INSTALLDIR>\\Common\\java\n 4. 
Proceed to upgrade your Cognos Command Center installation to the newer version.\n 5. After the upgrade to the newer version is done, reapply the \"Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2014-6593, CVE-2015-0138)\" fix, starting from Step 1.\n\nYou should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change this setting, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nYou should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {}, "published": "2018-06-15T22:36:19", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Cognos Command Center (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-2808"], "modified": "2018-06-15T22:36:19", "id": "ABC98047893C64437B4D319A76B42B91E4EACA64C57D45187916AD3A179D264F", "href": "https://www.ibm.com/support/pages/node/261141", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:55:05", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 1.6 and 1.7 that is used by IBM Integration Designer (IID) and WebSphere Integration Developer (WID). These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [CVE-2014-6593](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [CVE-2015-0410](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect IBM Integration Designer and WebSphere Integration Developer.\n\n## Remediation/Fixes\n\nTo fully mitigate these vulnerabilities, an additional fix for IBM Integration Designer and WebSphere Integration Developer is required (JR52950): \n\n\n * [_WebSphere Integration Developer V7.0.0.x_](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FWebSphere+Integration+Developer&fixids=7.0.0.5-WS-IID-IFJR52950&source=SAR>)\n * [_IBM Integration Designer V7.5.x_](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=7.5.1.2-WS-IID-IFJR52950&source=SAR>)\n * [_IBM Integration Designer V8.0.1.x_](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.0.1.3-WS-IID-IFJR52950&source=SAR>)\n * [_IBM Integration Designer V8.5.0.x_](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.0.1-WS-IID-IFJR52950&source=SAR>)\n * [_IBM Integration Designer V8.5.5_](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.5.0-WS-IID-IFJR52950&source=SAR>)\n * [_IBM Integration Designer V8.5.6_](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.6.0-WS-IID-IFJR52950&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:47", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer (IID) and WebSphere Integration Developer (WID)(CVE-2015-0138, CVE-2015-0410, CVE-2014-6593)", "bulletinFamily": 
"software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2018-06-15T07:02:47", "id": "FDB57FF6EA60D91604B03B14B5C488515270CCC82B932E16CB8CF68BB9DEC1A9", "href": "https://www.ibm.com/support/pages/node/259779", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:55:13", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM WebSphere MQ. The GSKit that is shipped with IBM WebSphere MQ contains multiple security vulnerabilities including the \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-6221_](<https://vulners.com/cve/CVE-2014-6221>)** \nDESCRIPTION:** Random Data Generation using GSKit MSCAPI/MSCNG Interface Code does not generate cryptographically random data. An attacker could use this weakness to gain complete confidentially and/or integrity compromise. \nCVSS Base Score: 8.8 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N) \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n\n\n**CVEID:** [_CVE-2015-0159_](<https://vulners.com/cve/CVE-2015-0159>) \n**DESCRIPTION:** An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM WebSphere MQ V7.0.1 \n\n * AIX, HP-UX, Linux, Solaris & Windows\n \nIBM WebSphere MQ 7.1 \n\n * AIX, HP-UX, Linux, Solaris & Windows\n \nIBM WebSphere MQ 7.5 \n\n * AIX, HP-UX, Linux, Solaris & Windows\n \nIBM WebSphere MQ 8.0 \n\n * AIX, HP-UX, Linux, Solaris & Windows\n \nIBM MQ Appliance M2000 \n\n## Remediation/Fixes\n\nIBM strongly recommends immediately changing any channel definitions that use any of the following MQ CipherSpecs to use a stronger encryption algorithm; \n\n * RC4_MD5_EXPORT\n * TLS_RSA_EXPORT_WITH_RC4_40_MD5\n * RC2_MD5_EXPORT\n * TLS_RSA_EXPORT_WITH_RC2_40_MD5\n \nNote that IBM may need to deprecate the use of weaker algorithms in response to a security vulnerability, for example MQ 
CipherSpecs which are not certified as FIPS 140-2 compliant via future product maintenance. Further details on the MQ CipherSpecs that are currently available can be found [here](<http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_.htm>). \n\n**_IBM WebSphere MQ_**\n\nDownload and install the ifix for [APAR IV70568](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=All&platform=All&function=aparId&apars=IV70568&source=fc>) from Fix Central\n\n**_IBM MQ Appliance M2000_**\n\nA firmware update containing this fix is available, please contact your IBM Support Representative for further details.\n\n## Workarounds and Mitigations\n\nNote that IBM WebSphere MQ for IBM i (all releases) is not affected by any of these vulnerabilities, however IBM recommends that customers review [system value QSSLCSL](<http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzakz/rzakzqsslcsl.htm>) to limit the use of export strength cipher specifications. \n\nOn other distributed platforms, enabling [FIPS mode](<http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q010140_.htm>) on a queue manager prevents export strength ciphers from being accepted by inbound connections and also from being used by outbound connections.\n\nThe MQ channel protocol protects against a man-in-the-middle downgrade of secure socket protocol and/or ciphersuites through channel SSLCIPH validation. After a successful handshake, the MQ protocol exchanges communications flows to negotiate channel startup, this processing detects an export ciphersuite being used where a stronger level of ciphersuite is required. 
In this scenario, the channel does not exchange any messages and logs an AMQ9631 error in the queue manager error logs before ending the connection.\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:39", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM WebSphere MQ (CVE-2015-0159, CVE-2015-0138 and CVE-2014-6221)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 9.4, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6221", "CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-15T07:02:39", "id": "2483CE3BC4388BF3ED4BF4034FC203E9E2D49840844093C2C8B0B7A4F178DD96", "href": "https://www.ibm.com/support/pages/node/257609", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2023-02-21T01:46:37", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM\u00ae Runtime Environment Java\u2122 Technology Edition that is used by IBM Tivoli Monitoring (ITM). \n \nGSKit is an IBM component that is used by IBM Tivoli Monitoring. The GSKit that is shipped with IBM Tivoli Monitoring contains a security vulnerability for the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. ITM has addressed the CVE.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**\n\n### \n\n** \nThe Java remediation below also includes fixes for the following CVEs: \n \nCVEID: [CVE-2014-6593 ](<https://vulners.com/cve/CVE-2014-6593>) \nDESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the \ncurrent score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \nCVEID: [CVE-2015-0410](<https://vulners.com/cve/CVE-2015-0410>) \nDESCRIPTION: An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the \ncurrent score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\nThe following components of IBM Tivoli Monitoring (ITM) are affected by this vulnerability \n\n * Portal server when configured to use SSL over IIOP - ITM versions 6.2.0 through 6.3.0 FP4\n * Java (CANDLEHOME) - ITM Java-based agents using JSSE. 
- ITM versions 6.2.2 through 6.3.0 FP4\n * GSKit - portal server, monitoring servers, and agents - ITM versions 6.2.0 through 6.2.1 FP4\n\n## Remediation/Fixes\n\n### _Java (CANDLEHOME) Remediation:_\n\nThe IBM Tivoli Monitoring servers and base agents (those shipped as part of IBM Tivoli Monitoring Fix Packs) are not affected by this vulnerability. Only Java-based agents that use the Java Secure Socket Extension (JSSE) and rely on the JRE in the IBM Tivoli Monitoring installation directory (for example, CANDLEHOME) can be affected. Affected agents will publish separate security bulletins that reference this bulletin for the remediation. \n \nFor systems where the affected agents are installed, the patch below (or a later patch) should be installed; it updates the shared Tivoli Enterprise-supplied JRE (jr component on UNIX/Linux) or Embedded JVM (JVM component on Windows). \n \nYou should verify that applying this fix does not cause any compatibility issues. \n\n**_Fix_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \n6.X.X-TIV-ITM_JRE_CANDLEHOME-20150409| 6.2.2 through 6.3.0 FP4| None.| [**__http://www.ibm.com/support/docview.wss?uid=swg24039756__**](<http://www.ibm.com/support/docview.wss?uid=swg24039756>) \n6.3.0-TIV-ITM-FP0005| 6.3.0.x| None.| [**__http://www.ibm.com/support/docview.wss?uid=swg24039236__**](<http://www.ibm.com/support/docview.wss?uid=swg24039236>) \n \nThe technote [Upgrading Shared Components for IBM Tivoli Monitoring Agents](<http://www.ibm.com/support/docview.wss?uid=swg21673490>) provides information on how shared libraries are used. \n \n### _Portal Server:_\n\n**Portal Server Communication with Portal Clients:** \nPortal server communication with portal clients is affected when configured to use the SSL over IIOP protocol. 
SSL over IIOP is being used if all of the conditions below are true: \n\n * HTTPS is not being used \n * the applet.html file does not have tep.connection.protocol=http or https, AND \n * the tep.jnlp file does not have tep.connection.protocol=https \n * KFW_INTERFACE_cnps_SSL is set to \"Y\" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config) \n \n**_Fix_**| **_VRMF_**| **_Remediation/First Fix_** \n---|---|--- \n6.3.0-TIV-ITM-FP0005-IV74486| 6.3.0| [**__http://www.ibm.com/support/docview.wss?uid=swg24040448__**](<http://www.ibm.com/support/docview.wss?uid=swg24040448>) \n6.2.3-TIV-ITM-FP0005-IV74486| 6.2.3| [**__http://www.ibm.com/support/docview.wss?uid=swg24040448__**](<http://www.ibm.com/support/docview.wss?uid=swg24040448>) \n6.2.2-TIV-ITM-FP0009-IV74486| 6.2.2| [**__http://www.ibm.com/support/docview.wss?uid=swg24040448__**](<http://www.ibm.com/support/docview.wss?uid=swg24040448>) \n6.3.0-TIV-ITM-FP0006| 6.3.0.x| <http://www.ibm.com/support/docview.wss?uid=swg24040390> \nCheck the link for status on availability. \n \nFor IBM Tivoli Monitoring 6.2.0 and 6.2.1, IBM recommends upgrading to a fixed, supported version/release of the product as listed above. \n \nYou should verify that applying this fix does not cause any compatibility issues. \n \n### _GSKit Remediation:_\n\nThe GSKit shipped with IBM Tivoli Monitoring 6.2.0 through 6.2.1 FP4 is affected. Customers running IBM Tivoli Monitoring version 6.2.0 through 6.2.1 FP4 should upgrade the IBM Tivoli Monitoring infrastructure (e.g. portal server, monitoring servers) to 6.2.2 or higher. Call support if unable to upgrade. IBM recommends upgrading to 6.2.2 FP9, 6.2.3 FP5, or 6.3.0 FP4 (or higher). \n \nFor IBM Tivoli Monitoring 6.2.0 and 6.2.1 agents, once the infrastructure is at 6.2.2 (or higher), the shared components of the agents need to be upgraded to the same level. 
The technote [Upgrading Shared Components for IBM Tivoli Monitoring Agents](<http://www.ibm.com/support/docview.wss?uid=swg21673490>) contains the commands that can be used to upgrade the shared components (e.g. GSKit). \n\n## Workarounds and Mitigations\n\n**Portal Server Communication with Portal Clients Workaround:** \nA configuration change is required when the portal server is configured to use the SSL over IIOP protocol and the patch above is not installed. SSL over IIOP is being used if all of the conditions below are true: \n\n * HTTPS is not being used \n * the applet.html file does not have tep.connection.protocol=http or https, AND \n * the tep.jnlp file does not have tep.connection.protocol=https\n * KFW_INTERFACE_cnps_SSL is set to \"Y\" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config) \n \nEdit the portal server configuration file: \nWindows: <install_dir>/CNPS/KFWENV \nLinux/AIX: <install_dir>/config/cq.ini \nAdd or modify the following variable (the value must be on a single line): \nITM version 6.3.0 through 6.3.0 FP4: \nKFW_ORBPARM=-Dvbroker.security.server.socket.enabledProtocols=TLS_Version_1_0_Only -Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA \n \nITM version 6.2.0 through 6.2.3 FP5: \nKFW_ORBPARM=-Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA \nStop and restart the portal server for the changes to take effect. \n\n * You should verify that applying this configuration change does not cause any compatibility issues. 
\n\n## ", "cvss3": {}, "published": "2018-06-17T15:23:40", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Tivoli Monitoring (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2018-06-17T15:23:40", "id": "FDF9FD00EFCC980759F170CDD7E7B4194C96047EAB6D513B03471DE0D5A423DC", "href": "https://www.ibm.com/support/pages/node/260569", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:47:20", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Tivoli Network Manager IP Edition. The GSKit that is shipped with IBM Tivoli Network Manager IP Edition contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys \" TLS/SSL client and server vulnerability. IBM Tivoli Network Manager IP Edition and WebSphere Application Server shipped with IBM Tivoli Network Manager have addressed the applicable CVEs. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-6221_](<https://vulners.com/cve/CVE-2014-6221>)** \nDESCRIPTION:** Random Data Generation using GSKit MSCAPI/MSCNG Interface Code does not generate cryptographically random data. An attacker could use this weakness to gain complete confidentially and/or integrity compromise. 
\nCVSS Base Score: 8.8 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N) \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0159_](<https://vulners.com/cve/CVE-2015-0159>) \n**DESCRIPTION:** An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. 
\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n \nPlease consult the security bulletin [**Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) for vulnerability details and information about IBM WebSphere Application Server fixes. \n\n## Affected Products and Versions\n\n \n**_Tivoli Network Manager IP Edition Interim Fixes for GSKit:_** \n**Note:** The SSL connection between Tivoli Network Manager IP Edition and Tivoli Netcool/OMNIbus is affected. \nSingle-server SSL users should upgrade to an appropriate OMNIbus fix pack to obtain the GSKit fix. \nRemote OMNIbus SSL connection users should install the Interim Fix below on Tivoli Network Manager IP Edition. 
\n \n**_Download the IV71123 / IV76121 GSKit Interim Fix, or a higher level of fix pack, from Fix Central_** \n \n\n\n**_Affected Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nTivoli Network Manager IP Edition| 3.8.0.7| IV71123| <http://www-01.ibm.com/support/docview.wss?uid=swg24039199> / [_https://www.ibm.com/support/entry/myportal/product/tivoli/tivoli_network_manager_ip_edition?productContext=1740397766_](<https://www.ibm.com/support/entry/myportal/product/tivoli/tivoli_network_manager_ip_edition?productContext=1740397766>) \nTivoli Network Manager IP Edition| 3.9.0.4| IV71123| <http://www-01.ibm.com/support/docview.wss?uid=swg24036687> / <http://www-01.ibm.com/support/docview.wss?uid=swg24039199> / [_https://www.ibm.com/support/entry/myportal/product/tivoli/tivoli_network_manager_ip_edition?productContext=1740397766_](<https://www.ibm.com/support/entry/myportal/product/tivoli/tivoli_network_manager_ip_edition?productContext=1740397766>) \nTivoli Network Manager IP Edition| 4.1.1.1| IV71123| <http://www-01.ibm.com/support/docview.wss?uid=swg24039346> / <http://www-01.ibm.com/support/docview.wss?uid=swg24039199> / [_https://www.ibm.com/support/entry/myportal/product/tivoli/tivoli_network_manager_ip_edition?productContext=1740397766_](<https://www.ibm.com/support/entry/myportal/product/tivoli/tivoli_network_manager_ip_edition?productContext=1740397766>) \nTivoli Network Manager IP Edition| 4.1| IV71123| <http://www-01.ibm.com/support/docview.wss?uid=swg24036690> / <http://www-01.ibm.com/support/docview.wss?uid=swg24039199> / [_https://www.ibm.com/support/entry/myportal/product/tivoli/tivoli_network_manager_ip_edition?productContext=1740397766_](<https://www.ibm.com/support/entry/myportal/product/tivoli/tivoli_network_manager_ip_edition?productContext=1740397766>) \n \n**_IBM WebSphere Application Server fixes:_** \n \n[**Vulnerability with RSA Export Keys may affect IBM WebSphere 
Application Server (CVE-2015-0138)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) **_Affected Product and Version(s)_**| **_Product and Version shipped as a component_** \n---|--- \nTivoli Network Manager IP Edition 3.8| Bundled the TIP version 1.1.1.x, IBM WebSphere version 6.1.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 5. \nTivoli Network Manager IP Edition 3.9| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nTivoli Network Manager IP Edition 4.1| Bundled the TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nTivoli Network Manager IP Edition 4.1.1| Bundled the TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \n \nNote: If TIP has been upgraded, please follow the TIP security bulletin to upgrade the appropriate IBM WebSphere version. \n\n## ", "cvss3": {}, "published": "2018-06-17T14:58:18", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM Tivoli Network Manager IP Edition and may affect WebSphere Application Server shipped with IBM Tivoli Network Manager IP Edition (CVE-2015-0159, CVE-2015-0138, CVE-2014-6221).", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 9.4, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6221", "CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-17T14:58:18", "id": 
"99E31E099E724B85CF1AECBF87479CA0CFED830918634216EB01E833E526C4C8", "href": "https://www.ibm.com/support/pages/node/258367", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2023-02-21T01:51:16", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Security Access Manager for Web. The GSKit that is shipped with IBM Security Access Manager for Web contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. IBM Security Access Manager for Web has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2014-6221_](<https://vulners.com/cve/CVE-2014-6221>) \n**DESCRIPTION:** Random Data Generation using GSKit MSCAPI/MSCNG Interface Code does not generate cryptographically random data. An attacker could use this weakness to gain complete confidentiality and/or integrity compromise. \n \nCVSS Base Score: 8.8 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N) \n \n \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. 
\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n \n \n**CVEID:** [_CVE-2015-0159_](<https://vulners.com/cve/CVE-2015-0159>) \n \n**DESCRIPTION:** An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. \n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n * IBM Tivoli Access Manager for e-business 6.0, 6.1 and 6.1.1.\n * IBM Security Access Manager for Web 7.0.\n * IBM Security Access Manager for Web 8.0, firmware versions 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, and 8.0.1.0.\n\n## Remediation/Fixes\n\nThe table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch. \n \nYou should verify applying this fix does not cause any compatibility issues. \n\n**Product**| **VRMF**| **APAR**| **Remediation** \n---|---|---|--- \n_IBM Tivoli Access Manager for e-business_| _6.0_| IV70928| Apply the 6.0.0.37 fixpack. The README instructions will direct you to update GSKit in your environment: \n[6.0.0-ISS-TAM-IF0037](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.0.0&platform=All&function=all>) \n_IBM Tivoli Access Manager for e-business_| _6.1_| IV70928| Apply the 6.1.0.18 fixpack. 
The README instructions will direct you to update GSKit in your environment: \n[6.1.0-ISS-TAM-IF0018](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.1.0&platform=All&function=all>) \n_IBM Tivoli Access Manager for e-business_| _6.1.1_| IV70926| Apply the 6.1.1.15 fixpack. The README instructions will direct you to update GSKit in your environment: \n[6.1.1-ISS-TAM-IF0015](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.1.1&platform=All&function=all>) \n_IBM Security Access Manager for Web (Software-installations)_| _7.0.0.0 -_ \n_7.0.0.11_| IV70922| Apply the 7.0.0.12 fixpack. The README instructions will direct you to update GSKit in your environment: \n[7.0.0-ISS-SAM-FP0012](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=All&function=all>) \n_IBM Security Access Manager for Web (Appliance-based) _| _7.0.0.0 - \n7.0.0.11_| IV70922 | Apply the 7.0.0.12 fixpack: \n[7.0.0-ISS-WGA-FP0012](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=Linux&function=all>) \n_IBM Security Access Manager for Web_| _8.0.0.0 -_ \n_8.0.1.0_| IV70920| Upgrade to the 8.0.1.2 package: \n[8.0.1-ISS-WGA-FP0002](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0&platform=Linux&function=all>) \n \nFor Tivoli Access Manager for e-business 5.1, IBM recommends upgrading to a fixed, supported release of the product.\n\n## Workarounds and Mitigations\n\nFor workaround and mitigation steps, see security bulletin: \n \n[Security Bulletin: Vulnerability in GSKit affects 
Tivoli Access Manager for e-business and Security Access Manager for Web (CVE-2015-0138)](<http://www-01.ibm.com/support/docview.wss?uid=swg21698891>)\n\n## ", "cvss3": {}, "published": "2018-06-16T21:23:22", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM Security Access Manager for Web (CVE-2015-0159, CVE-2015-0138, CVE-2014-6221)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 9.4, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6221", "CVE-2015-0138", "CVE-2015-0159"], "modified": "2018-06-16T21:23:22", "id": "7E9F876A2794D8A1968D52FB411FEB6A68DC80CC8BC69B1ABA1C5493ECA0E485", "href": "https://www.ibm.com/support/pages/node/258969", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2023-02-21T01:52:09", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Versions 1.5, 1.6 and 1.7 that are used by IBM SPSS Collaboration and Deployment Services. These issues were disclosed as part of the IBM Java SDK updates in January 2015 and the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability disclosure.\n\n## Vulnerability Details\n\n \n**CVEID:** [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n \n \n**CVEID:** [CVE-2015-0410](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score. \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n \n**CVEID:** [CVE-2014-6593](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score. \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n \n\n\n## Affected Products and Versions\n\nIBM SPSS Collaboration and Deployment Services: 4.2.1, 5.0, 6.0, 7.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for versions listed as soon as practical. 
\n \n[**SPSS Collaboration and Deployment Services 4.2.1 Interim Fix installs JRE 6.0.16.3 Update to address security vulnerabilities**](<http://www-01.ibm.com/support/docview.wss?uid=swg24039657>) \n \n \n[**SPSS Collaboration and Deployment Services 5.0 Interim Fix installs JRE 6.0.16.3 Update to address security vulnerabilities**](<http://www-01.ibm.com/support/docview.wss?uid=swg24039676>) \n \n \n[**SPSS Collaboration and Deployment Services 6.0 Interim Fix installs JRE 6.0.16.3 Update to address security vulnerabilities**](<http://www-01.ibm.com/support/docview.wss?uid=swg24039677>) \n \n \n[**SPSS Collaboration and Deployment Services 7.0 Interim Fix installs JRE 7.0.8.10 Update to address security vulnerabilities**](<http://www-01.ibm.com/support/docview.wss?uid=swg24039660>) \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T13:14:44", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition, Versions 1.5, 1.6 and 1.7 affect IBM SPSS Collaboration and Deployment Services: (CVE-2015-0138, CVE-2014-6593, CVE-2015-0410)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2018-06-16T13:14:44", "id": "B54B951BA69A45A42C22316F65849B1B272FBE0A1CC0C81E82AED4F7B134F2FE", "href": "https://www.ibm.com/support/pages/node/258207", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:40:05", "description": "## 
Summary\n\nThe IBM PureData System for Operational Analytics V1.0 (A1791) ships with IBM DB2 10.1. GSKit is an IBM component that is used by IBM DB2. The GSKit that is shipped with IBM DB2 contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. IBM DB2 has addressed the applicable CVEs. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \n** \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. You are not affected if you do not use the DB2 LDAP security plugin with SSL connection to LDAP server. \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0159_](<https://vulners.com/cve/CVE-2015-0159>)** \n** \n**DESCRIPTION:** An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. You are not affected if you do not use TLS 1.2. 
\n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2014-6221_](<https://vulners.com/cve/CVE-2014-6221>) \n**DESCRIPTION:** Random Data Generation using GSKit MSCAPI/MSCNG Interface Code does not generate cryptographically random data. An attacker could use this weakness to gain complete confidentiality and/or integrity compromise. You are affected by this vulnerability if you are on Windows systems. \n \nCVSS Base Score: 8.8 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N)\n\n## Affected Products and Versions\n\nIBM PureData System for Operational Analytics V1.0 (A1791)\n\n## Remediation/Fixes\n\nFind your IBM PureData System for Operational Analytics product in the table below, download the recommended fix, and install using the link in the **Installation Instructions** column. \n \nFor more information about IBM IDs, see the [Help and FAQ](<https://www.ibm.com/account/profile/us?page=faqhelp>). 
\n \n\n\n**Product**| **Affected Component**| **APAR**| **Download Link**| **Installation Instructions** \n---|---|---|---|--- \nIBM PureData System for Operational Analytics V1.0 (A1791)| DB2 V10.1| [_IT07646_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT07646>) | [IBM Fix Central: IBM PureData System for Operational Analytics Fix Pack V1.0.0.4](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=PureData%2BSystems&product=ibm/Information+Management/PureData+System+for+Operational+Analytics&release=1.0.*&platform=All&function=all>)| [PureData System for Operational Analytics Fix Pack V1.0.0.4 readme document](<http://www-01.ibm.com/support/docview.wss?uid=swg21695949>) \n \n \n**For assistance, contact IBM Support:**\n\n * In the United States and Canada dial **1-800-IBM-SERV**\n * View the support [_contacts for other countries_](<http://www.ibm.com/planetwide/>) outside of the United States. \n * Electronically [_open a Service Request_](<http://www.ibm.com/software/data/db2/support/db2_9/probsub.html>) with IBM Support.\n\n## ", "cvss3": {}, "published": "2019-10-18T03:50:04", "type": "ibm", "title": "Security Bulletin: IBM PureData System for Operational Analytics V1.0 (A1791) is affected by vulnerabilities in GSKit (CVE-2015-0138, CVE-2015-0159 and CVE-2014-6221)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 9.4, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6221", "CVE-2015-0138", "CVE-2015-0159"], "modified": "2019-10-18T03:50:04", "id": 
"D102E2140E7D53EA80968441FDE4E303EE1D9452F71494DC9DA3CBC50DC3D323", "href": "https://www.ibm.com/support/pages/node/531679", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2023-02-21T01:40:44", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 SR7 FP1 and Version 6 SR16 FP1 that is used by Rational Business Developer. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-0400_](<https://vulners.com/cve/CVE-2015-0400>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100149> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nRBD version 9.1.1 and earlier.\n\n## Remediation/Fixes\n\nPlease upgrade your SDK to the following interim fix level below: \n \n\n\n**Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nRational Business Developer| v7.5.1.x \nv8.0.1.x| [IBM Java Platform Standard Edition Version 6 SR16 FP3 iFix (IV70681) ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=8.0.1&platform=All&function=fixId&fixids=Rational-RBD-Java6SR16FP3a-ifix&includeSupersedes=0>) \nRational Business Developer| v8.5.0 \nv8.5.1.x \nv9.0 \nv9.0.1.x \nv9.1.1| [IBM Java Platform Standard Edition Version 7 SR8 FP10 iFix (IV70681) 
](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=8.5.0&platform=All&function=fixId&fixids=Rational-RBD-Java7SR8FP10a-ifix&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Business Developer (CVE-2015-0410, CVE-2015-0400, CVE-2014-6593 and CVE-2015-0138 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0400", "CVE-2015-0410"], "modified": "2018-08-03T04:23:43", "id": "9FD0A2153D7653CA93FDABF4A80D4F63FFD425F2201F266B744D51C1F6F9AB82", "href": "https://www.ibm.com/support/pages/node/260805", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:16", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 6.0.15, 7.1.2, 7.0.8 that is used by IBM SPSS Modeler. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. 
\n\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n \n**CVEID:** [CVE-2015-0410](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n**CVEID:** [CVE-2014-6593](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n \n**CVEID:** [CVE-2015-0383](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100148> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C) \n \n\n\n## Affected Products and Versions\n\nIBM SPSS Modeler 17 and earlier\n\n## Remediation/Fixes\n\nProduct| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nIBM SPSS Modeler| 14.2| PI37334| [__IBM SPSS Modeler 14.2 FP3 IF022__](<http://www.ibm.com/support/docview.wss?uid=swg24039672>)_ _ \nIBM SPSS Modeler| 15.0| PI37334| [__IBM SPSS Modeler 15.0 FP3 IF010__](<http://www.ibm.com/support/docview.wss?uid=swg24039673>)_ _ \nIBM SPSS Modeler| 16.0| PI37334| [__IBM SPSS Modeler 16.0 FP2__](<http://www.ibm.com/support/docview.wss?uid=swg24039510>) \nIBM SPSS Modeler| 17.0| PI37334| [__IBM SPSS Modeler 17.0 IF 004__](<http://www.ibm.com/support/docview.wss?uid=swg24039675>)_ _ \n \n## ", "cvss3": {}, "published": "2018-06-16T13:18:27", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM SPSS Modeler (CVE-2015-0138, CVE-2015-0383, CVE-2015-0410, CVE-2014-6593)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": 
"AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2018-06-16T13:18:27", "id": "D23B506F373F085D0D95234FF39AA0BCD38839F8B4D1BDF9584496C6B93F1F28", "href": "https://www.ibm.com/support/pages/node/258811", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-21T05:57:33", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition Version 6 that is used by IBM Workload Deployer. These issues were disclosed as part of the IBM Java SDK updates in April 2015. This bulletin also addresses FREAK: \u201cFactoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)_ \n_DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>)_ _for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Workload Deployer version 3.1 and later\n\n## Remediation/Fixes\n\nThe solution is to apply the following IBM Workload Deployer fix: \n \nUpgrade the IBM Workload Deployer to the following fix level: \n \n\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|--- \nIBM Workload Deployer System| Release V3.1.0.7| V3.1.0.7 Interim fix8, \n \n[_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Workload+Deployer&release=3.1.0.7&platform=All&function=fixId&fixids=3.1.0.7-ifix8-IBM_Workload_Deployer&includeSupersedes=0_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Workload+Deployer&release=3.1.0.7&platform=All&function=fixId&fixids=3.1.0.7-ifix8-IBM_Workload_Deployer&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:26", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM Workload Deployer. 
(CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, and CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-15T07:03:26", "id": "1A46129AC809B41F500970B41C9B22522A13E7E9D6A44839DC2EC0A7BF599993", "href": "https://www.ibm.com/support/pages/node/533135", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-09-26T13:51:16", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 6 and 7 that are used by Rational Application Developer. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n \n**CVEID:** [_CVE-2014-6593_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0410_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-0400_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0400>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100149> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Application Developer 9.1.1 and earlier.\n\n## Remediation/Fixes\n\nUpdate the Java Development Kit of the product to address this vulnerability: \n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nRational Application Developer| 7.5 through 9.1.1| PI37421 \nPI33290| \n\n * For all versions, except version 8.5.5.2, apply [IBM SDK Java Technology Edition Critical Patch Update - January 2015 and \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" vulnerability](<http://www.ibm.com/support/docview.wss?uid=swg24039778>). Version 8.5.5.2 includes the updated IBM JDK update.\n * For the WebSphere Application Server 7.0 Test Environment, apply [WebSphere Application Server 7.0 Test Environment Extension Fix Pack 37 (7.0.0.37)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039444>)\n * For WebSphere Application Server version 8.0 and 8.5 used by the product, see [Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698613>) \nRational Agent Controller| 7.0 through to 9.1.1| PI37421 \nPI33290| \n\n * Apply [Rational Agent Controller FixPack 1 Interim Fix 1 (9.1.1.1 iFix1) for 9.1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg24039779>) \nRational Build Utility| 7.5 through to 9.1.1| PI37421 \nPI33290| \n\n * For use on Windows or Linux: apply [IBM SDK Java Technology Edition Critical Patch Update - January 2015 and \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" vulnerability](<http://www.ibm.com/support/docview.wss?uid=swg24039778>)\n * For use on System z:\n * Version 7.5 and 8.0: Apply the latest [Java Technology Edition, V6.0.0 
PTF](<http://www-03.ibm.com/systems/z/os/zos/tools/java/>).\n * Version 8.5, 9.0 and 9.1: Apply the latest [Java Technology Edition, V7.0.0](<http://www-03.ibm.com/systems/z/os/zos/tools/java/>). \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n* 15 April 2015: Original copy published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Internal Use Only\n\nPSIRT 2696, record 48551 \nPSIRT 2913, record 50644\n\n[{\"Product\":{\"code\":\"SSRTLW\",\"label\":\"Rational Application Developer for WebSphere Software\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"General Information\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF022\",\"label\":\"OS X\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.5;7.5.1;7.5.2;7.5.3;7.5.4;7.5.5;7.5.5.1;7.5.5.2;7.5.5.3;7.5.5.4;7.5.5.5;8.0;8.0.1;8.0.2;8.0.3;8.0.4;8.0.4.1;8.0.4.2;8.0.4.3;8.5;8.5.1;8.5.5;8.5.5.1;9.0;9.0.1;9.0.1.1;9.1;9.1.0.1;9.1.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2020-02-05T00:09:48", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Application Developer for WebSphere (CVE-2015-0138, CVE-2014-6593, CVE-2015-0410, CVE-2015-0400)", 
"bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0400", "CVE-2015-0410"], "modified": "2020-02-05T00:09:48", "id": "45287357CDFF0CBDD9F6FBC98FE84205AFD006DFB984C6B589393F8B09465C66", "href": "https://www.ibm.com/support/pages/node/260531", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:55", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 that is used by Rational Insight. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n**CVEID:** [_CVE-2015-0383_](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilitie/100148>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C) \n \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n## Affected Products and Versions\n\nRational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5 and 1.1.1.6\n\n## Remediation/Fixes\n\nApply the recommended fixes to all affected versions of Rational Insight. 
\n \n \n**Rational Insight 1.1** \n \n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 11 (Implemented by file 10.1.6305.1016)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039727>) \nReview technote [1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg21679272>) for detailed instructions.\n \n**Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2** \n \n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 11 (Implemented by file 10.1.6305.1016)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039727>) \nRead technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for the detailed instructions for patch application.\n \n**Rational Insight 1.1.1.3** \n \n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 10 (Implemented by file 10.2.5000.1153)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039726>) \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n**Rational Insight 1.1.1.4, 1.1.1.5 and 1.1.1.6** \n \n 1. If the Data Collection Component or Jazz Reporting Service are used, perform this step first. \nReview the topics in <http://www-01.ibm.com/support/docview.wss?uid=swg21699296> for addressing the listed vulnerabilities in their underlying Jazz Team Server. \n\n 2. 
If the Cognos-based reporting server is used, also perform this step. \nDownload the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 9 (Implemented by file 10.2.5006.1016)](<http://www-01.ibm.com/support/docview.wss?uid=swg24039726>) \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:01:48", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Insight (CVE-2015-0138, CVE-2015-0383, CVE-2015-0410, CVE-2014-6593)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2018-06-17T05:01:48", "id": "527AEB02DC4029326B0DDB6C7A93716F28D3B32A5D2FFCEAC8C4A9ACE4F8F863", "href": "https://www.ibm.com/support/pages/node/261799", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-21T21:42:48", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 5, 6, and 7 that are used by Tivoli Netcool/OMNIbus. These issues were disclosed as part of the IBM Java SDK updates in January 2015. 
This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined\n\n**CVEID:** [_CVE-2015-0383_](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. 
\nCVSS Base Score: 5.4 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100148>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nTivoli Netcool/OMNIbus 7.3.0 \nTivoli Netcool/OMNIbus 7.3.1 \nTivoli Netcool/OMNIbus 7.4.0 \nTivoli Netcool/OMNIbus 8.1.0\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nOMNIbus | 7.3.0.15 | IV71122 | <http://www-01.ibm.com/support/docview.wss?uid=swg24039199> \nOMNIbus | 7.3.1.12 | IV71122 | <http://www-01.ibm.com/support/docview.wss?uid=swg24036687> \nOMNIbus | 7.4.0.6 | IV71122 | <http://www-01.ibm.com/support/docview.wss?uid=swg24036690> \nOMNIbus | 8.1.0.3 | IV71122 | <http://www-01.ibm.com/support/docview.wss?uid=swg24039346> \n \n## ", "cvss3": {}, "published": "2019-12-19T16:54:08", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2019-12-19T16:54:08", "id": "D995BFD7F2FE7D2B6BD9B254E3A2FFCCE7B6FC8B44FD9CE6285A91BD366E9BE9", "href": "https://www.ibm.com/support/pages/node/714315", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-21T01:37:42", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java Technology Edition, Version 1.6 that is used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM). These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\nIBM Jazz Team Server and the CLM applications (RRC, RTC, RQM, RDNG), RELM, Rhapsody DM, and RSA DM applications are affected by the following vulnerabilities disclosed in and corrected by the IBM\u00ae Java SDK updates in January 2015: \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n**CVEID:** [_CVE-2015-0383_](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100148> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)\n\n \n\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 3.0.1 - 5.0.2 \n \nRational Quality Manager 2.0 - 2.0.1 \nRational Quality Manager 3.0 - 3.0.1.6 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \n \nRational Team Concert 2.0 - 2.0.0.2 \nRational Team Concert 3.0 - 3.0.6 \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \n \nRational Requirements Composer 2.0 - 2.0.0.4 \nRational Requirements Composer 3.0 - 3.0.1.6 \nRational Requirements Composer 4.0 - 4.0.7 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \n \nRational Engineering Lifecycle Manager 1.0 - 1.0.0.1 \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \n \nRational Rhapsody Design Manager 3.0 - 3.0.1 \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \n \nRational Software Architect Design Manager 3.0 - 3.0.1 \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2\n\n## Remediation/Fixes\n\nIf your product is deployed on WebSphere Application Server (WAS) and your deployment uses neither an Eclipse-based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of your Rational product, and only upgrade the JRE in the WAS server according to these instructions: \n[_Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)_](<http://www.ibm.com/support/docview.wss?uid=swg21698613>) \n \n**Otherwise:** \n_Note: for any of the below remediations, if you are a WAS deployment, then WAS must also be upgraded, in 
addition to performing your product upgrades._ \nUpgrade your products to version **3.0.1.6**, **4.0.7** or **5.0.2** or later, apply the latest ifix, and then perform the following upgrades: \n \n[_How to update the IBM SDK for Java of IBM Rational products based on version 3.0.1.6 or later of IBM's Jazz technology_](<http://www.ibm.com/support/docview.wss?uid=swg21674139>)\n\n * For the 3.x releases of Rational Software Architect Design Manager and Rhapsody Design Manager, if you cannot upgrade to 4.0.7 or 5.0, contact [IBM Support](<http://www.ibm.com/software/support/einfo.html>) for guidance.\n * For the 2.x releases, contact [IBM Support](<http://www.ibm.com/software/support/einfo.html>) for additional details on the fix. \n * For the 1.x releases of Rational Engineering Lifecycle Manager, contact [IBM Support](<http://www.ibm.com/software/support/einfo.html>) for additional details on the fix.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2014-6593, CVE-2015-0383, CVE-2015-0410, CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2021-04-28T18:35:50", "id": "CC1740D85628549D6FAC223D34127F158CD233478F25DBA7737A26EE508DE9C0", "href": "https://www.ibm.com/support/pages/node/257893", "cvss": 
{"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-21T01:48:16", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6, that is used by IBM Content Collector and IBM CommonStore for Lotus Domino. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0383_](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100148_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100148>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C) \n \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\nIBM Content Collector 2.1 - 4.0.1 \nIBM CommonStore for Lotus Domino 8.4\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nIBM Content Collector| 2.1.0 - 4.0.1| Apply Interim Fix [4.0.1.0-IBM-ICC-IF001](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Collector&release=4.0.1.0&platform=ALL&function=fixId&fixids=4.0.1.0-IBM-ICC-IF001&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc>), available from Fix Central \nCommonStore for Lotus Domino| 8.4.0| Contact IBM Software Support for further assistance \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T12:10:38", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Content Collector and IBM CommonStore for Lotus Domino (CVE-2015-0138, CVE-2014-6593, CVE-2015-0383, CVE-2015-0410)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2018-06-17T12:10:38", "id": "BEA07EDC91E13190C2A3ABBA624D78B396A3BCC91954CBB1DADC8EFF96F132EF", "href": 
"https://www.ibm.com/support/pages/node/259233", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-21T01:48:18", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 5 and 7, that is used by Content Manager Enterprise Edition. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n**CVEID:** [_CVE-2015-0383_](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100148_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100148>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)\n\n## Affected Products and Versions\n\nContent Manager Enterprise Edition v8.4.3 - 8.5\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_Content Manager Enterprise Edition_| _8.5.x_| _NA_| _Please contact Level 2 support. Request fix level_ 004_850002tf. Note: This fix can be loaded on CM 8.5.0.0, 8.5.0.1, or 8.5.0.2. \n_Content Manager Enterprise Edition_| _8.4.3.x_| _NA_| _Please contact Level 2 support. Request fix level_ 009_84304tf. Note: This fix must be loaded on top of CM 8.4.3.4. Please upgrade to this level before applying the fix. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T12:10:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Content Manager Enterprise Edition ((CVE-2015-0410, CVE-2014-6593, CVE-2015-0383, CVE-2015-0138))", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2018-06-17T12:10:42", "id": "F004C66C5DF9777B5459C5EAD540BC9EE931AC626AFE24770D598EF0EA06D52A", "href": "https://www.ibm.com/support/pages/node/260183", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-21T05:57:30", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 6 and 7, that is used by IBM PureApplication System. These issues were disclosed as part of the IBM Java SDK updates in April 2015. This bulletin also addresses FREAK: \u201cFactoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM PureApplication System V2.1 \nIBM PureApplication System V2.0 \nIBM PureApplication System V1.1 \n\n## Remediation/Fixes\n\nThe PureSystems Manager on IBM PureApplication System is affected. The solution is to upgrade the IBM PureApplication System to the following fix level: \n \nIBM PureApplication System V2.1 \nUpgrade to IBM PureApplication System V2.1.0.2 \n \nIBM PureApplication System V2.0 \nUpgrade to IBM PureApplication System V2.0.0.1 Interim Fix 5 \n \nIBM PureApplication System V1.1 and earlier: \nContact IBM customer support for upgrade options.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:30", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM PureApplication System. 
(CVE-2015-2808, CVE-2015-0204, CVE-2015-1916, and CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-15T07:03:30", "id": "637E14D27427B4BF9FF4895FAFF50F421D76F11AF6EE8F320D07289D10CFD6E1", "href": "https://www.ibm.com/support/pages/node/535253", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:57:33", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 6 and 7, that is used by IBM Image Construction and Composition Tool. These issues were disclosed as part of the IBM Java SDK updates in April 2015. This bulletin also addresses FREAK: \u201cFactoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Image Construction and Composition Tool v2.2.1.3 \nIBM Image Construction and Composition Tool v2.3.1.0 \nIBM Image Construction and Composition Tool v2.3.2.0 \n\n## Remediation/Fixes\n\nThe solution is to apply the following IBM Image Construction and Composition Tool version fixes. \n \nUpgrade the IBM Image Construction and Composition Tool to the following fix levels: \n\n\n * For IBM Image Construction and Composition Tool v2.2.1.3\n * IBM Image Construction and Composition Tool v2.2.1.3 Build 32\n \n[__http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=1.1.0.5&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.2.1.3-32&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=1.1.0.5&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.2.1.3-32&includeSupersedes=0>)\n * For IBM Image Construction and Composition Tool v2.3.1.0\n * IBM Image Construction and Composition Tool v2.3.1.0 Build 43\n 
\n[__http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.0.0.1&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.1.0-43&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.0.0.1&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.1.0-43&includeSupersedes=0>)\n * For IBM Image Construction and Composition Tool v2.3.2.0\n * IBM Image Construction and Composition Tool v2.3.2.0 Build 16\n \n[__http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.1.0.0&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.2.0-16&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.1.0.0&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.2.0-16&includeSupersedes=0>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:26", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Image Construction and Composition Tool (CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-15T07:03:26", "id": 
"72056D117D1C56EF62F5323A003769891AD19B85D61C951A4D99A0B00D5BBB96", "href": "https://www.ibm.com/support/pages/node/533133", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:55:06", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition. These vulnerabilities affect WebSphere eXtreme Scale version 7.1.0, 7.1.1, 8.5, and 8.6. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. \n \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 2 and earlier releases. \n \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 2 and earlier releases. \n \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 and earlier releases. \n \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 2 and earlier releases.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange cipher suite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\nThe following CVE only applies if you run WebSphere eXtreme Scale on Solaris or HP-UX:\n\n**CVEID:** [_CVE-2015-0383_](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. 
\nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100148_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100148>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C) \n\n## Affected Products and Versions\n\nWebSphere eXtreme Scale 7.1.0 \nWebSphere eXtreme Scale 7.1.1 \nWebSphere eXtreme Scale 8.5 \nWebSphere eXtreme Scale 8.6\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nWebSphere eXtreme Scale| 7.1.0| PI37460| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.0.3&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.0.3&platform=All&function=all>) \nWebSphere eXtreme Scale| 7.1.1| PI37459| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.1.1&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.1.1&platform=All&function=all>) \nWebSphere eXtreme Scale| 8.5| PI37459| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.5.0.3&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.5.0.3&platform=All&function=all>) \nWebSphere eXtreme Scale| 8.6| PI37459| 
[http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.6.0.7&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.6.0.7&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nThe only mitigation is to apply the recommended fix. The fix must be applied if you are running the WebSphere eXtreme Scale server or Java client in stand-alone mode. If either the server or Java client is running under WebSphere Application Server or the WebSphere Application Server Liberty Profile, then you must apply an interim fix as described here: [_http://www-01.ibm.com/support/docview.wss?uid=swg21698613_](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>). The default WebSphere Application Server cipher suite configuration does not apply to WebSphere eXtreme Scale Connections. Therefore, an interim fix must be applied. \n\n--- \n\nIt is possible to run WebSphere eXtreme Scale with a Java runtime not delivered with the product. IBM recommends that you ensure that the Java runtime you use has fixes for these vulnerabilities. \n \n**Important note:** IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www-03.ibm.com/systems/z/solutions/security_integrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk. 
\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:45", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere eXtreme Scale: CVE-2015-0138, CVE-2014-6593, CVE-2015-0410, CVE-2015-0383", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2018-06-15T07:02:45", "id": "5B64CD04ABB9490D1AF2C98978905293DD9A40FFD9AB6AF123907E7CBD147985", "href": "https://www.ibm.com/support/pages/node/260345", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-03-07T01:32:33", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7.1 that is used by Bluemix Workflow. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [CVE-2014-3566](<https://vulners.com/cve/CVE-2014-3566>) \n**DESCRIPTION:** Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2014-6593](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [CVE-2015-0410](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nThis vulnerability affected IBM Workflow for Bluemix.\n\n## Remediation/Fixes\n\nThe production system has been upgraded. A user action is not required.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2023-03-06T14:45:22", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Bluemix Workflow", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2023-03-06T14:45:22", "id": "28A87AA21A3A63B76EB06532DDE145D08BAEA75DA55EB8D6ED802A5FCD8BF7CC", "href": "https://www.ibm.com/support/pages/node/258547", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:55:09", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is 
used by WebSphere Application Server underneath IBM Business Process Manager and WebSphere Lombardi Edition. These issues were disclosed as part of the IBM SDK Java\u2122 Technology Edition updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n**CVEID:** [_CVE-2015-0400_](<https://vulners.com/cve/CVE-2015-0400>) \n**DESCRIPTION:** An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100149> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\n * IBM Business Process Manager V7.5.x through V8.5.6.0\n * WebSphere Lombardi Edition V7.2.0.x\n\n_For earlier unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Remediation/Fixes\n\nIBM SDK Java\u2122 Technology Edition is used in WebSphere Application Server. See the following two security bulletins for vulnerability details and information about fixes. \n\n * [Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698613>)\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server January 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>)\n \nIBM SDK Java\u2122 Technology Edition is also used in IBM Process Designer. Install the interim fix for APAR IT07386 for your current version of IBM Business Process Manager or WebSphere Lombardi Edition. 
\n\n\n * [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=IT07386>)\n * [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=IT07386>)\n * [IBM Business Process Manager Advanced](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=IT07386>)\n * [WebSphere Lombardi Edition](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Lombardi+Edition&release=All&platform=All&function=aparId&apars=IT07386>)\n * If you are on earlier unsupported releases, IBM strongly recommends to upgrade. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:02:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM SDK Java\u2122 Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0400", "CVE-2015-0410"], "modified": "2018-06-15T07:02:43", "id": "D3FF1D0676CC80FF2D0493B6AE628B3CBE36C8135BEC8315CEDB0C7DA29160F1", "href": "https://www.ibm.com/support/pages/node/258599", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:50:59", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 and 7 that is used by IBM QRadar SIEM, and IBM QRadar Risk Manager. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n \n \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n \n**CVEID:** [_CVE-2015-0400_](<https://vulners.com/cve/CVE-2015-0400>) \n** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information. \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100149_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100149>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n \n \n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\n \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n## Affected Products and Versions\n\n * IBM QRadar SIEM 7.2.4 Patch 4 and earlier\n * IBM QRadar Risk Manager 7.2.4 Patch 4 and earlier\n * IBM QRadar SIEM 7.1 MR2 Patch 10 and earlier\n * IBM QRadar Risk Manager 7.1 MR2 Patch 10 and earlier\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nQRadar SIEM / QRadar Risk Manager| 7.2.4| Patch 4 iFix01 - [7.2.4-QRADAR-QRSIEM-1076569INT](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=All&function=fixId&fixids=7.2.4-QRADAR-QRSIEM-1076569INT&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nQRadar SIEM / QRadar Risk Manager| 7.1 MR2| Patch 10 iFix01 - [7.1.0-QRADAR-QRSIEM-1076519INT](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.1.0&platform=All&function=fixId&fixids=7.1.0-QRADAR-QRSIEM-1076519INT&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T21:23:31", "type": "ibm", "title": "Security Bulletin: IBM QRadar SIEM and IBM QRadar Risk Manager can be affected by Multiple Vulnerabilities in the IBM Java Runtime Environment (CVE-2015-0138, CVE-2015-0410, CVE-2015-0400, CVE-2014-6593)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", 
"integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0400", "CVE-2015-0410"], "modified": "2018-06-16T21:23:31", "id": "F6D7157F99CC742F7BD5E2247939078A44E409DE8500E68669891D8586C9FF13", "href": "https://www.ibm.com/support/pages/node/260025", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:52:10", "description": "## Summary\n\nIBM Security Identity Manager Virtual Appliance version 7.0 is affected by several Java vulnerabilies.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \n** \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n \n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n \nThis vulnerability is also known as the FREAK attack. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-1914_](<https://vulners.com/cve/CVE-2015-1914>)** \n** \n**DESCRIPTION:** A vulnerability in the IBM implementation of the Java Virtual Machine may allow untrusted code running under a security manager to bypass permission checks and view sensitive information. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101908_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101908>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \n** \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. \n \nThis vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n \n\n\n## Affected Products and Versions\n\nIBM Security Identity Manager Virtual Appliance: Versions 7.0.0.0 and 7.0.0.1\n\n## Remediation/Fixes\n\nEnsure that the version listed below is installed on the system. \n\nProduct Version| Fix level \n---|--- \nIBM Security Identity Manager (ISIM) 7.0 GA and 7.0.0.1 releases| Apply the following: \n1) IBM Security Identity Manager (ISIM) 7.0.0.2 fixpack [7.0.0-ISS-SIM-FP0002](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Identity+Manager&release=7.0.0&platform=All&function=fixId&fixids=7.0.0-ISS-SIM-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n2) IBM Security Identity Manager (ISIM) 7.0.0.2 Interim Fix 1 [7.0.0.2-ISS-SIM-IF0001](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Identity+Manager&release=7.0.0.2&platform=All&function=fixId&fixids=7.0.0.2-ISS-SIM-IF0001&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \nYou should verify applying this fix does not cause any compatibility issues. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T21:25:18", "type": "ibm", "title": "Security Bulletin: IBM Security Identity Manager Virtual Appliance affected by Java vulnerabilities (CVE-2015-0138 CVE-2015-0204 CVE-2015-1914 CVE-2015-2808 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-1914", "CVE-2015-2808"], "modified": "2018-06-16T21:25:18", "id": "DE333229FB28AF093636DC6CBE79032163AA86CF0150EB713DB188D561F22992", "href": "https://www.ibm.com/support/pages/node/530189", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:48:02", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 and 7 that is used by IBM Content Collector for SAP Applications. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [](<https://vulners.com/cve/CVE-2015-0138>)[_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \nThis vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>_ [](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n[](<https://vulners.com/cve/CVE-2015-0138>)[](<https://vulners.com/cve/CVE-2015-0138>)[](<https://vulners.com/cve/CVE-2015-0138>)**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-0383_](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100148_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100148>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)\n\n## Affected Products and Versions\n\nIBM Content Collector for SAP Applications V2.2\n\nIBM Content Collector for SAP Applications V3.0\n\nIBM Content Collector for SAP Applications V4.0\n\n## Remediation/Fixes\n\nIBM provides patches for the affected version. Follow the installation instructions in the README files that is included in the patch. \n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nIBM Content Collector for SAP Applications| 2.2.0.2| HE12282| Apply JRE Update 2.2.0.2-ICCSAP-Server-JRE-6.0.16.3.IV70681, and 2.2.0.2-ICCSAP-Client-JRE-6.0.16.3.IV70681, which are available from Fix Central \n \n**Note:** ICCSAP V2.2 has reached end of support, and is no longer available for download. \nIBM Content Collector for SAP Applications| 3.0.0.1| HE12281| Apply JRE Update 3.0.0.1-ICCSAP-Server-JRE-7.0.8.10.IV70681, and 3.0.0.1-ICCSAP-Client-JRE-7.0.8.10.IV70681, which are available from Fix Central \nFor the download details, see <http://www.ibm.com/support/docview.wss?uid=swg24039624>. 
\nIBM Content Collector for SAP Applications| 4.0.0.0| HE12283| Apply JRE Update 4.0.0.0-ICCSAP-Base-JRE-7.0.8.10.IV70681, which is available from Fix Central \nFor the download details, see <http://www.ibm.com/support/docview.wss?uid=swg24039608>. \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-17T12:10:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Content Collector for SAP Applications (CVE-2014-6593, CVE-2015-0410, CVE-2015-0383, CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2018-06-17T12:10:02", "id": "521E1D41EADBC58DD205928B95F91C47807C4ED0AC9E1AE8612FFF02D72B96D0", "href": "https://www.ibm.com/support/pages/node/526209", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-21T01:41:00", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 and 7 that are used by Rational Developer for i, Rational Developer for AIX and Linux, and Rational Developer for Power Systems Software. These issues were disclosed as part of the IBM Java SDK updates in January 2015. 
This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0400_](<https://vulners.com/cve/CVE-2015-0400>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100149>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n## Affected Products and Versions\n\n**Product Name**\n\n| **Versions Affected** \n---|--- \nRational Developer for Power Systems Software| 7.6, 7.6.0.1, 7.6.0.2, 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.3, 8.0.3.1, 8.5, 8.5.1 \nRational Developer for i| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.1 \nRational Developer for AIX and Linux, AIX COBOL Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1 \nRational Developer for AIX and Linux, C/C++ Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1 \n \n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Remediation/First Fix** \n---|---|--- \nRational Developer for Power Systems Software| 7.6 through 8.5.1| \n\n * For all versions, apply [IBM Java Quarterly Critical Patch Update - January 2015 - RD Power](<http://www.ibm.com/support/docview.wss?uid=swg24039763>) \nRational Developer for i| 9.0 through to 9.1| \n\n * For all versions, update the currently installed product using Installation Manager. ** **For instructions on installing this update using Installation Manager, review the topic [_Updating Installed Product Packages_](<http://www.ibm.com/support/knowledgecenter/SSAE4W_9.1.0/com.ibm.etools.iseries.install.doc/topics/t_upgrading.html>) in the IBM Knowledge Center. 
\n * Or, you can optionally download the update manually and apply [IBM Java Quarterly Critical Patch Update - January 2015 - RDi](<http://www.ibm.com/support/docview.wss?uid=swg24039761>) \nRational Developer for AIX and Linux| 9.0 through to 9.1| \n\n * For all client versions, update the currently installed product using Installation Manager. For instructions on installing this update using Installation Manager, review the topic [_Updating Installed Product Packages_](<http://www.ibm.com/support/knowledgecenter/SSPSQF_9.1.0/com.ibm.etools.install.rdal.doc/topics/t_upgrading.html>) in the IBM Knowledge Center. \n * For server updates or to manually download and apply the client updates see [IBM Java Quarterly Critical Patch Update - January 2015 - RDAL](<http://www.ibm.com/support/docview.wss?uid=swg24039762>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i, Rational Developer for AIX and Linux, and Rational Developer for Power Systems Software (CVE-2015-0138, CVE-2015-0410, CVE-2015-0400, CVE-2014-6593)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0400", "CVE-2015-0410"], "modified": "2018-08-03T04:23:43", "id": "467691274B46B374ED94D3C8CECDDBB250DC781111B8D9EE9B6CFCF7F4C45BB6", "href": "https://www.ibm.com/support/pages/node/261019", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:57:30", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 6 and 7, that is used by IBM OS Images for Red Hat Linux Systems, AIX, and Windows. These issues were disclosed as part of the IBM Java SDK updates in April 2015. This bulletin also addresses FREAK: \u201cFactoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)_ \n_DESCRIPTION:A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>)_ _for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM OS Image for Red Hat Linux Systems 3.0.0.0 and earlier. \nIBM OS Image for AIX Systems 2.1.1.0 and earlier.\n\n## Remediation/Fixes\n\nVirtual machines deployed from IBM PureApplication Systems are affected. This includes RedHat Linux and AIX-based deployments. The solution is to apply the following IBM PureApplication System fix to the deployed virtual machines. \n \nJava Update for Linux \n[__http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=+Java_Update_Linux_2++&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=+Java_Update_Linux_2++&includeSupersedes=0>) \n \nJava Update for AIX \n[__http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=+Java_Update_AIX_2++&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=+Java_Update_AIX_2++&includeSupersedes=0>)__ __ \n \n \n1\\. Import the fix into the Emergency Fix catalogue. \n2\\. For deployed instances, apply this emergency fix on the VM. \n3\\. 
Restart the deployed instance after the fix is applied.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:30", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems, AIX, and Windows. (CVE-2015-2808, CVE-2015-0204, CVE-2015-1916, CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-15T07:03:30", "id": "BB86AF26EFAC5E774B73ED4F6EA3CC2D4D70AAAEFF1EFE8255D4FF66723F6504", "href": "https://www.ibm.com/support/pages/node/535401", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:55:11", "description": "## Summary\n\nWebSphere Business Modeler, WebSphere Integration Developer, WebSphere Business Services Fabric, WebSphere Process Server and WebSphere Business Monitor are shipped as components of WebSphere Dynamic Process Edition. Information about security vulnerabilities affecting these products have been published in security bulletins. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n**CVEID:** [_CVE-2015-0400_](<https://vulners.com/cve/CVE-2015-0400>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100149> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>)[_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2014-3566_](<https://vulners.com/cve/CVE-2014-3566>) \n**DESCRIPTION:** Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/97013>)[_https://exchange.xforce.ibmcloud.com/vulnerabilities/97013_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/97013>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nWebSphere Dynamic Process Edition 6.1, 6.2, 7.0 \n\nIf you are using an unsupported version, IBM strongly recommends to upgrade.\n\n## Remediation/Fixes\n\nPlease consult the security bulletins \n\n\n * [Security Bulletin: Vulnerability in IBM Java Runtimes affect Websphere Business Modeler Advanced and Websphere Business Modeler Basic (CVE-2015-0138)](<http://www-01.ibm.com/support/docview.wss?uid=swg21701056>)\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer (IID) and WebSphere Integration Developer (WID)(CVE-2015-0138, CVE-2015-0410, CVE-2014-6593) ](<http://www-01.ibm.com/support/docview.wss?uid=swg21700896>)\n * [Security Bulletin: Vulnerability in IBM WebSphere Application Server affects WebSphere Business Services Fabric 
(CVE-2015-0138)](<http://www-01.ibm.com/support/docview.wss?uid=swg21699929>)\n * [Security Bulletin: Multiple vulnerabilities in the IBM SDK for Java\u2122 Technology Edition January 2015 CPU affect WebSphere Business Services Fabric](<http://www-01.ibm.com/support/docview.wss?uid=swg21697228>)\n * [Security Bulletin: Vulnerability in IBM WebSphere Application Server affects WebSphere Process Server and WebSphere Process Server Hypervisor Editions (CVE-2015-0138)](<http://www-01.ibm.com/support/docview.wss?uid=swg21699922>)\n * [Security Bulletin: Multiple vulnerabilities in the IBM SDK for Java\u2122 Technology Edition January 2015 CPU affect WebSphere Process Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21697229>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Business Monitor (CVE-2015-0138)](<http://www-01.ibm.com/support/docview.wss?uid=swg21700865>)\nfor vulnerability details and information about fixes. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2018-06-15T07:02:46", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in bundled products shipped with WebSphere Dynamic Process Edition (CVE-2015-0138, CVE-2014-3566, CVE-2014-6593, CVE-2015-0400, CVE-2015-0410)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0400", "CVE-2015-0410"], "modified": "2018-06-15T07:02:46", "id": "F3758093EA44146C6BB9180D4A89ECCFA58C42ADF8707A861E087BF54975924C", "href": "https://www.ibm.com/support/pages/node/259559", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:51", "description": "## Summary\n\nThere are multiple security vulnerabilities in the IBM\u00ae SDK Java\u2122 Technology Edition, Versions 6 and 7 that are used by IBM WebSphere Application Server Community Edition 3.0.0.4. 
\nThese issues were disclosed as part of the IBM Java SDK updates in April 2015.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-0488](<https://vulners.com/cve/CVE-2015-0488>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [CVE-2015-1916](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nNote: CVE-2015-0204 was fixed by CVE-2015-0138, see <http://www-01.ibm.com/support/docview.wss?uid=swg21702783> for details on CVE-2015-0138. \n\n## Affected Products and Versions\n\nWebSphere Application Server Community Edition 3.0.0.4\n\n## Workarounds and Mitigations\n\nIf you use the IBM SDK for Java, upgrade your SDK to a level as noted below: \n \nIBM SDK for Java 6.0: \nIBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 4 and subsequent releases \nIBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 4 and subsequent releases \n \nIBM SDK for Java 7.0: \nIBM SDK, Java Technology Edition, Version 7 Service Refresh 9 and subsequent releases \nIBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 and subsequent releases\n\n## ", "cvss3": {}, "published": 
"2018-06-15T07:03:06", "type": "ibm", "title": "Security Bulletin: Multiple Security vulnerability in current IBM SDK for Java for WebSphere Application Server Community Edition 3.0.0.4 April 2015 CPU (CVE-2015-0488 CVE-2015-2808 CVE-2015-1916 CVE-2015-0204)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-15T07:03:06", "id": "6D6EC6F0856DE385EB6411289892FD9554BF439983EDDA3A3668DC4E4954EF8B", "href": "https://www.ibm.com/support/pages/node/264895", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:53:55", "description": "## Summary\n\nVarious vulnerabilities in the Java Runtime Environment could affect IBM DB2 Recovery Expert for Linux, UNIX and Windows.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \nThe following CVEs only apply to the HP-UX and Solaris platforms: \n\n**CVEID:** [CVE-2015-0460](<https://vulners.com/cve/CVE-2015-0460>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102330> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-0470](<https://vulners.com/cve/CVE-2015-0470>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Hotspot component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102338> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM DB2 Recovery Expert for Linux, UNIX, and Windows versions 3.1 through 4.1 \n\n## Remediation/Fixes\n\nReplace the existing JRE with JRE V7 SR9-Fix Pack 1 (<http://www-01.ibm.com/support/docview.wss?uid=swg21639279>). \n\nYou can replace the IBM Runtime Environment, Java\u2122 Technology Edition that is installed with IBM DB2 Recovery Expert for Linux, UNIX, and Windows with the latest IBM Runtime Environment, Java\u2122 Technology Edition by following the detailed instructions provided in the tech-note \"[_Updating the JRE for DB2 Recovery Expert for Linux, UNIX and Windows_](<http://www-01.ibm.com/support/docview.wss?uid=swg21644942>)\". 
\n\n## Workarounds and Mitigations\n\nOnly CVE-2015-2808 can be mitigated. The other applicable CVEs have no mitigation and the JRE must be upgraded.\n\n \nMitigation instructions for CVE-2015-2808 are available here: \n\n * [_IBM SDK, Java Technology Edition, Version 8_](<http://www-01.ibm.com/support/docview.wss?uid=swg21672834>)\n * [_IBM SDK, Java Technology Edition, Version 7R1_](<http://www-01.ibm.com/support/docview.wss?uid=swg21639279>)\n * [_IBM SDK, Java Technology Edition, Version 7_](<http://www-01.ibm.com/support/docview.wss?uid=swg21499721>)\n\n## ", "cvss3": {}, "published": "2018-06-16T13:11:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Java Runtime Environment affects\u00a0IBM DB2 Recovery Expert for Linux, UNIX and Windows\u00a0(CVE-2015-0204, CVE-2015-0138, CVE-2015-2808, CVE-2015-0460, CVE-2015-470)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0460", "CVE-2015-0470", "CVE-2015-2808"], "modified": "2018-06-16T13:11:34", "id": "84148D1DF56ABF15F2C36A87D3E56B147FE5CE4A2EDE780059268C996ECCEE04", "href": "https://www.ibm.com/support/pages/node/531371", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:53:59", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 6 and 7 that are used by IBM InfoSphere Information Server. 
These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\u201d TLS/SSL client and server vulnerability. \n \nA vulnerability in the RC4 stream cipher affects IBM WebSphere Application Server and the Progress Software DataDirect Connect ODBC drivers that are shipped as components of IBM InfoSphere Information Server. Information about this Bar Mitzvah security vulnerability has been published in a WebSphere Application Server security bulletin. Information about this vulnerability and the Progress Software DataDirect Connect ODBC drivers is below.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0383_](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. \nThis issue is only applicable on HP and Solaris platforms. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100148_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100148>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C) \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nThe following product, running on all supported platforms, is affected: \nIBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, and 11.3\n\n## Remediation/Fixes\n\n \n\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server| 11.3| JR52470| \\--Follow instructions in the [_README_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113_JR52470_services_engine_*>) \n\\--If the services tier is using Websphere Application Server Network Deployment then apply [_Websphere Application Server fix_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) PI36563 for V8.5.0.0 through 8.5.5.5 Full Profile \n\\--On all tiers, edit the <IS_HOME>/jdk/jre/lib/security/java.security file and turn off RC4 by adding: jdk.tls.disabledAlgorithms=SSLv3,RC4 \nInfoSphere Information Server| 9.1| JR52470| \\--Apply [_JR52470_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is91_JR52470_services_engine*>) on all tiers \n\\--Apply [_Websphere Application Server fix_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) PI36563 for V8.0.0.x / 8.5.0.x / 8.5.5.x \nInfoSphere Information Server| 8.7| JR52470| \\--Apply IBM InfoSphere Information Server version [_8.7 Fix Pack 2_](<http://www-01.ibm.com/support/docview.wss?uid=swg24034359>) \n\\--Apply 
[_JR52470_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is8702_JR52470_services_engine*>) on all tiers \n\\--Apply [_Websphere Application Server fix_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) PI36563 for V7.0.0.0 through 7.0.0.37 \nInfoSphere Information Server| 8.5| JR52470| \\--Apply IBM InfoSphere Information Server version [_8.5 Fix Pack 3_](<http://www-01.ibm.com/support/docview.wss?uid=swg24033513>) \n\\--Apply [_JR52470_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is8503_JR52470_services_engine*>) on all tiers \n\\--Apply [_Websphere Application Server fix_](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>) PI36563 for V7.0.0.0 through 7.0.0.37 \n \n \nFor IBM InfoSphere Information Server versions 8.0 and 8.1, IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n \nYou should verify that applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. \n \nAdditionally, perform the remediation step for the DataDirect Connect ODBC drivers per information in the \"Workarounds and Mitigations\" section. \n\n## Workarounds and Mitigations\n\nFor all InfoSphere Information Server releases, disable RC4 stream cipher usage in the Progress Software DataDirect Connect ODBC drivers. 
For details, refer to TechNote [_http://www-01.ibm.com/support/docview.wss?uid=swg21883537_](<http://www-01.ibm.com/support/docview.wss?uid=swg21883537>)\n\n## ", "cvss3": {}, "published": "2018-06-16T13:09:38", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affect IBM InfoSphere Information Server (CVE-2015-0383, CVE-2015-0410, CVE-2014-6593 CVE-2015-0138 CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0383", "CVE-2015-0410", "CVE-2015-2808"], "modified": "2018-06-16T13:09:38", "id": "2C748C312EB386AF074EF41BE80CC4B2740D8D2B3D069407B39739A9AD85D5D6", "href": "https://www.ibm.com/support/pages/node/527235", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-21T05:49:06", "description": "## Summary\n\nThe Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects Rational Service Tester. \n \nThere are also multiple vulnerabilities in IBM SDK Java Technology Edition, Version 1.7 that is used by Rational Service Tester. These issues were disclosed as part of the IBM Java SDK updates in April 2015. 
\n \nThis bulletin also addresses the \"FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and the RC4 Bar Mitzvah Attack SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>) \n**DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nRational Service Tester versions 8.2*, 8.3.*, 8.5.*, 8.6.* and 8.7.*.\n\n## Remediation/Fixes\n\nUpgrade to version 8.7.0.2 is recommended. A fix is available as described below \n \n\n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nRST| 8.7| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc>)` \nRST| 8.6 - 8.6.x| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc>)` \nRST| 8.5 - 8.5.x| None| Download 
`[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc>)` \nRST| 8.3 -8.3.x| None| Download[ ](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>)`[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc>)` \nRST| 8.2 - 821.x| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc>)` \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": 
"NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T05:04:20", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2015-4000, CVE-2015-0478, CVE-2015-1916).", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0478", "CVE-2015-1916", "CVE-2015-2808", "CVE-2015-4000"], "modified": "2018-06-17T05:04:20", "id": "E9D697890F273DADB14BA2E56AB33EFE80D0F44CDB73355C0FAA7C02A52EA536", "href": "https://www.ibm.com/support/pages/node/532327", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:49:08", "description": "## Summary\n\nThe Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects Rational Performance Tester. \n \nThere are also multiple vulnerabilities in IBM SDK Java Technology Edition, Version 1.7 that is used by Rational Performance Tester. These issues were disclosed as part of the IBM Java SDK updates in April 2015. 
\n \nThis bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:**[_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:**An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:**[_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:**Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n** \nCVEID:**[_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:**The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:**[_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:**A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nRational Performance Tester versions 8.2*, 8.3.*, 8.5.*, 8.6.* and 8.7.*.\n\n## Remediation/Fixes\n\nUpgrade to version 8.7.0.2 is recommended. A fix is available as described below \n \n\n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nRPT| 8.7| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc>)` \nRPT| 8.6 - 8.6.x| None| Download [`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc>) \nRPT| 8.5 - 8.5.x| None| Download 
[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc>) \nRPT| 8.3 -8.3.x| None| Download[ ](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>)[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc>) \nRPT| 8.2 - 821.x| None| Download [`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.2.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP1&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T05:04:20", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2015-4000, CVE-2015-0478, CVE-2015-1916).", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0478", "CVE-2015-1916", "CVE-2015-2808", "CVE-2015-4000"], "modified": "2018-06-17T05:04:20", "id": "F93F351432EE382962D63DF905127DFA76C55EACC58DBDA0A8FB03D2CD76B307", "href": "https://www.ibm.com/support/pages/node/532323", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:35:51", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 5, 6, 7, and 8** that are used by Maximo Asset Management, Maximo Asset Management Essentials, Maximo Asset Management for Energy Optimization, Maximo Industry Solutions (including Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities), Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, Change and Configuration Management Database, TRIRIGA for Energy Optimization (previously known as 
Intelligent Building Management), and SmartCloud Control Desk. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n \nThis bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n[CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n \n**CVEID:**[CVE-2015-0488](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:**An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:**[CVE-2015-0478](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:**An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:**[CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:**A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:**[CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:**The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:**[CVE-2015-1916](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:**Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:**[CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:**A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nThe following IBM Java versions are affected: \n \n\u2022 IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 and earlier releases \n\u2022 IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 3 and earlier releases \n\u2022 IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 3 and earlier releases \n\u2022 IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 Fix Pack 10 and earlier releases \n\u2022 IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 2 Fix Pack 10 and earlier releases \n\u2022 IBM SDK, Java Technology Edition, Version 8 GA ** \n \nIBM supplied the Java Runtime Environment (JRE) from the IBM SDK Java Technology Edition Versions with the following: \n \nThe 7.1.x versions of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Asset Management for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, Maximo for Utilities, Tivoli Asset Management for IT, Tivoli Service Request Manager, and Tivoli Change and Configuration Management Database bundled the JRE from IBM SDK Java 2 Technology Edition Version 5. \n \nThe 7.2.x versions of Tivoli Asset Management for IT, Tivoli Service Request Manager, and Tivoli Change and Configuration Management Database bundled the JRE from IBM SDK Java 2 Technology Edition Version 5. 
\n \nThe 7.5.x versions of Maximo Asset Management, Maximo Asset Management Essentials, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, Maximo for Utilities, and SmartCloud Control Desk bundled the JRE from IBM SDK Java Technology Edition Version 6. \n \nThe 7.6.x versions of Maximo Asset Management bundled the JRE from IBM SDK Java Technology Edition Version 7. \n \nTRIRIGA for Energy Optimization 1.1.x bundled the JRE from IBM SDK Java Technology Edition Version 6. \n \nIt is likely that earlier unsupported versions are also affected by these vulnerabilities. Remediation is not provided for product versions that are no longer supported. IBM recommends that customers running unsupported versions upgrade to the latest supported version of products in order to obtain remediation for the vulnerabilities.\n\n## Remediation/Fixes\n\nThere are two areas where the vulnerabilities in the Java SDK/JDK or JRE may require remediation: \n \n1\\. Application Server \u2013 Update the Websphere Application Server. Refer to [JDK Fixes for Websphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>) for additional information on updating and maintaining the JDK component within Websphere. Customers with Oracle Weblogic Server, which is not an IBM product and is not shipped by IBM, will also want to update their server. \n2\\. Browser Client - Update the Java plug-in used by the browser on client systems, using the remediated JRE version referenced on [developerWorks JavaTM Technology Security Alerts](<http://www.ibm.com/developerworks/java/jdk/alerts/>) or referenced on [Oracle\u2019s latest Critical Patch Update](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) (which can be accessed via [developerWorks JavaTM Technology Security Alerts](<http://www.ibm.com/developerworks/java/jdk/alerts/>)). 
Updating the browser Java plug-in may impact some applets such as Maximo Asset Management Scheduler. Download from IBM FixCentral the latest [_Maximo Asset Management Scheduler Interim Fix_](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Tivoli&product=ibm/Tivoli/Maximo+Asset+Management+Scheduler&release=All&platform=All&function=all&source=fc>) for Version 7.1 or [_Maximo Asset Management Fix Pack_](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Maximo+Asset+Management&release=All&platform=All&function=all&source=fc>) for Version 7.5.0.2 or later, which includes the resolution for APAR IV11560. \n \nDue to the threat posed by a successful attack, IBM strongly recommends that customers apply fixes as soon as possible.\n\n## Workarounds and Mitigations\n\nUntil you apply the fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so IBM strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem. 
\n \nMitigation instructions for CVE-2015-2808 are available here: \n\n[\u2022 IBM SDK, Java Technology Edition, Version 8](<http://www-01.ibm.com/support/docview.wss?uid=swg21672834>)\n\n \n[\u2022 IBM SDK, Java Technology Edition, Version 7R1](<http://www-01.ibm.com/support/docview.wss?uid=swg21639279>) \n[\u2022 IBM SDK, Java Technology Edition, Version 7](<http://www-01.ibm.com/support/docview.wss?uid=swg21499721>)\n\n \nNo equivalent mitigation is available for IBM SDK, Java Technology Edition, Version 6, and IBM SDK, Java 2 Technology Edition, Version 5.0.\n\n## ", "cvss3": {}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Asset and Service Management", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2022-09-22T03:02:31", "id": "363F1E6A6B5C2A70D13E0D8374B17FDF5930E05DCB5525830BB35B47CB16585E", "href": "https://www.ibm.com/support/pages/node/265319", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:52:10", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 5.0 , Version 6.0 and Version 7.0 that is used by Security Directory Integrator. Some of these issues were disclosed as part of the IBM Java SDK updates in April 2015. 
\n \n \nThis bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability RC4 Bar Mitzvah Attack for SSL/TLS vulnerability and the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol .\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n \n**CVEID:**[_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:**An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:**[_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:**An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:**[_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:**Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:**[_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:**The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:**[_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:**A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\n \nIBM Tivoli Directory Integrator 6.1.1 \nIBM Tivoli Directory Integrator 7.0.0 \nIBM Tivoli Directory Integrator 7.1.0 \nIBM Tivoli Directory Integrator 7.1.1 \nIBM Security Directory Integrator 7.2.0\n\n## Remediation/Fixes\n\nAffected Products and Versions\n\n| Fix availability \n---|--- \nTDI 6.1.1| [7.0.0-TIV-TDI-LA0024](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24040301>) \nTDI 7.0| [7.0.0-TIV-TDI-LA0024](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24040301>) \nTDI 7.1| [7.1.1-TIV-TDI-LA0027](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24040295>) \nTDI 7.1.1| [7.1.1-TIV-TDI-LA0027](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24040295>) \nSDI 7.2| [7.2.0-ISS-SDI-LA0008](<http://www.ibm.com/support/docview.wss?uid=swg24040294>) \n \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\nAs the length of the server key size are increased, the amount of CPU required for full TLS/SSL handshake can significantly increase. Please carefully test and assess the impact to your CPU requirements to ensure sufficient CPU resources, otherwise the system availability may be impacted. \n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-16T21:25:20", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Security Directory Integrator", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808", "CVE-2015-4000"], "modified": "2018-06-16T21:25:20", "id": "6DF3814722A33BAC4382EFDB9DF33B5A2FFEA62B91E068C5925CD8FDD7EED52D", "href": "https://www.ibm.com/support/pages/node/530247", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:47:14", "description": "## Summary\n\nAddresses multiple vulnerabilities disclosed as part of the IBM Java SDK updates in April 2015. 
\n\n## Vulnerability Details\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6 that is used by Tivoli Composite Application Manager for SOA. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n \nThis bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability. These fixes were also previously included in 7.2.0.1-TIV-ITCAMSOA-IF0003. \n \n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:**[_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:**An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:**[_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:**An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:**[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:**A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. 
An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n** \n****CVEID:**[_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:**The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n** \nCVEID:**[_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:**Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\nIBM Tivoli Composite Application Manager for SOA 7.2\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_ | \n\n_APAR_ | \n\n_Remediation/First Fix_ \n---|---|---|--- \n \nIBM Tivoli Composite Application Manager for SOA | \n\n7.2.0.1 | \n\nIV73049 | \n\n[7.2.0.1-TIV-ITCAMSOA-IF0004](<http://www-01.ibm.com/support/docview.wss?uid=isg400002197>) \n \nThis fix also resolves the LogJam vulnerability in Diffie-Hellman ciphers. For details see here: <http://www-01.ibm.com/support/docview.wss?uid=swg21902710> \n \nFor earlier releases IBM recommends upgrading to a fixed, supported version of the product. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:01:51", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime (April 2015)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-17T15:01:51", "id": "F0ABD172DAB727B9E1A590E26426CC6FC3FB7572FBBAACB844B6C8AA844A1A2D", "href": "https://www.ibm.com/support/pages/node/264073", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": 
"2023-02-21T01:42:05", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition Version 6 and 7, which is used by IBM Content Collector for SAP Applications. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \nThis bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n\n**CVEID: **[_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \nDESCRIPTION: An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID: **[_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \nDESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_ https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID: **[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \nDESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. 
An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID: **[_CVE-2015-2808 \n_](<https://vulners.com/cve/CVE-2015-2808>)DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See[_ https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:**[_ CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \nDESCRIPTION: Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID: **[_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \nDESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM Content Collector for SAP Applications V2.2 \n\nIBM Content Collector for SAP Applications V3.0\n\nIBM Content Collector for SAP Applications V4.0\n\n## Remediation/Fixes\n\nIBM provides patches for the affected version. Follow the installation instructions in the README files that is included in the patch. \n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nIBM Content Collector for SAP Applications| 2.2.0| HE12317| Apply JRE Update 2.2.0.2-ICCSAP-Server-JRE-6.0.16.4, and 2.2.0.2-ICCSAP-Client-JRE-6.0.16.4, which are available from Fix Central \nFor the download details, see <http://www.ibm.com/support/docview.wss?uid=swg24039994>. 
\nIBM Content Collector for SAP Applications| 3.0.0| HE12318| Apply JRE Update 3.0.0.2-ICCSAP-Server-JRE-7.0.9, and 3.0.0.2-ICCSAP-Client-JRE-7.0.9, which are available from Fix Central \nFor the download details, see <http://www.ibm.com/support/docview.wss?uid=swg24039992>. \nIBM Content Collector for SAP Applications| 4.0.0| HE12319| Apply JRE Update 4.0.0.0-ICCSAP-Base-JRE-7.0.9, which is available from Fix Central \nFor the download details, see <http://www.ibm.com/support/docview.wss?uid=swg24039993>. \n \n## ", "cvss3": {}, "published": "2018-06-25T05:54:54", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Content Collector for SAP Applications (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0204)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-25T05:54:54", "id": "42E120F033799AC7E1B18D852BA65973034A0861B261895FEE37D36B6D3EAAC7", "href": "https://www.ibm.com/support/pages/node/264479", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:36:48", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6.0 that is used by IBM WebSphere Application Server embedded in IBM Global Name Management. 
These issues were disclosed as part of the IBM Java SDK updates in April 2015.\n\n## Vulnerability Details\n\n \n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)\n\n**CVEID:**[_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:**An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:**[_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:**An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:**[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:**A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:**[_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:**The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:**[_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:**Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:**[_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:**A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM InfoSphere Global Name Management 5.0\n\n## Remediation/Fixes\n\nFrom the Websphere Security Bulletin: \n \n**For 8.0.0.0 through 8.0.0.10: ** \n\uf0b7 Apply Interim Fix [_PI39866_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039956>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 4 \n\n**\\--OR--**\n\n\uf0b7 Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 11 (8.0.0.11) or later (targeted to be available 17 August 2015). 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-04-20T17:04:55", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Global Name Management 5.0 ( CVE-2015-0488 CVE-2015-0478 CVE-2015-0204 CVE-2015-2808 CVE-2015-1916 CVE-2015-0138 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2022-04-20T17:04:55", "id": "84675A12010348000987B3B23199431634511DDFAE93164E5909BC080FB29130", "href": "https://www.ibm.com/support/pages/node/264751", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-23T21:52:27", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7.0 that is used by IBM Fabric Manager. This also includes a fix for the Padding Oracle On Downgraded Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566). 
These issues were disclosed as part of the IBM Java SDK updates in October 2014 and January 2015.\n\nThis bulletin also addresses the \"FREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2015-0138](<https://vulners.com/cve/CVE-2015-0138>)\n\n**Description:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/100691> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVE-ID:** [CVE-2015-0410](<https://vulners.com/cve/CVE-2015-0410>)\n\n**Description:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/100151> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVE-ID:** [CVE-2014-6593](<https://vulners.com/cve/CVE-2014-6593>)\n\n**Description:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.\n\nCVSS Base Score: 4 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/100153> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-3566](<https://vulners.com/cve/CVE-2014-3566>)\n\n**Description:** Multiple products could allow a 
remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/97013> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVE-ID:** [CVE-2014-6457](<https://vulners.com/cve/CVE-2014-6457>)\n\n**Description:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.\n\nCVSS Base Score: 4 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/97148> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVE-ID:** [CVE-2014-6558](<https://vulners.com/cve/CVE-2014-6558>)\n\n**Description:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/97151> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)\n\n## Affected products and versions\n\n * IBM Fabric Manager 4.1.00.24 and earlier versions.\n\n## Remediation/Fixes:\n\nIBM recommends updating to version [4.1.02.0031](<http://www-933.ibm.com/support/fixcentral/systemx/selectFixes?parent=x222+Compute+Node&product=ibm/systemx/7916&&platform=All&function=fixId&fixids=ibm_sw_ifm-4.1.02.0031_linux_32-64&includeSupersedes=0>) or later. Firmware updates are available through IBM Fix Central (<http://www.ibm.com/support/fixcentral/>). 
\n\nIBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.\n\n## Workarounds and Mitigations:\n\nTo avoid CVE-2014-3566 (POODLE), SSL 3.0 can be disabled by using the IFM \"TLS 1.2 only\" setting. You should verify disabling SSLv3 does not cause any compatibility issues.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2019-01-31T01:55:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager (CVE-2015-0138, CVE-2015-0410, CVE-2014-6593, CVE-2014-3566, CVE-2014-6457, CVE-2014-6558)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6457", "CVE-2014-6558", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2019-01-31T01:55:01", "id": "9B73D553C5721DEF146CFAFEC1F0FF71EB7E3943ED00FB587A9862A47029FA57", "href": "https://www.ibm.com/support/pages/node/866792", "cvss": {"score": 
5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:57:42", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n\n## Vulnerability Details\n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:**[_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:**An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:**[_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:**An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_ https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:**[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:**A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_ https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n** \nCVEID:**[_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:**The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See_ __<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:**[_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:**Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n * IBM Business Process Manager V7.5.x through V8.5.6.0\n * WebSphere Lombardi Edition V7.2.0.x\n_For earlier unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Remediation/Fixes\n\nIBM SDK Java\u2122 Technology Edition is used in WebSphere Application Server. See the following security bulletin for vulnerability details and information about fixes: \n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2015 CPU](<https://www.ibm.com/support/docview.wss?uid=swg21902260>) \n \nThe Eclipse-based IBM Process Designer tool includes an instance of the IBM SDK Java\u2122 Technology Edition. 
To fix this development tool, install APAR JR54070 for your version of IBM Business Process Manager or WebSphere Lombardi Edition: \n\n\n * [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR54070>)\n * [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR54070>)\n * [IBM Business Process Manager Advanced](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR54070>)\n * [WebSphere Lombardi Edition](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Lombardi+Edition&release=7.2.0.5&platform=All&function=aparId&apars=JR54070>)\n \nThe fix for IBM Business Process Manager V8.5.6.0 is included in Version 8.5.6.0 Cumulative Fix 1 for the IBM Business Process Manager products and all later cumulative fixes. See [Fix list for the IBM Business Process Manager Version 8.5 products](<http://www.ibm.com/support/docview.wss?uid=swg27039722>) to determine the latest available cumulative fix for your release. \n \nIf you are on earlier unsupported releases, IBM strongly recommends upgrading. 
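The FREAK, Bar Mitzvah and POODLE descriptions repeated across the bulletins above state the failure modes but not how a client or an auditor recognises them on the wire. The following Python is an added example, not IBM's code and not part of any bulletin: it implements the client-side rule whose absence is CVE-2015-0204/CVE-2015-0138 (a ServerKeyExchange carrying an RSA temporary key is legal only under an RSA_EXPORT suite), builds a ClientHello that offers only export-grade RSA suites, and parses the ServerHello to flag an export suite, an RC4 suite or an SSLv3 negotiation. The cipher-suite tables are a hand-picked subset of the IANA registry, the ServerHello used for the offline run is constructed here, and `probe()` needs network access and a host of your choosing.

```python
"""Added example (not IBM's code): recognise the TLS conditions the bulletins
describe.  Client side: the check that blocks FREAK.  Server side: a probe
that offers only RSA_EXPORT suites and audits what comes back.  Wire format
is TLS 1.0-1.2 (RFC 5246); stdlib only."""
import os
import socket
import struct

# Hand-picked subset of the IANA cipher-suite registry (assumption: enough
# for the demonstration; a real auditor would load the whole registry).
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
SSL3_VERSION = 0x0300


def client_may_accept_rsa_server_key_exchange(suite: int) -> bool:
    """The rule a correct client applies when a ServerKeyExchange with RSA
    parameters arrives: only an RSA_EXPORT suite may carry a temporary RSA
    key.  Accepting it under any other RSA suite (e.g. 0x002F) is the
    client half of FREAK."""
    return suite in EXPORT_RSA_SUITES


def _handshake_record(hs_type: int, body: bytes, version: int) -> bytes:
    """Wrap a handshake body in a handshake header (1-byte type, 24-bit
    length) and a TLS record header (type 0x16, version, 16-bit length)."""
    handshake = bytes([hs_type]) + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def build_client_hello(suites, version: int = 0x0301) -> bytes:
    """Minimal ClientHello offering exactly `suites`, no extensions."""
    body = struct.pack("!H", version) + os.urandom(32)        # version, random
    body += b"\x00"                                           # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                       # null compression only
    return _handshake_record(0x01, body, version)


def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed ServerHello so the parser can run offline; a real server
    supplies this in `probe()`."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", suite) + b"\x00"
    return _handshake_record(0x02, body, version)


def parse_server_hello(record: bytes):
    """Return (server_version, cipher_suite) from a record that begins with
    a ServerHello; None for an alert (0x15) or any other message."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x02:
        return None
    body = hs[4:]                          # skip type + 24-bit length
    version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                     # after 2-byte version + 32-byte random
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return version, suite


def audit_server_hello(version: int, suite: int):
    """Map the negotiated version and suite onto the bulletins' findings."""
    findings = []
    if suite in EXPORT_RSA_SUITES:
        findings.append("FREAK: export-grade RSA negotiated")
    if suite in RC4_SUITES:
        findings.append("Bar Mitzvah: RC4 negotiated")
    if version == SSL3_VERSION:
        findings.append("POODLE: SSLv3 negotiated")
    return findings


def probe(host: str, port: int = 443, suites=tuple(EXPORT_RSA_SUITES), timeout: float = 5.0):
    """Live check (network needed): offer only `suites`; a ServerHello back
    means the server accepted them, an alert or nothing means it refused."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(suites)))
        reply = sock.recv(4096)
    parsed = parse_server_hello(reply)
    if parsed is None:
        return ["server refused the offered suites"]
    return audit_server_hello(*parsed)


if __name__ == "__main__":
    ver, cs = parse_server_hello(build_server_hello(0x0301, 0x0003))
    print(audit_server_hello(ver, cs))
    print(client_may_accept_rsa_server_key_exchange(0x002F))   # the FREAK fix: False
```

Run `probe()` only against hosts you are authorised to test. A server that answers an export-only ClientHello with a ServerHello rather than a handshake_failure alert is the server half of FREAK and stays exploitable regardless of the client-side fixes these bulletins ship; the client-side rule is what the fixed GSKit and IBM JSSE enforce.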
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:13", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM SDK Java\u2122 Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition April 2015 CPU", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-15T07:03:13", "id": "731FA112727B2A8CB08738E86A13435F3E4FCF392C86655870AE870BE2F79A56", "href": "https://www.ibm.com/support/pages/node/528601", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:57:46", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Service Registry and Repository. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n\n## Vulnerability Details\n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)** \n \nCVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) ** \n \nCVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) ** \n \nCVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)** \nDESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nWebSphere Service Registry and Repository 6.3, 7.0, 7.5, 8.0, 8.5, 8.5.5 \n\nWebSphere Service Registry and Repository Studio 6.3, 7.0, 7.5, 8.0, 8.5, 8.5.5\n\n## Remediation/Fixes\n\nTo fix the WebSphere Service Registry and Repository server, please apply the fix indicated in the WebSphere Application Server bulletin at <https://www-304.ibm.com/support/docview.wss?uid=swg21902260>\n\nIf you wish to also apply a fix to WebSphere Service Registry and Repository Studio, please either contact IBM support for a fix, or replace Studio's bundled JRE with IBM JRE, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 4 and subsequent releases. The fixed JRE can be downloaded from <https://www.ibm.com/developerworks/java/jdk/>\n\n \n_For WebSphere Service Registry and Repository version 6.3, __IBM recommends upgrading to a fixed, supported version of the product._\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:08", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Service Registry and Repository April 2015 CPU", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-15T07:03:08", 
"id": "0ABAD79A1E5919C3C1BBA78B75BABD96320D05680BD1E0F4A51175A11334B8E2", "href": "https://www.ibm.com/support/pages/node/527739", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:54:51", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2015-0488 CVE-2015-0478 CVE-2015-0204 CVE-2015-2808 CVE-2015-1916 CVE-2015-0138 \n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2015 Critical Patch Update and additional vulnerabilities which affect IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but WebSphere Application Server is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. Please refer to the Reference section for more information on the advisories not applicable to WebSphere Application Server. \n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM Java SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.5, Version 8.0.0.0 through 8.0.0.10, Version 7.0.0.0 through 7.0.0.37, Version 6.1.0.0 through 6.1.0.47 \n\n * This _does not occur_ on IBM Java SDK shipped with WebSphere Application Servers Fix Packs 8.5.5.6, 8.0.0.11 and 7.0.0.39 or later. \n**Warning:** \nFor mixed cells that contain WebSphere Application Server version 6.0.2 nodes where Java 2 security is enabled, ensure APAR PM92206 or its circumvention is applied to the Deployment Manager to prevent sync operation failure. PM92206 has been delivered with an Interim Fix or with WebSphere Application Server Fix Packs 8.5.5.1 and 8.0.0.7 and 7.0.0.31 or later. 
\n\n## Remediation/Fixes\n\n**_For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition_** **:** \n \nDownload and apply the interim fix APARs below, for your appropriate release: \n\n**For V8.5.0.0 through 8.5.5.5 Full Profile:**\n\n * Apply Interim Fix [PI39865](<http://www-01.ibm.com/support/docview.wss?uid=swg24039957>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 4 (required) \n * Apply Interim Fix [PI39864](<http://www-01.ibm.com/support/docview.wss?uid=swg24039958>): Will upgrade you to IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 (optional) \n * Apply Interim Fix [PI39863](<http://www-01.ibm.com/support/docview.wss?uid=swg24039961>): Will upgrade you to IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 (optional) \n * Apply Interim Fix [PI39862](<http://www-01.ibm.com/support/docview.wss?uid=swg24039962>): Will upgrade you to IBM SDK, Java Technology Edition, Version 8 Service Refresh 1 (optional)\n**\\--OR--**\n\n * Apply IBM Java SDK shipped with the WebSphere Application Server Fix pack 6 (8.5.5.6) or later.\n\n**For 8.0.0.0 through 8.0.0.10:**\n\n * Apply Interim Fix [PI39866](<http://www-01.ibm.com/support/docview.wss?uid=swg24039956>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 4 \n**\\--OR--**\n\n * Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 11 (8.0.0.11) or later.\n\n**For V7.0.0.0 through 7.0.0.37:**\n\n * Apply Interim Fix [PI39867](<http://www-01.ibm.com/support/docview.wss?uid=swg24039964>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 4\n**\\--OR--**\n\n * Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 39 (7.0.0.39) or later.\n\n**For V6.1.0.0 through 6.1.0.47:**\n\n * Contact IBM Support and apply Interim Fix PI39868: Will upgrade you to IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 10\n\n**_For IBM WebSphere Application Server for i5/OS operating systems:_** \n \nThe IBM Developer Kit for Java is prerequisite software for WebSphere Application Server for IBM i. Please refer to [_Java on IBM i_](<https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/IBM%20i%20Technology%20Updates/page/Java%20on%20IBM%20i>) for updates on when these fixes will be available. 
\n\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2015 CPU", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-15T07:03:02", "id": "3D2BA838E870B8857BE2FA142F996E4B48BB78A52BC727BF3328ED478FA98B94", "href": "https://www.ibm.com/support/pages/node/263523", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:47:12", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server as a component of IBM Tivoli Network Performance Manager. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2015-0488 CVE-2015-0478 CVE-2015-0204 CVE-2015-2808 CVE-2015-1916 CVE-2015-0138 \n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2015 Critical Patch Update and additional vulnerabilities which affect IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but WebSphere Application Server is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. 
Please refer to the Reference section for more information on the advisories not applicable to WebSphere Application Server. \n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nAffected Product and Version(s)| Product and Version shipped as component \n---|--- \nTivoli Network Performance Manager 1.4| Bundled the Jazz for Service Management version 1.1.0.2, IBM WebSphere version 8.5.0.1 and the JRE from IBM SDK Java 2 Technology Edition Version 7. \nTivoli Network Performance Manager 1.3.3| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nTivoli Network Performance Manager 1.3.2| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nTivoli Network Performance Manager 1.3.1| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. 
\n \n## Remediation/Fixes\n\nDownload and apply interim fix based on your WebSphere version in [**_Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server Apr 2015 CPU_**](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>)\n\n## ", "cvss3": {}, "published": "2018-06-17T15:02:23", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2015 CPU shipped with Tivoli Netcool Performance Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-17T15:02:23", "id": "694D3B7CF684931E1E178B6FDF78609D68407843FB33B1D31A233EEFD48DAFC6", "href": "https://www.ibm.com/support/pages/node/264893", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:47:13", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server included in Tivoli Network Manager IP Edition. These issues were disclosed as part of the IBM Java SDK updates in April 2015. 
\n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2015-0488 CVE-2015-0478 CVE-2015-0204 CVE-2015-2808 CVE-2015-1916 CVE-2015-0138 \n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2015 Critical Patch Update and additional vulnerabilities which affect IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but WebSphere Application Server is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. Please refer to the Reference section for more information on the advisories not applicable to WebSphere Application Server. \n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. 
An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nAffected Product and Version(s)| Product and Version shipped as a component \n---|--- \nTivoli Network Manager 3.8| Bundled the TIP version 1.1.1.x, IBM WebSphere version 6.1.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nTivoli Network Manager 3.9| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 7. \nTivoli Network Manager 4.1 and 4.1.1| Bundled the TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 7. 
\nUpgrade your SDK to an interim fix level as determined below: \n<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>\n\n## ", "cvss3": {}, "published": "2018-06-17T15:02:03", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server included in Tivoli Network Manager IP Edition April 2015 CPU", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-17T15:02:03", "id": "B0A8528C5B7260F238809AFE84C73C427F4F789344CCD8F90DC5F1984C53BD6A", "href": "https://www.ibm.com/support/pages/node/264309", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:49:09", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server, which is needed for the RequisiteWeb component of Rational RequisitePro. These issues were disclosed as part of the IBM Java SDK updates in April 2015. \n \nThis bulletin also addresses the \"FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and the RC4 Bar Mitzvah Attack for SSL/TLS vulnerability. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\n**Version**| **Status** \n---|--- \n7.1.4.x (all versions)| Affected \n7.1.3.x (all versions)| Affected \n7.1.2.x (all versions)| Affected \n7.1.1.x (all versions)| Affected \n \n## Remediation/Fixes\n\nReview [Security Bulletin 1902260](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) from WebSphere Application Server for instructions on upgrading your corresponding WebSphere Application Server installation with the IBM Java SDK fix. \n \nFor 7.1.1.x and 7.1.2.x, review [Document 1390803](<http://www-01.ibm.com/support/docview.wss?uid=swg21390803>) for instructions on how to apply updates for WebSphere Application Server. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:03:07", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational RequisitePro", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-17T05:03:07", "id": "EA9E75BBEC6BA9ADA633156B467353320E007F4F6D8146EDA54E8FC2FCF771FE", "href": "https://www.ibm.com/support/pages/node/528519", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:49:10", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 that is used by Rational Insight. These issues were disclosed as part of the IBM Java SDK updates in April 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and the RC4 \"Bar Mitzvah Attack\" SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. 
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nRational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6 and 1.1.1.7\n\n## Remediation/Fixes\n\nApply the recommended fixes to all affected versions of Rational Insight. \n \n**Rational Insight 1.1** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 13 (Implemented by file 10.1.6305.506)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040116>). 
\nReview technote [1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg21679272>) for detailed instructions.\n \n**Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 13 (Implemented by file 10.1.6305.506)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040116>). \nRead technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for the detailed instructions for patch application.\n \n**Rational Insight 1.1.1.3** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 11 (Implemented by file 10.2..5000.1156)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040114>) \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n**Rational Insight 1.1.1.4, 1.1.1.5, 1.1.1.6 and 1.1.1.7** \n \n\n\n 1. If the Data Collection Component or Jazz Reporting Service are used, perform this step first. \nReview the topics in <http://www-01.ibm.com/support/docview.wss?uid=swg21964625> for addressing the listed vulnerabilities in their underlying Jazz Team Server. \n\n 2. If the Cognos-based reporting server is used, also perform this step. 
\nDownload the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 10 (Implemented by file 10.2.5007.509)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040114>) \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T05:03:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Insight (CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0488, CVE-2015-0138, CVE-2015-0204)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2808"], "modified": "2018-06-17T05:03:01", "id": "EB71F37AE79D10570F97CA3FC53F42E19ADC7017181D81804A759E38C876802E", "href": "https://www.ibm.com/support/pages/node/528089", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:41:40", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Rational ClearCase. The GSKit that is shipped with IBM Rational ClearCase contains multiple security vulnerabilities including the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. 
IBM Rational ClearCase has addressed the applicable CVEs. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nRational ClearCase 7.1.2.9 through 7.1.2.17, 8.0.0.4 through 8.0.0.14, and 8.0.1 through 8.0.1.7. \nThe IBM GSKit is used if ClearCase on Windows platforms is configured to integrate with IBM Rational ClearQuest, Rational Team Concert, or Jira with communication over SSL (https). This applies to any integration using Change Management Interface (CMI), and to non-CMI based UCM-enabled CQ integration via OSLC. If your ClearCase deployment is not using these integrations, or not using SSL with the integrations, then your deployment is not sensitive to this attack. The UCM-enabled CQ integration without using OSLC (SQUID) is not sensitive to this attack. 
\n**CMI and OSLC integrations** \n\n**ClearCase Windows Client Version**| **Status** \n---|--- \n8.0.1 through 8.0.1.7| Affected if you use CMI or OSLC integrations \n8.0.0.4 through 8.0.0.14| Affected if you use CMI or OSLC integrations \n8.0 through 8.0.0.3| Not affected \n7.1.2.9 through 7.1.2.16| Affected if you use CMI or OSLC integrations \n7.1.2 through 7.1.2.8| Not affected \n7.0.x, 7.1.0.x, 7.1.1.x| Not affected \n \n**Note:** Other components of ClearCase are subject to the \"FREAK\" attack, as disclosed in the following security bulletins: \n[Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698831>) \n[Security Bulletin: Vulnerabilities in OpenSSL affect Rational ClearCase (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204)](<http://www.ibm.com/support/docview.wss?uid=swg21694288>) \n[Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2015-0138, CVE-2014-6593, CVE-2015-0383, CVE-2015-0410)](<http://www.ibm.com/support/docview.wss?uid=swg21698749>)\n\n## Remediation/Fixes\n\nThe solution is to update to the latest fix pack. 
\n\n**Affected Versions**| **Applying the fix** \n---|--- \n8.0.1 through 8.0.1.7| Install [Rational ClearCase Fix Pack 8 (8.0.1.8) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24039865>) \n8.0 through 8.0.0.14| Install [Rational ClearCase Fix Pack 15 (8.0.0.15) for 8.0](<http://www.ibm.com/support/docview.wss?uid=swg24039863>) \n7.1.2 through 7.1.2.17 \n7.1.1.x (all fix packs) \n7.1.0.x (all fix packs)| Customers on extended support contracts should install [Rational ClearCase Fix Pack 18 (7.1.2.18) for 7.1.2](<http://www.ibm.com/support/docview.wss?uid=swg24039861>) \n \nYou should verify that applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM Rational ClearCase (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3572", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2018-07-10T08:34:12", "id": "098E1724D0D22BD8E0B54429E8D6B7A2A5B2B8403A792BB9788E96F4B4565340", "href": "https://www.ibm.com/support/pages/node/257187", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-21T01:45:06", "description": "## Summary\n\nMultiple components are shipped with IBM Intelligent Operations Center. 
Information about security vulnerabilities affecting some components has been published in security bulletins.\n\n## Vulnerability Details\n\nConsult the following security bulletins for vulnerability details: \n\n * [Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)](<http://www.ibm.com/support/docview.wss?uid=swg21698703>)\n * [Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698613>)\n * [Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204)](<http://www.ibm.com/support/docview.wss?uid=swg21698574>)\n * [Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server January 2015 CPU](<http://www.ibm.com/support/docview.wss?uid=swg21695362>)\n * [Potential Security Vulnerabilities fixed in IBM WebSphere Application Server Version 7.0.0.37](<http://www.ibm.com/support/docview.wss?uid=swg21697369>)\n * [Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.10](<http://www.ibm.com/support/docview.wss?uid=swg21695392>)\n * [Cognos Business Intelligence 10.2.x interim fixes address a security vulnerability](<http://www.ibm.com/support/docview.wss?uid=swg24038861>)\n * [Vulnerabilities in GSKit affect IBM WebSphere MQ (CVE-2015-0159, CVE-2015-0138 and CVE-2014-6221)](<http://www.ibm.com/support/docview.wss?uid=swg21699055>)\n * [TLS padding vulnerability affects IBM HTTP Server (CVE-2014-8730)](<https://www.ibm.com/support/docview.wss?uid=swg21692502>)\n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**\n\n| **Product and Version shipped as a component** \n---|--- \nIBM Intelligent Operations Center version 1.6.0.3| \n\n * IBM GSKit 8.0.50.41\n * IBM WebSphere Application Server 8.0.0.10 (Fix Pack 10 and interim fix PI33406)\n * IBM WebSphere Application Server 7.0.0.37 (Fix Pack 
37)\n * IBM Worklight 6.2.0.1 (Fix Pack 1 and interim fix PI34896)\n * IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 3\n * IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 3\n * IBM HTTP Server 8.0.0.10 (Fix Pack 10 and interim fix PI31516)\n * IBM Cognos 10.2.1.5 (Fix Pack 5 interim fix 8)\n * IBM WebSphere MQ 7.5.0.4 (Fix Pack 4 and Fix LAIV70568) \n \n## Remediation/Fixes\n\nDownload and install [IBM Intelligent Operations Center 1.6.0.3 multiple security fixes (April 2015)](<http://www.ibm.com/support/docview.wss?uid=swg24039699>). \n\nSecurity fixes are not cumulative. You must install all earlier security fixes in addition to the current fix.\n\n## ", "cvss3": {}, "published": "2018-06-17T22:28:24", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in multiple components shipped with IBM Intelligent Operations Center (April 2015)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 9.4, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3572", "CVE-2014-6221", "CVE-2014-8730", "CVE-2015-0138", "CVE-2015-0159", "CVE-2015-0204"], "modified": "2018-06-17T22:28:24", "id": "F98C6B1EAC8D235F19136FBD257D2C504AAE6912C5BCB9B73AE39565E359364A", "href": "https://www.ibm.com/support/pages/node/260269", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2023-02-21T01:41:51", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, 
Versions 5 and 6 that are used by IBM Rational ClearCase. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n**CVEID:** [_CVE-2015-0383_](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. 
\nCVSS Base Score: 5.4 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100148>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\nOnly the ClearCase Remote Client/ClearTeam Explorer component of ClearCase is affected by **CVE-2014-6593, CVE-2015-0383, CVE-2015-0410.** \n\n**ClearCase Remote Client/ClearTeam Explorer version**| **Status** \n---|--- \n8.0.1 through 8.0.1.7| Affected by all CVEs listed above \n8.0 through 8.0.0.14| Affected by all CVEs listed above \n7.1.2 through 7.1.2.17| Affected by all CVEs listed above \n7.1.0.x, 7.1.1.x (all versions and fix packs)| Affected by all CVEs listed above \n \nHowever, other ClearCase components are affected by the \"FREAK\" attack, as disclosed in CVE-2015-0138 and CVE-2015-0204. 
See the following bulletins for additional fixes for other components of ClearCase: \n[Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698831>) \n[Security Bulletin: Vulnerabilities in GSKit affect IBM Rational ClearCase (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698750>) \n[Security Bulletin: Vulnerabilities in OpenSSL affect Rational ClearCase (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204)](<http://www.ibm.com/support/docview.wss?uid=swg21694288>)\n\n## Remediation/Fixes\n\nThe solution is to update to the latest fix pack. \n\n**Affected Versions**| **Applying the fix** \n---|--- \n8.0.1 through 8.0.1.7| Install [Rational ClearCase Fix Pack 8 (8.0.1.8) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24039865>) \n8.0 through 8.0.0.14| Install [Rational ClearCase Fix Pack 15 (8.0.0.15) for 8.0](<http://www.ibm.com/support/docview.wss?uid=swg24039863>) \n7.1.2 through 7.1.2.17 \n7.1.1.x (all fix packs) \n7.1.0.x (all fix packs)| Customers on extended support contracts should install [Rational ClearCase Fix Pack 18 (7.1.2.18) for 7.1.2](<http://www.ibm.com/support/docview.wss?uid=swg24039861>) \n \n_For unsupported versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n**Notes:**\n\n * If you use CCRC as an extension offering installed into an Eclipse shell (one not provided as part of a ClearCase release), you should update the Java\u2122 Virtual Machine used by Eclipse to include a fix for the above issues. 
Contact the supplier of your Eclipse or Java\u2122 Virtual Machine for instructions on updating Eclipse.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2015-0138, CVE-2014-6593, CVE-2015-0383, CVE-2015-0410)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3572", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2018-07-10T08:34:12", "id": "DF89B2395C4DB15E1FF631A136BB1301E179B1A5D4A2BF72B8D0EF9E4A730437", "href": "https://www.ibm.com/support/pages/node/257185", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-13T09:36:49", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7, IBM SDK Java Technology Edition, Version 6, and IBM SDK Java 2 Technology Edition, Version 5 that are used by IBM Virtualization Engine TS7700. These issues were disclosed as part of the IBM Java SDK updates in October 2014 and January 2015. 
This bulletin also addresses the \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2014-6512_](<https://vulners.com/cve/CVE-2014-6512>) \n**DESCRIPTION:** An unspecified vulnerability related to the Libraries component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/97147_](<http://xforce.iss.net/xforce/xfdb/97147>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2014-6457_](<https://vulners.com/cve/CVE-2014-6457>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/97148_](<http://xforce.iss.net/xforce/xfdb/97148>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2014-6558_](<https://vulners.com/cve/CVE-2014-6558>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/97151_](<http://xforce.iss.net/xforce/xfdb/97151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/100151_](<http://xforce.iss.net/xforce/xfdb/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2014-3566_](<https://vulners.com/cve/CVE-2014-3566>) \n**DESCRIPTION:** Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/97013_](<http://xforce.iss.net/xforce/xfdb/97013>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/100153_](<http://xforce.iss.net/xforce/xfdb/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. 
\nThis vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \nIBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues. \n\n## Affected Products and Versions\n\nAll versions of microcode for the IBM Virtualization Engine TS7700 (3957-V06, 3957-V07, 3957-VEA, 3957-VEB) prior to release R2.1 are affected. In addition, microcode versions of releases R2.1, R3.0, R3.1 and R3.2 prior to and including the following are also affected: \n\n**Release**\n\n| **Version** \n---|--- \nR3.2| 8.32.0.88 \nR3.1| 8.31.0.92 \nR3.0| 8.30.3.4 \nR2.1| 8.21.0.178 \n \n## Remediation/Fixes\n\nContact IBM Service at 1-800-IBM-SERV to arrange an upgrade to the latest microcode level followed by the installation of vtd_exec.202, vtd_exec.213, vtd_exec.214 and vtd_exec.215 as needed. Minimum microcode levels are shown below: \n\n**Release**\n\n| **Fix** \n---|--- \nR3.2| 8.32.0.88 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 \n**\\- OR -** \n8.32.1.8 + vtd_exec.202 \nR3.1| 8.31.0.92 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 \nR3.0| 8.30.3.4 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 \nR2.1| 8.21.0.178 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 \nOlder Releases| 8.21.0.178 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 \n \nPlease note that vtd_exec packages carry their own internal version numbers. 
For the vulnerabilities reported in this Security Bulletin, the minimum required vtd_exec versions are as follows: \n\n**Package**| **Version** \n---|--- \nvtd_exec.202| 1.5 \nvtd_exec.213| 1.03 \nvtd_exec.214| 1.03 \nvtd_exec.215| 1.03 \n \n## Workarounds and Mitigations\n\nAlthough IBM recommends that you upgrade to the fixes identified above, you can mitigate, but not eliminate, the risk of these vulnerabilities by restricting physical and network access to the TS7700 to authorized users and IBM Service Personnel only.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2018-06-18T00:09:23", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 - October 2014 & January 2015", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6457", "CVE-2014-6512", "CVE-2014-6558", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410"], "modified": "2018-06-18T00:09:23", "id": "B34877D991F21B254E16D92D7328B03658AA2122E7631AA85688801D398E5BAF", "href": "https://www.ibm.com/support/pages/node/690373", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:42:06", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability. OpenSSL is used by Rational ClearCase. Rational ClearCase has addressed the applicable CVEs. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-3570_](<https://vulners.com/cve/CVE-2014-3570>) \n**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2014-3572_](<https://vulners.com/cve/CVE-2014-3572>) \n**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 1.2 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Rational ClearCase versions: \n\n**Version**| **Status** \n---|--- \n8.0.1 through 8.0.1.7| Affected \n8.0 through 8.0.0.14| Affected \n7.1.2 through 7.1.2.17| Affected \n \nNot all deployments of Rational ClearCase use OpenSSL in a way that is affected by these vulnerabilities. \n \nYou are vulnerable if your use of Rational ClearCase includes _any_ of these configurations: \n\n\n 1. You use the base ClearCase/ClearQuest V2 (perl-based) integration client on any platform, configured to use SSL to communicate with a ClearQuest server. \n\n 2. You use the UCM/ClearQuest integration on UNIX/Linux clients, configured to use SSL to communicate with a ClearQuest server. \n**Note:** Windows clients using the UCM/ClearQuest integration are not vulnerable. \n\n 3. You use the Change Management Integration on UNIX/Linux clients, configured to use SSL to communicate with a change management server. \n**Note:** Windows clients using the CMI integration are not vulnerable. \n\n 4. You use ratlperl, ccperl, or cqperl to run your own perl scripts, **and** those scripts use SSL connections. In this situation, you should review all the fixes provided by the OpenSSL project to see which ones apply to your use of OpenSSL. 
See the references link below.\n**Note:** other components of ClearCase are subject to the \"FREAK\" attack, as disclosed in the following security bulletins: \n[Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698831>) \n[Security Bulletin: Vulnerabilities in GSKit affect IBM Rational ClearCase (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698750>) \n[Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2015-0138, CVE-2014-6593, CVE-2015-0383, CVE-2015-0410)](<http://www.ibm.com/support/docview.wss?uid=swg21698749>)\n\n## Remediation/Fixes\n\nThe solution is to update to the latest fix pack. This fix pack includes OpenSSL 1.0.1m. \n\n**Affected Versions**| **Applying the fix** \n---|--- \n8.0.1 through 8.0.1.7| Install [Rational ClearCase Fix Pack 8 (8.0.1.8) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24039865>) \n8.0 through 8.0.0.14| Install [Rational ClearCase Fix Pack 15 (8.0.0.15) for 8.0](<http://www.ibm.com/support/docview.wss?uid=swg24039863>) \n7.1.2 through 7.1.2.17, 7.1.1.x (all fix packs), 7.1.0.x (all fix packs)| Customers on extended support contracts should install [Rational ClearCase Fix Pack 18 (7.1.2.18) for 7.1.2](<http://www.ibm.com/support/docview.wss?uid=swg24039861>) \n \nYou should verify applying this fix does not cause any compatibility issues. 
\n\n_For unsupported versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nDisable the ClearCase/ClearQuest integration and any custom-defined use of ratlperl, ccperl, or cqperl with SSL until you apply the fixes listed above.\n\n## ", "cvss3": {}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect Rational ClearCase (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3572", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2018-07-10T08:34:12", "id": "E68E5D49895E346B1BD1565BDFE4BED2B268158881FF2DADACB7C8175F9BACBB", "href": "https://www.ibm.com/support/pages/node/523737", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-21T01:41:43", "description": "## Summary\n\nThe \u201cFREAK: Factoring Attack on RSA-EXPORT keys\" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Versions 6.1, 7, 8, 8.5, and 8.5.5 that are used by IBM Rational ClearCase.\n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698613>) for vulnerability details and information about fixes. 
\n\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, CCRC WAN server/CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x:**\n\n \nThis vulnerability only applies to the CCRC WAN server component, not to other parts of IBM Rational ClearCase. In addition, this vulnerability only applies if one of these conditions applies: \n(a) You have installed CCRC WAN server into an existing profile, and that profile supports a non-default set of ciphers \n\n(b) You modified the set of supported ciphers in the WAS profile that was created during installation of ClearCase\n\n**Versions 7.1.x.x:**\n\n \nThis vulnerability only applies to the CM server component, not to other parts of IBM Rational ClearCase. 
\n\nIn addition, this vulnerability only applies if you modified the ClearCase WAS profile by changing its list of supported ciphers.\n\n**Note:** other components of ClearCase are subject to the \"FREAK\" attack, as disclosed in the following security bulletins: \n[Security Bulletin: Vulnerabilities in GSKit affect IBM Rational ClearCase (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698750>) \n[Security Bulletin: Vulnerabilities in OpenSSL affect Rational ClearCase (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204)](<http://www.ibm.com/support/docview.wss?uid=swg21694288>) \n[Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2015-0138, CVE-2014-6593, CVE-2015-0383, CVE-2015-0410)](<http://www.ibm.com/support/docview.wss?uid=swg21698749>)\n\n## Remediation/Fixes\n\nReview the security bulletin referenced above and apply the relevant fixes to your WAS installation and WAS profiles used for ClearCase. \n\n**Affected Versions**| **Applying the fix** \n---|--- \n7.1.0.x, 7.1.1.x, and 7.1.2.x| [Document 1390803](<http://www.ibm.com/support/docview.wss?uid=swg21390803>) explains how to update WebSphere Application Server for ClearCase CM Servers at release 7.1.x. Consult those instructions when applying the fix. \n8.0.0.x and 8.0.1.x| Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \nYou should verify applying this fix does not cause any compatibility issues. 
\n\n## ", "cvss3": {}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.4, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3570", "CVE-2014-3572", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0383", "CVE-2015-0410"], "modified": "2018-07-10T08:34:12", "id": "667F0CF2183A320CE4B9915860CC3C8A240BD2538D26B2B33B64838AA863BD14", "href": "https://www.ibm.com/support/pages/node/257295", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-02-21T05:49:05", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6.0.16.2 that is used by RLKS Administration and Reporting Tool.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)\n\n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)\n\n**DESCRIPTION:** An 
unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.\n\n \n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)\n\n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.\n\n \n \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)\n\n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n\n**CVEID:** 
[_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)\n\n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \nFor more details, refer to the technote at [1702789](<http://www-01.ibm.com/support/docview.wss?uid=swg21702789>) \n \n \n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>) \n \n**DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". 
\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n \n \nFor more details, refer to the technote at [1959284](<http://www-01.ibm.com/support/docview.wss?uid=swg21959284>) \n \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack. \n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n \n \nFor more details, refer to the technote at [1700073](<http://www-01.ibm.com/support/docview.wss?uid=swg21700073>)\n\n## Affected Products and Versions\n\nThese vulnerabilities impact the following components and their releases: \n\n\n * RLKS Administration and Reporting Tool version 8.1.4 \n * RLKS Administration and Reporting Tool version 8.1.4.2 \n * RLKS Administration and Reporting Tool version 8.1.4.3 \n * RLKS Administration and Reporting Tool version 8.1.4.4 \n * RLKS Administration and Reporting Tool version 8.1.4.5\n * RLKS Administration and Reporting Tool version 8.1.4.6\n * RLKS Administration and Reporting Tool version 8.1.4.7\n * RLKS Administration and Reporting Tool version 8.1.4.8\n * RLKS Administration and 
Reporting Tool version 8.1.4.9\n * RLKS Administration Agent version 8.1.4 \n * RLKS Administration Agent version 8.1.4.2 \n * RLKS Administration Agent version 8.1.4.3 \n * RLKS Administration Agent version 8.1.4.4 \n * RLKS Administration Agent version 8.1.4.5\n * RLKS Administration Agent version 8.1.4.6\n * RLKS Administration Agent version 8.1.4.7\n * RLKS Administration Agent version 8.1.4.8 [Affected only by [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>), [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>), [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>), [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) and [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)]\n\n## Remediation/Fixes\n\nReplace the JRE used in IBM RLKS Administration and Reporting Tool and IBM RLKS Administration Agent. \n\n**_Steps to replace the JRE in IBM RLKS Administration and Reporting Tool (All Versions)_**\n\n \n \n1\\. Go to [_Fix Central_](<http://www.ibm.com/support/fixcentral>) \n \n2\\. On the **Find product** tab, enter _Rational Common Licensing_ in the **Product Selector** field and hit enter. \n \n3\\. Select the **Installed Version** and hit the continue button. \n \n4\\. Select the platform of the machine where RLKS Administration and Reporting Tool is installed and hit the continue button. \n \n5\\. On the **Identify fixes** page, select **Browse for fixes** and select **Show fixes that apply to this version** and hit the continue button. \n \n6\\. Download the Java runtime iFix for RLKS Administration and Reporting Tool. \n \n**Note:** Although the name of the iFix is **RLKS_Administration_And_Reporting_Tool_8148_Admin_iFix_1_<Platform>_<Architecture>**, the same iFix is applicable to all previous RLKS Administration and Reporting Tool versions. \n \n7\\. Shut down RLKS Administration and Reporting Tool. \n \n8\\. Go to the installation location of RLKS Administration and Reporting Tool. \n \n9\\. 
Rename the <install location>/server/jre folder to **<install location>/server/jre_back**. \nThis step backs up the existing JRE. \n \n10\\. Extract the downloaded JRE into the <install location>/server/ folder \n \nExample: <install location>/server/jre \n \n11\\. Start up RLKS Administration and Reporting Tool. \n \n12\\. Log in to the tool as the rcladmin user and verify that you see the configured license servers under the 'Server' tab. \n\n**_How to fix these vulnerabilities in IBM RLKS Administration Agent (All Versions)?_**\n\nUpgrade to the IBM RLKS Administration Agent version 8.1.4.9\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:04:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect RLKS Administration and Reporting Tool (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-2808, CVE-2015-4000, CVE-2015-1916, CVE-2015-0488, CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-4000"], 
"modified": "2018-06-17T05:04:34", "id": "34CFE8125A8881CC719C7F836804991085EA547A7871860AB1BFE0DB8E83422D", "href": "https://www.ibm.com/support/pages/node/533949", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:45:04", "description": "## Summary\n\nMultiple components are shipped with IBM Intelligent Operations Center. Information about security vulnerabilities that affect some components has been published in security bulletins.\n\n## Vulnerability Details\n\nConsult the following security bulletins for vulnerability details: \n\n * [Vulnerability in Dojo Toolkit affects WebSphere Application Server (CVE-2014-8917) ](<http://www.ibm.com/support/docview.wss?uid=swg21697284>)\n * [Fixes are available for Security Vulnerabilities in Dojo that affect IBM WebSphere Portal (CVE-2014-8917)](<http://www.ibm.com/support/docview.wss?uid=swg21694652>)\n * [Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698613>)\n * [Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21701503>)\n * [Vulnerability in RC4 stream cipher affects IBM WebSphere Portal (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21882563>)\n * [IBM Websphere Message Broker and IBM Integration Bus are affected by SSLv3 Vulnerability (CVE-2014-3566 and CVE-ID: CVE-2014-3568)](<http://www.ibm.com/support/docview.wss?uid=swg21687678>)\n * [IBM Integration Bus and WebSphere Message Broker: Multiple security vulnerabilities in IBM JREs 6 & 7](<http://www.ibm.com/support/docview.wss?uid=swg21690741>)\n * [Multiple vulnerabilities in IBM Java SDK affect IBM Notes and Domino](<http://www.ibm.com/support/docview.wss?uid=swg21692733>)\n * [Multiple Vulnerabilities in the IBM Java SDK affect IBM Notes and Domino (Oracle January 2015 Critical Patch 
Update)](<http://www.ibm.com/support/docview.wss?uid=swg21698222>)\n * [Fixes for Multiple Security Vulnerabilities in IBM Security Identity Manager available (CVE-2014-6110, CVE-2014-6098, CVE-2014-6096, CVE-2014,6105, CVE-2014-6107, CVE-2014-6095)](<http://www.ibm.com/support/docview.wss?uid=swg21689779>)\n * [Vulnerabilities in GSKit affect IBM Tivoli/Security Directory Integrator (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21701302>)\n * [IBM Tivoli/Security Directory Integrator can be affected by a vulnerability in the current IBM SDK for Java (CVE-2014-3566)](<https://www.ibm.com/support/docview.wss?uid=swg21690583>)\n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**\n\n| **Product and Version shipped as a component** \n---|--- \nIBM Intelligent Operations Center version 1.6.0.3| \n\n * IBM WebSphere Portal CF15\n * IBM WebSphere Application Server 8 fixes (PI33012 + PI36563 + PI38186)\n * IBM WebSphere Application Server 7 fixes (PI36563 + PI37013) + UpdateInstaller 7.0.0.37\n * IBM WebSphere Web 2.0 and Mobile Feature Pack Fix - PI34238 (IBM WebSphere Application Server Version 7 and IBM WebSphere Application Server Version 8)\n * IBM Message Broker 8.0.0.5 + IT06830 + IT07249\n * Lotus Domino 8.5.3 Fix Pack 6 + Interim Fix 6\n * Lotus Domino - Java JRE Version 6 Service Refresh 16 Fix Pack 3\n * IBM Security Identity Manager 6 Fix Pack 5\n * Tivoli Directory Integrator 7.1.1 Fix Pack 4 + LA0023 (POODLE) + LA0025 (FREAK)\n * IBM Java v7r1 SR2-FP10\n * SPSS Modeler 15 - IBM JRE 6.0 Service Refresh 16 Fix Pack 3 iFix\n * HTTP Server (configuration update to address the \"Bar Mitzvah Attack\" issue) \n \n## Remediation/Fixes\n\nDownload and install [IBM Intelligent Operations Center version 1.6.0.3 interim fix PO04697](<http://www.ibm.com/support/docview.wss?uid=swg24039899>). \n\nSecurity fixes are not cumulative. 
You must install all earlier security fixes in addition to the current fix.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2018-06-17T22:28:25", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in multiple components shipped with IBM Intelligent Operations Center (May 2015)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-3568", "CVE-2014-6095", "CVE-2014-6096", "CVE-2014-6098", "CVE-2014-6107", "CVE-2014-6110", "CVE-2014-8917", "CVE-2015-0138", "CVE-2015-2808"], "modified": "2018-06-17T22:28:25", "id": "D9B33FAA9F87D18625F5A08EF5634D73168FBB4A49FD551EFF5B173DEC473E84", "href": "https://www.ibm.com/support/pages/node/263755", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:44:49", "description": "## Summary\n\nIBM SmartCloud Cost Management is shipped as a component of IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise. 
Information about security vulnerabilities affecting IBM SmartCloud Cost Management has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletins for IBM SmartCloud Cost Management for vulnerability details and information about fixes. \n\n\n * [Security Bulletin: HTTP response splitting has been identified in IBM WebSphere Application Server Liberty Profile shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-2017)](<http://www-01.ibm.com/support/docview.wss?uid=swg2C1000121>)\n * [Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg2C1000003>) \n\n * [Security Bulletin: A security vulnerability has been found in IBM WebSphere Application Server 8.5.5.6 shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management (CVE-2015-1927)](<http://www.ibm.com/support/docview.wss?uid=swg21964651>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management. 
(CVE-2015-1932)](<http://www.ibm.com/support/docview.wss?uid=swg21965064>) \n \n\n * [Security Bulletin: A security vulnerability has been found in IBM WebSphere Application Server 8.5.5.6 shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management (CVE-2015-1885)](<http://www.ibm.com/support/docview.wss?uid=swg21964504>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21964499>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management. (CVE-2015-4938)](<http://www.ibm.com/support/docview.wss?uid=swg21964864>) \n \n\n * [Security Bulletin: Security vulnerabilities have been identified in IBM\u00ae DB2\u00ae shipped with SmartCloud Cost Management (SCCM/TUAM) (CVE-2013-6747, CVE-2014-0963)](<http://www.ibm.com/support/docview.wss?uid=swg21675921>) \n \n\n * [Security Bulletin: Tivoli Usage and Accounting Manager / SmartCloud Cost Management (CVE-2015-1920) ](<http://www.ibm.com/support/docview.wss?uid=swg21957821>) \n \n\n * [Security Bulletin: Vulnerability in RC4 stream cipher affects Tivoli usage and Accounting Manager / SmartCloud Cost Management (CVE-2015-2808, CVE-2015-0138 )](<http://www.ibm.com/support/docview.wss?uid=swg21883107>)\n\n## Affected Products and Versions\n\n**Principal Product and Version**| **Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator Enterprise 2.5, 2.5.0.1| IBM SmartCloud Cost Management 2.1.0.5 \nIBM Cloud Orchestrator Enterprise 2.4 and 2.4.0.1, 2.4.0.2, 2.4.0.3| IBM SmartCloud Cost Management 2.1.0.4 \nIBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1| IBM SmartCloud Cost Management 2.1.0.3 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:30:51", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities in IBM SmartCloud Cost Management shipped with IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6747", "CVE-2014-0963", "CVE-2015-0138", "CVE-2015-1885", "CVE-2015-1920", "CVE-2015-1927", "CVE-2015-1932", "CVE-2015-2017", "CVE-2015-2808", "CVE-2015-4000", "CVE-2015-4938", "CVE-2015-7450"], "modified": "2018-06-17T22:30:51", "id": "705280D237DEDB26D3D68396BC2097819ADC8127D93D08AF8CFC027E9A703179", "href": "https://www.ibm.com/support/pages/node/262093", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:38:35", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.7.0 that is used by Sterling Connect:Direct Browser User Interface. These issues were disclosed as part of the IBM Java SDK updates in April 2015 and July 2015. 
\n \nThis bulletin also addresses the \"FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability, the RC4 Bar Mitzvah Attack for SSL/TLS vulnerability, and the Logjam Diffie-Hellman (DH) key exchange vulnerability.\n\n## Vulnerability Details\n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. 
An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>) \n**DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to a 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>) \n**DESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Sterling Connect:Direct Browser 1.5.0 through 1.5.0.2 iFix 12 \n\nIBM Sterling Connect:Direct Browser 1.4.0 through 1.4.11.0 iFix 3 \n\n## Remediation/Fixes\n\nSterling Connect:Direct Browser| 1.5.0.2| iFix 13| [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+Connect%3ADirect+Browser+User+Interface&release=1.5.0.2&platform=All&function=all>) \n---|---|---|--- \nSterling Connect:Direct Browser| 1.4.11.0| iFix 4| Contact Support and request the fix package be published for you on the ECuRep server. 
\n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T22:49:37", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Sterling Connect:Direct Browser User Interface", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-4000", "CVE-2015-4749"], "modified": "2020-07-24T22:49:37", "id": "CB1B87BF4874E8E4FDFF0C5D0245F1B8EA7AF72E1648F87D112407D83AC6BFA1", "href": "https://www.ibm.com/support/pages/node/536483", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:52:10", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 that is used by IBM Security Network Protection. These issues were disclosed as part of the IBM Java SDK updates in June 2015. 
(CVE-2015-0138, CVE-2015-0192, CVE-2015-0204, CVE-2015-0458, CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)\n\n## Vulnerability Details\n\n**CVE ID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>)\n\n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\n \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n\n**CVE ID:** [_CVE-2015-0192_](<https://vulners.com/cve/CVE-2015-0192>)\n\n**DESCRIPTION:** A vulnerability in the IBM implementation of the Java Virtual Machine may, under limited circumstances, allow untrusted code running under a security manager to elevate its privileges. \n\n \n \nCVSS Base Score: 6.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101008> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) \n\n**CVE ID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)\n\n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. 
This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\n \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n\n**CVE ID:** [_CVE-2015-0458_](<https://vulners.com/cve/CVE-2015-0458>)\n\n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \n\n \n \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102332> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) \n\n\n**CVE ID:** [_CVE-2015-0459_](<https://vulners.com/cve/CVE-2015-0459>)\n\n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JavaFX related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \n\n \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102328> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n\n**CVE ID:** [_CVE-2015-0469_](<https://vulners.com/cve/CVE-2015-0469>)\n\n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\n\n \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102327> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n\n**CVE ID:** [_CVE-2015-0477_](<https://vulners.com/cve/CVE-2015-0477>)\n\n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Beans component has no confidentiality impact, partial integrity impact, and no availability impact. \n\n \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102337> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n\n**CVE ID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)\n\n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. \n\n \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n\n**CVE ID:** [_CVE-2015-0480_](<https://vulners.com/cve/CVE-2015-0480>)\n\n**DESCRIPTION:** A directory traversal vulnerability in Oracle Java SE related to the Tools component and the extraction of JAR archive files could allow remote attacker to overwrite files on the system with privileges of another user. \n\n \n \nCVSS Base Score: 5.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102334> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:P) \n\n\n**CVE ID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)\n\n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service. 
\n\n \n \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n\n**CVE ID:** [_CVE-2015-0491_](<https://vulners.com/cve/CVE-2015-0491>)\n\n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JavaFX related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \n\n \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102329> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV