IBM53BF623AA722F72CE5ADFE866B98F9C352C7153B5036BD4F44218D79F03B13ECSecurity Bulletin: Vulnerability with RSA Export Keys May Affect IBM WebSphere Application Server on Asset and Service Management (CVE-2015-0138)
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
75.7%
Summary
The “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability (CVE-2015-0138) may affect some configurations of IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile, and IBM WebSphere Application Server Hypervisor Edition.
Vulnerability Details
CVE-ID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
Principal Product and Version(s)
| Affected Supporting Product and Version
—|—
Maximo Asset Management 7.6, 7.5, 7.1
Maximo Asset Management Essentials 7.5, 7.1
Maximo for Government 7.5, 7.1
Maximo for Nuclear Power 7.5, 7.1
Maximo for Transportation 7.5, 7.1
Maximo for Life Sciences 7.5, 7.1
Maximo for Oil and Gas 7.5, 7.1
Maximo for Primavera 7.5, 7.1
Maximo for Utilities 7.5, 7.1
SmartCloud Control Desk 7.5
Tivoli Asset Management for IT 7.2, 7.1
Tivoli Service Request Manager 7.2, 7.1
Change and Configuration Management Database 7.2, 7.1
Intelligent Building Management 1.1 |
IBM WebSphere Application Server 8.5.5
IBM WebSphere Application Server 8.5
IBM WebSphere Application Server 8.0
IBM WebSphere Application Server 7.0
IBM WebSphere Application Server 6.1
Remediation/Fixes
Please refer to Workarounds and Mitigations below.
Workarounds and Mitigations
By default, the WebSphere Application Server SSL configuration is set to use the “STRONG” or “HIGH” secure cipher list which does not use RSA Export ciphers, so you would not be affected if you have not changed your ciphers.
If you have overridden the default configuration to use the “MEDIUM” secure cipher list then it will contain the RSA Export Ciphers. You should change this configuration to use “STRONG” or “HIGH”.
If you have configured to use “CUSTOM” list of ciphers that includes an RSA Export cipher, then you should remove those RSA Export ciphers from the Application Server configuration.
For any outbound connections, IBM recommends that any servers that WebSphere Application Server is connecting to needs to insure that RSA Export Ciphers are also disabled.
Related
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
75.7%