4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
GSKit is an IBM component that is used by IBM Security/Tivoli Directory Server. The GSKit that is shipped with IBM Security/Tivoli Directory Server contains multiple security vulnerabilities including the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability, IBM Security/Tivoli Directory Server has addressed the applicable CVE.
CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-0159
DESCRIPTION: An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Affected Product Name and Release
| Fix level|GSKit version
—|—|—
ISDS 6.3.1| 6.3.1.9-ISS-ISDS-IF0009| GSKit 8.0.50.41
ITDS 6.3| 6.3.0.35-ISS-ITDS-IF0035| GSKit 8.0.50.41
ITDS 6.2| 6.2.0.42-ISS-ITDS-IF0042| GSKit 7.0.5.5
ITDS 6.1| 6.1.0.66-ISS-ITDS-IF0066| GSKit 7.0.5.5
ITDS 6.0| 6.0.0.73-ISS-ITDS-IF0073| GSKit 7.0.5.5
None