CVSS v2 base score: 5 (Medium). Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: None).
The RC4 “Bar Mitzvah Attack” for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) affects z/TPF.
CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS and SSL protocols, could allow a remote attacker to obtain sensitive information. The attack relies on a class of weak RC4 keys (the "invariance weakness" published by Fluhrer, Mantin and Shamir in 2001) for which the low-order bits of the first keystream bytes are predictable. A passive attacker who observes many connections, each negotiated with a fresh key, can recover plaintext that is sent at the same position in every connection, such as account credentials, session cookies or credit card data, without requiring an active man-in-the-middle session. This vulnerability is commonly referred to as the "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
AFFECTED PRODUCTS AND VERSIONS: z/TPF Enterprise Edition Version 1.1.11 and earlier
Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
z/TPF | 1.1.11 and earlier | None | Do not use the RC4 algorithm in SSL sessions. See Workarounds and Mitigations.
Disable the RC4 encryption algorithm from the OpenSSL library for z/TPF. To disable the RC4 encryption algorithm, complete the following steps:

1. Add the OPENSSL_NO_RC4 define to the compiler flags in the cryp.mak and cssl.mak files:
   - In the cryp.mak file, add the following statement: `CFLAGS_CRYP += -DOPENSSL_NO_RC4`
   - In the cssl.mak file, add the following statement: `CFLAGS_CSSL += -DOPENSSL_NO_RC4`
2. In the cryp.mak file, comment out the two RC4 source files so that they are no longer compiled into the library:
   `#C_SRC += rc4_enc.c`
   `#C_SRC += rc4_skey.c`
3. Rebuild with **maketpf** using the force (-f) option so that the objects are rebuilt with the new flags.

Because OPENSSL_NO_RC4 removes RC4 from the library at build time, any application cipher list that names only RC4 suites (for example RC4-SHA or RC4-MD5) will be left with no usable suite; review such cipher lists as part of the change. After the rebuild, verify the change from a client that offers only RC4 suites, for example `openssl s_client -connect host:port -cipher RC4`; the handshake must fail.