Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM57AE56E6244A837DD5B76BFE6B2CD547EC628D4BC37C92FB7C246C0E84579316
HistoryAug 03, 2018 - 4:23 a.m.

Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affects Rational Developer for i, Rational Developer for AIX and Linux and Rational Developer for Power Systems Software

2018-08-0304:23:43
www.ibm.com
5

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Versions 6 and 7 that is used by IBM Rational Application Developer for WebSphere Software (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0204). These issues were disclosed as part of the IBM Java SDK updates in April 2015.

This bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.

Vulnerability Details

CVEID: CVE-2015-0488

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0478

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2808

DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1916

DESCRIPTION: Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0204

DESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Product Name

| Versions Affected
—|—
Rational Developer for Power Systems Software| 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.3, 8.0.3.1, 8.5, 8.5.1
Rational Developer for i| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.1
Rational Developer for AIX and Linux, AIX COBOL Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1
Rational Developer for AIX and Linux, C/C++ Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1

Remediation/Fixes

Product

| VRMF|Remediation/First Fix
—|—|—
Rational Developer for Power Systems Software| 8.0 through 8.5.1|

Workarounds and Mitigations

None.

Related

ibm 126
nessus 20
f5 5
aix 1
suse 7
prion 4
openvas 16
cve 4
cisa 1
cisco 1
ubuntucve 3
debiancve 3
threatpost 1
hackerone 1
thn 1
veracode 1
fortinet 1
openssl 1
checkpoint_security 1
cert 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Sterling Secure Proxy and Sterling External Authentication Server (CVE-2015-0488, CVE-2015-1916, CVE-2015-2808, CVE-2015-0478, CVE-2015-0204)
2019-12-17 22:56:50
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business
2018-06-16 21:26:05
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool, IBM Tivoli Asset Discovery for Distributed and IBM Endpoint Manager for Software Use Analysis (April 2015 CPU)
2022-08-19 21:04:31
nessus
nessus
Oracle JRockit R28.3.5 Multiple Vulnerabilities (April 2015 CPU) (FREAK)
2015-04-16 00:00:00
AIX Java Advisory : java_april2015_advisory.asc (Bar Mitzvah) (FREAK)
2015-06-10 00:00:00
SUSE SLES10 Security Update : IBM Java (SUSE-SU-2015:1085-1) (Bar Mitzvah) (FREAK)
2015-06-19 00:00:00
f5
f5
SOL17136 - Java and JRockit vulnerabilities CVE-2015-0478 and CVE-2015-0488
2015-08-24 00:00:00
K17136 : Java and JRockit vulnerabilities CVE-2015-0478 and CVE-2015-0488
2015-08-24 00:00:00
K16139 : OpenSSL vulnerability CVE-2015-0204
2015-10-02 00:00:00
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2015-06-03 12:58:42
suse
suse
Security update for IBM Java (important)
2015-06-18 16:05:20
Security update for IBM Java (important)
2015-06-18 16:05:48
Security update for IBM Java (important)
2015-06-22 16:04:54
prion
prion
Code injection
2015-07-02 21:59:00
Buffer overflow
2015-04-16 16:59:00
Buffer overflow
2015-04-16 16:59:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2015:1085-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2015:1138-1)
2021-06-09 00:00:00
SUSE: Security Advisory for IBM Java (SUSE-SU-2015:1086-2)
2015-10-13 00:00:00
cve
cve
CVE-2015-1916
2015-07-02 21:59:00
CVE-2015-0488
2015-04-16 16:59:00
CVE-2015-0478
2015-04-16 16:59:00
cisa
cisa
FREAK
2015-03-06 00:00:00
cisco
cisco
OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability
2015-01-13 19:57:19
ubuntucve
ubuntucve
CVE-2015-0488
2015-04-15 00:00:00
CVE-2015-0478
2015-04-15 00:00:00
CVE-2015-0204
2015-01-08 00:00:00
debiancve
debiancve
CVE-2015-0478
2015-04-16 16:59:00
CVE-2015-0488
2015-04-16 16:59:00
CVE-2015-0204
2015-01-09 02:59:00
threatpost
threatpost
Flawed TLS Implementations Leak RSA Keys
2015-09-08 15:09:28
hackerone
hackerone
Internet Bug Bounty: FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
2015-03-05 16:18:06
thn
thn
'FREAK' — New SSL/TLS Vulnerability Explained
2015-03-03 20:30:00
veracode
veracode
Brute Force Decryption
2017-02-10 01:27:34
fortinet
fortinet
TLS FREAK Attack
2015-03-04 00:00:00
openssl
openssl
Vulnerability in OpenSSL CVE-2015-0204
2015-01-06 00:00:00
checkpoint_security
checkpoint_security
Check Point response to TLS FREAK Attack (CVE-2015-0204)
2015-03-03 22:00:00
cert
cert
SSL/TLS implementations accept export-grade RSA keys (FREAK attack)
2015-03-06 00:00:00

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON
Related for 57AE56E6244A837DD5B76BFE6B2CD547EC628D4BC37C92FB7C246C0E84579316
ibm126nessus20f55aix1suse7prion4openvas16cve4cisa1cisco1ubuntucve3debiancve3threatpost1hackerone1thn1veracode1fortinet1openssl1checkpoint_security1cert1