History: Jun 17, 2018 - 5:01 a.m.

Security Bulletin: Vulnerability in IBM Java SDK affects Build Forge (CVE-2015-0138)

2018-06-17 05:01:08
www.ibm.com

4.3 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary

The "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability affects IBM® SDK Java™ Technology Edition, Versions JDK7sr8 and JDK6sr16fp2, which is used by Build Forge.

Vulnerability Details

CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
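
The client-side check that the description above says was missing, as an added example (not IBM's code and not the change shipped in the iFix): a client must abort when a ServerKeyExchange arrives although the negotiated suite uses plain RSA key exchange. Suite ids and handshake message types are the IANA-registered values; the function names and sample flights are constructed for illustration.

```python
# Added illustration, not IBM's code. Suite ids and handshake message types are
# the IANA-registered values; names and sample flights below are constructed.
CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 11, 12, 14

# cipher suite id -> (name, key exchange method)
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "RSA_EXPORT"),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "RSA_EXPORT"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE_RSA"),
}

class HandshakeError(Exception):
    """Raised when the server's flight must abort the handshake."""

def check_server_flight(offered, selected, messages):
    """offered: suite ids the client sent; selected: id from ServerHello;
    messages: handshake message types that followed ServerHello, in order."""
    if selected not in offered:
        raise HandshakeError("server selected a suite the client did not offer")
    if selected not in SUITES:
        raise HandshakeError("unknown suite")
    name, kx = SUITES[selected]
    has_ske = SERVER_KEY_EXCHANGE in messages
    if kx == "RSA_EXPORT":
        raise HandshakeError(name + ": export-grade key exchange refused")
    if kx == "RSA" and has_ske:
        # Plain RSA uses the certificate's key. A ServerKeyExchange here carries
        # a temporary RSA key, which is the message a FREAK-affected client accepts.
        raise HandshakeError(name + ": unexpected ServerKeyExchange")
    if kx == "DHE_RSA" and not has_ske:
        raise HandshakeError(name + ": missing ServerKeyExchange")
    return name

def verdict(offered, selected, messages):
    """Return 'ok: <suite>' or 'abort: <reason>' for one server flight."""
    try:
        return "ok: " + check_server_flight(offered, selected, messages)
    except HandshakeError as exc:
        return "abort: " + str(exc)

if __name__ == "__main__":
    offered = {0x002F, 0x0033}  # constructed: client offers no export suites
    flights = [  # constructed sample flights
        (0x002F, [CERTIFICATE, SERVER_HELLO_DONE]),
        (0x002F, [CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE]),
        (0x0003, [CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE]),
    ]
    for selected, msgs in flights:
        print(hex(selected), verdict(offered, selected, msgs))
```
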

Affected Products and Versions

BuildForge Versions: 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3, 7.1.3, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.3.5, 7.1.3.6, 8.0, 8.0.0.1, 8.0.0.2.

Remediation/Fixes

Affected Version | Fix
---|---
Build Forge 7.1.2.0 - 7.1.2.3 | 7.1.2.3 iFix 7
Build Forge 7.1.3.0 - 7.1.3.6 | 7.1.3.6 iFix 6
Build Forge 8.0 - 8.0.0.2 | 8.0.0.2 iFix 7
