Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Synergy (CVE-2015-0138, CVE-2014-6593,CVE-2015-0410)

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is shipped with IBM Rational Synergy. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability.

Vulnerability Details

CVEID: CVE-2015-0138 DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-6593**
DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2015-0410**
DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

· Rational Synergy release 7.2.1.3 ifix01 or earlier.
· Rational Synergy release 7.2.0.7 or earlier.
· Rational Synergy release 7.1.0.7.005 or earlier.

Remediation/Fixes

Replace the JRE used in Rational Synergy.

Steps to download and replace JRE in Rational Synergy:
1. Open the list of Synergy downloads on Fix Central

2. Select the SDK and Readme for Rational Synergy which applied to your release as follows:

Note: The fix will use the following naming convention: <V.R.M.F>-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-**<platform>****

Where<V.R.M.F> = release &<platform> = operating system**

o Rational Synergy 7.2.1 (uses 7.2.1.3 release designation)

Example: 7.2.1.3-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-Linux

o Rational Synergy 7.2.0 (uses 7.2.0.7 release designation)

Example: 7.2.0.7-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-Windows

o Rational Synergy 7.1 (uses 7.1.0.7 release designation)

Example: **7.1.0.7-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-AIX **Example: 7.1.0.7-Rational-RATISYNE-JavaSE-SDK-6.0.16.3-Solaris

3. Follow the steps in the Install instructions to replace the JRE.

Follow the steps in the HPUX_Install Instructions to replace the JRE if your Synergy Platform is on HPUX.

Workarounds and Mitigations

None