CVSS Base Score: 5 (Medium), CVSS v2
Access Vector: Network; Access Complexity: Low; Authentication: None
Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: None
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM Rational Business Developer.
CVE-ID: CVE-2015-2808
Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Affected versions: RBD version 9.1.1 and earlier.
Please upgrade your SDK to the interim fix level listed below:
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| Rational Business Developer | v7.5.1.x, v8.0.1.x | IBM Java Platform Standard Edition Version 6 SR16 FP3 iFix (IV70681 + IV71888) |
| Rational Business Developer | v8.5.0, v8.5.1.x, v9.0, v9.0.1.x, v9.1.1 | None |
If you are using RBD v8.5.0, v8.5.1.x, v9.0, v9.0.1.x or v9.1.1, the following steps can be used to remove RC4 from the list of available algorithms:
1. Ensure the product is not running.
2. Locate the java.security file used by the project:
<install_root>/jdk/jre/lib/security/java.security
3. Edit the java.security file with a text editor and add RC4 to the list of disabled algorithms, for example:
jdk.tls.disabledAlgorithms=SSLv3,RC4
4. Save the file and restart the product.
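The manual edit in step 3 is easy to get wrong on a real java.security file: the `jdk.tls.disabledAlgorithms` property may already exist with other entries (so a second copy of the key would silently override it), it may be spread over several lines with backslash continuations, or it may only be present as a commented-out line. The following script is an added example, not part of the IBM bulletin, that audits a java.security file for RC4 in `jdk.tls.disabledAlgorithms` and produces a corrected copy while preserving any algorithms already disabled. The file contents it is tested against are constructed samples, and the command-line path argument is a hypothetical usage of the same helper.

```python
"""Audit and harden jdk.tls.disabledAlgorithms in a Java java.security file.

Added example (not from the IBM bulletin). It checks whether RC4 is listed in
jdk.tls.disabledAlgorithms and, if not, adds it without dropping entries that
are already there (e.g. SSLv3). Sample inputs in the tests are constructed.
"""
import re
import sys
from pathlib import Path
from typing import List, Optional, Tuple

PROPERTY = "jdk.tls.disabledAlgorithms"
# Matches an active (not commented-out) definition of the property.
_LINE_RE = re.compile(r"^\s*" + re.escape(PROPERTY) + r"\s*=\s*(.*)$")


def _find_property(lines: List[str]) -> Optional[Tuple[int, int, List[str]]]:
    """Locate the property; return (first_line, last_line, algorithms) or None.

    Java properties files let a value continue on the next line when the
    current line ends with a backslash, which the stock java.security uses
    for this key, so continuation lines are folded into the value.
    """
    i = 0
    while i < len(lines):
        m = _LINE_RE.match(lines[i])
        if m:
            start = i
            value = m.group(1)
            while value.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                value = value.rstrip()[:-1] + lines[i]
            algs = [a.strip() for a in value.split(",") if a.strip()]
            return start, i, algs
        i += 1
    return None


def parse_disabled_algorithms(text: str) -> Optional[List[str]]:
    """Return the algorithms in jdk.tls.disabledAlgorithms, or None if the
    property is absent or only present as a commented-out line."""
    found = _find_property(text.splitlines())
    return None if found is None else found[2]


def rc4_disabled(text: str) -> bool:
    """True when RC4 is listed in jdk.tls.disabledAlgorithms (case-insensitive)."""
    algs = parse_disabled_algorithms(text)
    return algs is not None and any(a.upper() == "RC4" for a in algs)


def harden(text: str) -> str:
    """Return java.security content with RC4 in jdk.tls.disabledAlgorithms.

    - already lists RC4: returned unchanged (idempotent)
    - property present without RC4: RC4 appended, existing entries kept,
      and a multi-line definition is collapsed to a single line
    - property absent or commented out: a new line is appended using the
      bulletin's example value, SSLv3,RC4
    """
    lines = text.splitlines()
    found = _find_property(lines)
    if found is None:
        lines.append(f"{PROPERTY}=SSLv3,RC4")
    else:
        start, end, algs = found
        if any(a.upper() == "RC4" for a in algs):
            return text
        lines[start:end + 1] = [f"{PROPERTY}=" + ",".join(algs + ["RC4"])]
    return "\n".join(lines) + "\n"


def harden_file(path: Path) -> bool:
    """Rewrite the file in place if needed; return True when it was changed."""
    original = path.read_text(encoding="utf-8")
    updated = harden(original)
    if updated == original:
        return False
    path.write_text(updated, encoding="utf-8")
    return True


if __name__ == "__main__":
    # Hypothetical usage: python harden_rc4.py <install_root>/jdk/jre/lib/security/java.security
    target = Path(sys.argv[1])
    print("changed" if harden_file(target) else "already hardened", target)
```

Run it against the java.security file from step 2 while the product is stopped, then restart the product as in step 4. Collapsing a multi-line definition into one line keeps the edit unambiguous; the value Java reads is the same either way.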