History: Jun 15, 2018 - 7:03 a.m.

Security Bulletin: Multiple Security vulnerability in current IBM SDK for Java for WebSphere Application Server Community Edition 3.0.0.4 April 2015 CPU (CVE-2015-0488 CVE-2015-2808 CVE-2015-1916 CVE-2015-0204)

www.ibm.com

5 Medium

CVSS2
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

Multiple security vulnerabilities exist in IBM® SDK, Java™ Technology Edition, Versions 6 and 7, which is used by IBM WebSphere Application Server Community Edition 3.0.0.4.
These issues were disclosed as part of the IBM Java SDK updates in April 2015.

Vulnerability Details

CVEID: CVE-2015-0488
DESCRIPTION: An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as the "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1916
DESCRIPTION: Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0204
DESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Note: CVE-2015-0204 was fixed by CVE-2015-0138; see <http://www-01.ibm.com/support/docview.wss?uid=swg21702783> for details on CVE-2015-0138

Affected Products and Versions

WebSphere Application Server Community Edition 3.0.0.4

Workarounds and Mitigations

If you use the IBM SDK for Java, upgrade your SDK to one of the levels noted below:

IBM SDK for Java 6.0:
IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 4 and subsequent releases
IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 4 and subsequent releases

IBM SDK for Java 7.0:
IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 and subsequent releases
IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 and subsequent releases
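Upgrading the SDK is the fix; a complementary check, useful both before and after the upgrade, is to confirm that the JSSE provider in your runtime no longer offers the two cipher-suite families named in the details above (RC4 suites for CVE-2015-2808 and export-grade RSA suites, the downgrade target of FREAK, CVE-2015-0204) and to strip them from any listening socket your application creates. The following is an added example written for this bulletin, not IBM's own code; the class name CipherSuiteAudit and the substring match on "RC4" and "EXPORT" are the author's choices, and the check uses only standard JSSE APIs (SSLContext, SSLServerSocket) that exist in Java 6 and 7.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not IBM code): lists the suites the default JSSE provider
 * has enabled, flags the RC4 and export-grade families named in the
 * bulletin, and shows how to remove them from a server socket so that a
 * peer can never negotiate them regardless of the SDK level in use.
 */
public class CipherSuiteAudit {

    /** Returns the entries of 'suites' that use RC4 or export-grade keys. */
    static List<String> weakSuites(String[] suites) {
        List<String> weak = new ArrayList<String>();
        for (String s : suites) {
            // IBM and Oracle providers both embed "RC4" / "EXPORT" in the suite name
            if (s.contains("RC4") || s.contains("EXPORT")) {
                weak.add(s);
            }
        }
        return weak;
    }

    /** Returns 'suites' with the weak entries removed, preserving order. */
    static String[] hardened(String[] suites) {
        List<String> weak = weakSuites(suites);
        List<String> keep = new ArrayList<String>();
        for (String s : suites) {
            if (!weak.contains(s)) {
                keep.add(s);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();
        System.out.println("Enabled by default: " + enabled.length
                + ", weak: " + weakSuites(enabled));

        // Apply the filtered list to a listening socket (port 0 = any free port).
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0);
        try {
            server.setEnabledCipherSuites(hardened(server.getEnabledCipherSuites()));
            System.out.println("Server suites after hardening: "
                    + weakSuites(server.getEnabledCipherSuites()).size() + " weak remain");
        } finally {
            server.close();
        }
    }
}
```

On a patched SDK level the "weak" list printed for the default context should already be empty; a non-empty list on an unpatched runtime identifies exactly the suites the bulletin's CVE-2015-2808 and CVE-2015-0204 entries concern.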
