IBM731FA112727B2A8CB08738E86A13435F3E4FCF392C86655870AE870BE2F79A56Security Bulletin: Multiple vulnerabilities in IBM SDK Java™ Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition April 2015 CPU
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
Summary
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM Java SDK updates in April 2015.
Vulnerability Details
CVE-2015-0204 was fixed in IBM SDK, Java Technology Edition under CVE-2015-0138. Both CVEs are included in this advisory for completeness.
CVEID:CVE-2015-0488**
DESCRIPTION:*An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102336 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID:CVE-2015-0478**
DESCRIPTION:*An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See_ https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_ for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID:CVE-2015-0204**
DESCRIPTION:A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See_ https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_ for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
**
CVEID:CVE-2015-2808*
DESCRIPTION:*The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See_ __<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>_ for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID:CVE-2015-1916**
DESCRIPTION:*Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101995 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID:CVE-2015-0138**
DESCRIPTION:*A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100691> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
-
- IBM Business Process Manager V7.5.x through V8.5.6.0
- WebSphere Lombardi Edition V7.2.0.x
For_ earlier unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._
Remediation/Fixes
IBM SDK Java™ Technology Edition is used in WebSphere Application Server. See the following security bulletin for vulnerability details and information about fixes:
Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2015 CPU
The eclipse-based IBM Process Designer tool includes an instance of the IBM SDK Java™ Technology Edition. In order to provide the fix for this development tool, install APAR JR54070 for your version of IBM Business Process Manager or WebSphere Lombardi Edition:
- IBM Business Process Manager Express
- IBM Business Process Manager Standard
- IBM Business Process Manager Advanced
- WebSphere Lombardi Edition
The fix for IBM Business Process Manager V8.5.6.0 is included in Version 8.5.6.0 Cumulative Fix 1 for the IBM Business Process Manager products and all later cumulative fixes. See Fix list for the IBM Business Process Manager Version 8.5 products to determine the latest available cumulative fix for your release.
If you are on earlier unsupported releases, IBM strongly recommends to upgrade.
Workarounds and Mitigations
None
Related
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P