Security Bulletin: Vulnerabilities in OpenSSL affect Rational Automaiton Framework (CVE-2015-1793)

Summary

OpenSSL vulnerabilities were disclosed by the OpenSSL Project and affect Rational Automation Framework. This includes the alternate chains certificate forgery vulnerability (CVE-2015-1793). Rational Automation Framework has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-1793

DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by an implementation error of the alternative certificate chain logic. An attacker could exploit this vulnerability to bypass the CA flag and other specific checks on untrusted certificates and issue an invalid certificate.

CVSS Base Score: 7.5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104500 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Rational Automation Framework 3.0.1, 3.0.1.1, 3.0.1.2.x, 3.0.1.3.x on all supported platforms.

Remediation/Fixes

Upgrade to RAF 3.0.1.3 ifix5 or later.

Workarounds and Mitigations

None