History: Jun 17, 2018 - 5:10 a.m.

Security Bulletin: A vulnerability in Bouncy Castle affects Rational Service Tester (CVE-2015-7940)

2018-06-17 05:10:54
www.ibm.com

5 Medium

CVSS2

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

Bouncy Castle could allow a remote attacker to obtain sensitive information, caused by an invalid curve attack. An attacker could exploit this vulnerability to extract private keys used in elliptic curve cryptography and obtain sensitive information.

Vulnerability Details

CVEID: CVE-2015-7940
DESCRIPTION: Bouncy Castle could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability using an invalid curve attack to extract private keys used in elliptic curve cryptography and obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107739 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
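An invalid curve attack works against ECDH code that uses a peer's public point without first checking that it lies on the agreed curve. As an added illustration (not code from the bulletin or from Bouncy Castle), the following shows the public-key validation a fixed implementation performs before the scalar multiplication; the curve constants are the public NIST P-256 values, and the malformed points exercised in the checks are constructed for this example.

```python
# Added example (not code from the bulletin or from Bouncy Castle): the peer
# public-key validation ECDH needs against invalid curve attacks, on NIST P-256.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
# Cofactor is 1, so every on-curve point other than infinity has prime order n.

def validate_public_point(q):
    """SEC 1 public-key validation; q is (x, y) or None for infinity."""
    if q is None:
        return False, "point at infinity"
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate outside the field"
    if (y * y - (x * x * x + A * x + B)) % P:
        return False, "point not on the curve"
    return True, "ok"  # cofactor 1: no extra n*Q == infinity check needed

def add(p1, p2):
    """Affine addition; None is infinity. B never appears here, which is why
    unvalidated code silently computes on points of a different curve."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, q):
    # Double-and-add scalar multiplication.
    r = None
    while k:
        if k & 1:
            r = add(r, q)
        q, k = add(q, q), k >> 1
    return r

def ecdh_shared_x(priv, peer):
    """x-coordinate of priv*peer, computed only after peer passes validation."""
    ok, reason = validate_public_point(peer)
    if not ok:
        raise ValueError("rejected peer public key: " + reason)
    return mul(priv, peer)[0]
```

The check is cheap (one curve equation evaluation), and rejecting a point with the wrong y or out-of-range coordinates is exactly what keeps an attacker's chosen small-order point out of the shared-secret computation.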

Affected Products and Versions

RST versions 8.2.*, 8.3.*, 8.5.*, 8.6.*, 8.7.*.

Remediation/Fixes

It is strongly recommended to upgrade to RPT version 9.0.

For older releases, you can alternatively update the Bouncy Castle library manually:

  1. Download Bouncy Castle version 1.5.3 (the jar can be downloaded from https://www.bouncycastle.org/download/jce-jdk13-154.jar).
  2. Locate the previously delivered Bouncy Castle library; it is typically at the following path:
    INSTALLATION_DIRECTORY/IBM_SHARED_PLUGINS/plugins/com.ibm.rational.ttt.common.models.core_plugin_version/lib/approvedbouncy
    For example:
    C:\Program Files\IBM\IBMIMSharedRPT8702\plugins\com.ibm.rational.ttt.common.models.core_8.5.210.v20150622_1524\lib\approvedbouncy
    for RPT v8.7.0.2.
  3. Rename the downloaded Bouncy Castle 1.5.3 jar to the name of the previously delivered jar (jce-jdk13-134.jar).
  4. Replace the old jar with the new one.

Workarounds and Mitigations

None.
