Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM7E9F876A2794D8A1968D52FB411FEB6A68DC80CC8BC69B1ABA1C5493ECA0E485
HistoryJun 16, 2018 - 9:23 p.m.

Security Bulletin: Vulnerabilities in GSKit affect IBM Security Access Manager for Web (CVE-2015-0159, CVE-2015-0138, CVE-2014-6221)

2018-06-1621:23:22
www.ibm.com
7

EPSS

0.005

Percentile

76.0%

JSON

Summary

GSKit is an IBM component that is used by IBM Security Access Manager for Web. The GSKit that is shipped with IBM Security Access Manager for Web contains multiple security vulnerabilities including the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. IBM Security Access Manager for Web has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2014-6221 **
DESCRIPTION:** Random Data Generation using GSKit MSCAPI/MSCNG Interface Code does not generate cryptographically random data. An attacker could use this weakness to gain complete confidentially and/or integrity compromise.

CVSS Base Score: 8.8
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/98929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N)

CVEID: CVE-2015-0138

DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0159

DESCRIPTION: An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations.

CVSS Base Score: 2.6
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Affected Products and Versions

  • IBM Tivoli Access Manager for e-business 6.0, 6.1 and 6.1.1.
  • IBM Security Access Manager for Web 7.0.
  • IBM Security Access Manager for Web 8.0, firmware versions 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, and 8.0.1.0.

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch.

You should verify applying this fix does not cause any compatibility issues.

Product VRMF APAR Remediation
IBM Tivoli Access Manager for e-business 6.0 IV70928 Apply the 6.0.0.37 fixpack. The README instructions will direct you to update GSKit in your environment:
6.0.0-ISS-TAM-IF0037
IBM Tivoli Access Manager for e-business 6.1 IV70928 Apply the 6.1.0.18 fixpack. The README instructions will direct you to update GSKit in your environment:
6.1.0-ISS-TAM-IF0018
IBM Tivoli Access Manager for e-business 6.1.1 IV70926 Apply the 6.1.1.15 fixpack. The README instructions will direct you to update GSKit in your environment:
6.1.1-ISS-TAM-IF0015
IBM Security Access Manager for Web (Software-installations) 7.0.0.0 -
7.0.0.11 IV70922 Apply the 7.0.0.12 fixpack. The README instructions will direct you to update GSKit in your environment:
7.0.0-ISS-SAM-FP0012
_IBM Security Access Manager for Web (Appliance-based) _ _7.0.0.0 -
7.0.0.11_ IV70922 Apply the 7.0.0.12 fixpack:
7.0.0-ISS-WGA-FP0012
IBM Security Access Manager for Web 8.0.0.0 -
8.0.1.0 IV70920 Upgrade to the 8.0.1.2 package:
8.0.1-ISS-WGA-FP0002

For Tivoli Access Manager for e-business 5.1, IBM recommends upgrading to a fixed, supported release of the product.

Workarounds and Mitigations

For workaround and mitigation steps, see security bulletin:

Security Bulletin: Vulnerability in GSKit affects Tivoli Access Manager for e-business and Security Access Manager for Web (CVE-2015-0138)

Related

ibm 142
prion 2
cve 3
nvd 3
cvelist 3
aix 1
nessus 17
openvas 12
kaspersky 1
suse 8
redhat 4
veracode 3
ibm
ibm
Security Bulletin: Vulnerabilities in GSKit affect IBM WebSphere MQ (CVE-2015-0159, CVE-2015-0138 and CVE-2014-6221)
2018-06-15 07:02:39
Security Bulletin: Security vulnerabilities have been identified in IBM DB2 shipped with WebSphere Remote Server (CVE-2015-0138, CVE-2015-0159 and CVE-2014-6221)
2018-06-15 07:02:53
Security Bulletin: A security vulnerability has been identified in WebSphere MQ shipped with WebSphere Remote Server (CVE-2015-0159, CVE-2015-0138 and CVE-2014-6221)
2018-06-15 07:02:51
prion
prion
Information disclosure
2015-04-06 00:59:00
Design/Logic Flaw
2015-03-25 01:59:00
cve
cve
CVE-2014-6221
2015-04-06 00:59:00
CVE-2015-0159
2015-03-25 01:59:19
CVE-2015-0138
2015-03-25 01:59:17
nvd
nvd
CVE-2014-6221
2015-04-06 00:59:00
CVE-2015-0159
2015-03-25 01:59:19
CVE-2015-0138
2015-03-25 01:59:17
cvelist
cvelist
CVE-2014-6221
2015-04-06 00:00:00
CVE-2015-0159
2015-03-25 01:00:00
CVE-2015-0138
2015-03-25 01:00:00
aix
aix
AIX IBM SDK Java JSSE vulnerability
2015-04-13 12:11:24
nessus
nessus
IBM HTTP Server 8.5.0.0 <= 8.5.5.5 / 8.0.0.0 <= 8.0.0.10 / 7.0.0.0 <= 7.0.0.37 / 6.1.0.0 <= 6.1.0.47 / 6.0.0.0 <= 6.0.2.43 (257477)
2020-12-15 00:00:00
AIX Java Advisory : Multiple Vulnerabilities (Bar Mitzvah)
2015-04-30 00:00:00
IBM DB2 10.5 < Fix Pack 6 Multiple Vulnerabilities (Bar Mitzvah)
2016-04-15 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2015:1073-1)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2015:1085-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2015:1086-2)
2021-06-09 00:00:00
kaspersky
kaspersky
KLA10503 Multiple vulnerabilities in IBM products
2015-03-24 00:00:00
suse
suse
Security update for java-1_7_0-ibm (important)
2015-06-16 22:06:38
Security update for IBM Java (important)
2015-06-18 16:05:20
Security update for java-1_6_0-ibm (important)
2015-06-30 17:05:18
redhat
redhat
(RHSA-2015:1021) Important: java-1.5.0-ibm security update
2015-05-20 00:00:00
(RHSA-2015:1091) Low: Red Hat Satellite IBM Java Runtime security update
2015-06-11 00:00:00
(RHSA-2015:1006) Critical: java-1.6.0-ibm security update
2015-05-13 00:00:00
veracode
veracode
Sandbox Restrictions Bypass
2019-05-02 05:39:14
Sandbox Restrictions Bypass
2019-05-02 05:39:15
Sandbox Restrictions Bypass
2019-05-02 05:39:14

EPSS

0.005

Percentile

76.0%

JSON
Related for 7E9F876A2794D8A1968D52FB411FEB6A68DC80CC8BC69B1ABA1C5493ECA0E485
ibm142prion2cve3nvd3cvelist3aix1nessus17openvas12kaspersky1suse8redhat4veracode3