Security Bulletin: Vulnerability in RC4 stream cipher affects IBM SONAS (CVE-2015-2808)

2018-06-1800:09:28

www.ibm.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM SONAS

Vulnerability Details

CVEID: CVE-2015-2808

DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM SONAS

All products are affected when running code releases 1.3, 1.4 and 1.5 except for version 1.5.2.0 and above.

Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SONAS to the following code level or higher:

1.5.2.0

Please contact IBM support for assistance in upgrading your system.

CPENameOperatorVersion
network attached storage (nas)->scale out network attached storageeq1.3
network attached storage (nas)->scale out network attached storageeq1.4
network attached storage (nas)->scale out network attached storageeq1.5

Name	Operator	Version
network attached storage (nas)->scale out network attached storage	eq	1.3
network attached storage (nas)->scale out network attached storage	eq	1.4
network attached storage (nas)->scale out network attached storage	eq	1.5