9.3 High
CVSS2
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Various vulnerabilities in the Java Runtime Environment could affect IBM DB2 Recovery Expert for Linux, UNIX and Windows.
CVEID: CVE-2015-0204
DESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99707 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100691 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as the “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
The following CVEs only apply to the HP-UX and Solaris platforms:
CVEID: CVE-2015-0460
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102330> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-0470
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Hotspot component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102338> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions: IBM DB2 Recovery Expert for Linux, UNIX, and Windows versions 3.1 through 4.1
Remediation/Fixes: Replace the existing JRE with JRE V7 SR9-Fix Pack 1 (<http://www-01.ibm.com/support/docview.wss?uid=swg21639279>).
You can replace the IBM Runtime Environment, Java™ Technology Edition that is installed with IBM DB2 Recovery Expert for Linux, UNIX, and Windows with the latest IBM Runtime Environment, Java™ Technology Edition by following the detailed instructions in the technote “Updating the JRE for DB2 Recovery Expert for Linux, UNIX and Windows”.
Workarounds and Mitigations: Only CVE-2015-2808 can be mitigated. The other applicable CVEs have no mitigation, and the JRE must be upgraded.
Mitigation instructions for CVE-2015-2808 are available here:
CPE:

Name | Operator | Version
---|---|---
db2 recovery expert for linux, unix and windows | eq | 4.1.0
db2 recovery expert for linux, unix and windows | eq | 3.1.0