Lucene search

K
ibmIBM84148D1DF56ABF15F2C36A87D3E56B147FE5CE4A2EDE780059268C996ECCEE04
HistoryJun 16, 2018 - 1:11 p.m.

Security Bulletin: Multiple vulnerabilities in Java Runtime Environment affects IBM DB2 Recovery Expert for Linux, UNIX and Windows (CVE-2015-0204, CVE-2015-0138, CVE-2015-2808, CVE-2015-0460, CVE-2015-470)

2018-06-1613:11:34
www.ibm.com
6

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

Summary

Various vulnerabilities in the Java Runtime Environment could affect IBM DB2 Recovery Expert for Linux, UNIX and Windows.

Vulnerability Details

CVEID:CVE-2015-0204**
DESCRIPTION:*A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/99707for the current score
CVSS Environmental Score
: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2015-0138**
DESCRIPTION:*A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/100691for the current score
CVSS Environmental Score
: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2015-2808**
DESCRIPTION:*The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/101851for the current score
CVSS Environmental Score
: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

The following CVEs only apply to the HP-UX and Solaris platforms:

CVEID:CVE-2015-0460**
DESCRIPTION:*An unspecified vulnerability in Oracle Java SE related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See<https://exchange.xforce.ibmcloud.com/vulnerabilities/102330&gt;for the current score
CVSS Environmental Score
: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID:CVE-2015-0470**
DESCRIPTION:*An unspecified vulnerability in Oracle Java SE related to the Hotspot component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See<https://exchange.xforce.ibmcloud.com/vulnerabilities/102338&gt;for the current score
CVSS Environmental Score
: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM DB2 Recovery Expert for Linux, UNIX, and Windows versions 3.1 through 4.1

Remediation/Fixes

Replace existing JRE with JRE V7 SR9-Fix Pack 1 (<http://www-01.ibm.com/support/docview.wss?uid=swg21639279&gt;).

You can replace the IBM Runtime Environment, Java™ Technology Edition that is installed with IBM DB2 Recovery Expert for Linux, UNIX, and Windows with the latest IBM Runtime Environment, Java™ Technology Edition following the detailed instructions provided in the tech-note “Updating the JRE for DB2 Recovery Expert for Linux, UNIX and Windows”.

Workarounds and Mitigations

Only CVE-2015-2808 can be mitigated. The other applicable CVEs have no mitigation and the JRE must be upgraded.

Mitigation instructions for CVE-2015-2808 are available here:

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C