IBM8BD055970F3AEBC1072117F86120DD4963EB2275EBA431FFD601E7A2B2DB2B6CSecurity Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Rational RequisitePro (CVE-2015-0138)
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
Summary
The “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Versions 6.1, 7, 8, 8.5, and 8.5.5 that are used by IBM Rational RequisitePro.
Vulnerability Details
Please consult the Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138) for vulnerability details and information about fixes.
CVEID: CVE-2015-0138**
DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
IBM Rational RequisitePro, RequisiteWeb Server component.
Version
|
Status
—|—
7.1.3.x, 7.1.4.x| This vulnerability only applies to RequisiteWeb component, and it only applies if one of the following conditions exist:
- You have installed RequisiteWeb server into an existing WAS profile, and that profile supports a non-default set of ciphers.
- You modified the default set of ciphers in the WAS profile created during the installation of RequisitePro.
7.1.0.x, 7.1.1.x, 7.1.2.x| This vulnerability only applies to the RequisiteWeb component, other parts of RequisitePro are not affected. In addition, this vulnerability only applies if you modified the RequisiteWeb WAS profile by changing its set of supported ciphers.
Remediation/Fixes
Review the security bulletin referenced above and apply the relevant fixes to your WAS installation and WAS profiles used for RequisiteWeb.
Affected version
|
Applying the fix
—|—
7.1.3.x, 7.1.4.x| Apply the appropriate WebSphere Application Server directly to your RequisiteWeb server host. No particular RequisitePro steps are necessary.
7.1.0.x, 7.1.1.x and 7.1.2.x| Document 1390803 explains how to update WebSphere Application Server for RequisiteWeb servers for 7.1.0.x, 7.1.1.x and 7.1.2.x releases.
Workarounds and Mitigations
None
Related
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N