IBM90B187AAB18271430FE3CD85277543D3D711DFD634CA7A0214510FF1F866C460Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects Tivoli Storage Productivity Center (CVE-2015-4000)
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.975 High
EPSS
Percentile
100.0%
Summary
The Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects Tivoli Storage Productivity Center.
UPDATED 1/29/2018: Even after fixing this vulnerability some vulnerability checks might still demand for an even tighter fix. A more comprehensive fix has been provided in IBM Spectrum Control.
Vulnerability Details
CVEID: CVE-2015-4000**
DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as “Logjam”.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
Tivoli Storage Productivity Center 5.2.0 through 5.2.6
Tivoli Storage Productivity Center 5.1.0 through 5.1.1.7
The versions listed above apply to all licensed offerings of Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.
The following versions are NOT affected:
- Tivoli Storage Productivity Center 4.2.x
- Tivoli Storage Productivity Center 4.1.x
- TotalStorage Productivity Center 3.3.x
UPDATED 1/29/2018: New installations of IBM Spectrum Control 5.2.15 contain a more comprehensive fix. Older and upgraded installations can apply the more comprehensive fix by upgrading to 5.2.16.
Remediation/Fixes
The solution is to apply an appropriate Tivoli Storage Productivity Center fix maintenance for each named product. The solution should be implemented as soon as practicable. (See Latest Downloads.)
| Affected TPC Version | APAR | Fixed TPC Version | Availability |
|---|---|---|---|
| 5.2.x | IT10948 | 5.2.7 | August 2015 |
| 5.1.x | IT10948 | 5.1.1.8 | July 2015 |
UPDATED 1/29/2018: Apply a more comprehensive fix by upgrading to IBM Spectrum Control 5.2.16 (March 2018) or by upgrading to IBM Spectrum Control 5.2.15 and following the local fix for APAR IT23276.
Related
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.975 High
EPSS
Percentile
100.0%