Jun 15, 2018 - 7:02 a.m.

Security Bulletin: Vulnerabilities in OpenSSL affect IBM WebSphere Cast Iron Solution (CVE-2014-3572, CVE-2015-0204, CVE-2014-8275)

2018-06-15 07:02:34
www.ibm.com

CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

Summary

OpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. OpenSSL is used by IBM WebSphere Cast Iron Solution. IBM WebSphere Cast Iron Solution has addressed the applicable CVEs (CVE-2014-3572, CVE-2015-0204, CVE-2014-8275).

Vulnerability Details

CVEID: CVE-2014-3572
DESCRIPTION: OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 1.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99705 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0204
DESCRIPTION: OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 1.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99707 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-8275
DESCRIPTION: OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.
CVSS Base Score: 1.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99709 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)
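
The fingerprint issue in CVE-2014-8275 can be seen with a strict-DER length check. The following is an added example, not code from IBM or OpenSSL: it re-encodes a length outside the signed portion, which changes the fingerprint while the signed bytes stay identical, and flags the non-DER encoding. The helper names (`tlv`, `der_issues`, `fingerprint`) are hypothetical and the certificate-shaped input is constructed; single-byte ASN.1 tags are assumed.

```python
import hashlib

def tlv(tag, body, long_form=False):
    """Encode one TLV; long_form=True forces a BER long-form length (non-DER if < 128)."""
    n = len(body)
    if n < 128 and not long_form:
        return bytes([tag, n]) + body
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_issues(data, path="cert"):
    """Walk the TLVs in data and list DER length-encoding violations (single-byte tags)."""
    issues, i, idx = [], 0, 0
    while i < len(data):
        here = f"{path}[{idx}]"
        if len(data) - i < 2:
            return issues + [f"{here}: truncated header"]
        tag, first = data[i], data[i + 1]
        i += 2
        if first < 0x80:                      # short form
            n = first
        elif first == 0x80:                   # indefinite length is BER only
            return issues + [f"{here}: indefinite length"]
        else:                                 # long form: must be minimal
            k = first & 0x7F
            raw = data[i:i + k]
            if len(raw) < k:
                return issues + [f"{here}: truncated length"]
            i += k
            n = int.from_bytes(raw, "big")
            if n < 128 or raw[0] == 0:
                issues.append(f"{here}: non-minimal length")
        body = data[i:i + n]
        if len(body) < n:
            return issues + [f"{here}: truncated value"]
        if tag & 0x20:                        # constructed: check children
            issues += der_issues(body, here)
        i, idx = i + n, idx + 1
    return issues

def fingerprint(data):
    return hashlib.sha256(data).hexdigest()

# Constructed toy structure shaped like Certificate ::= SEQUENCE {tbs, alg, sig}
tbs = tlv(0x30, tlv(0x02, b"\x01"))
alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
sig = b"\x00" + b"\xaa" * 4               # placeholder bytes, not a real signature
canonical = tlv(0x30, tbs + alg + tlv(0x03, sig))
variant = tlv(0x30, tbs + alg + tlv(0x03, sig, long_form=True))
```

Anything that identifies certificates by fingerprint should compare fingerprints only after a check of this kind passes, or should hash a canonical re-encoding instead of the bytes as received.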

Affected Products and Versions

This vulnerability affects all versions of the product:
WebSphere Cast Iron v 7.0.0.x
WebSphere Cast Iron v 6.4.0.x
WebSphere Cast Iron v 6.3.0.x
WebSphere Cast Iron v 6.1.0.x
WebSphere Cast Iron v 6.0.0.x

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
Cast Iron Appliance | 7.* | LI78411 | iFix 7.0.0.2-CUMUIFIX-008
Cast Iron Appliance | 6.4.0.x | LI78411 | iFix 6.4.0.1-CUMUIFIX-026
Cast Iron Appliance | 6.3.0.x | LI78411 | iFix 6.3.0.2-CUMUIFIX-011
Cast Iron Appliance | 6.1.0.x | LI78411 | iFix 6.1.0.15-CUMUIFIX-018

Workarounds and Mitigations

Customers on Cast Iron v6.0.0.x should contact IBM Support for migrating to one of the remediated releases.
