CVSS2 base score: 4.3 (Medium)

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | MEDIUM
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | PARTIAL
Availability Impact | NONE

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
The “FREAK: Factoring Attack on RSA-EXPORT keys” TLS/SSL client and server vulnerability affects IBM® SDK, Java™ Technology Edition, Versions 5, 6 and 7, which Rational Service Tester uses for TLS/SSL.

**CVEID:** CVE-2015-0138

**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
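The condition the description turns on is a missing client-side check: a temporary RSA key arrives in a ServerKeyExchange message, and the client uses it even though the negotiated cipher suite is not an RSA_EXPORT suite. The following Python model is an added example, not IBM's code or the JDK's. The cipher suite code points are the real values from RFC 2246; the ServerKeyExchange body is constructed here for illustration and the signature field is a placeholder that is not verified. The hardened check rejects a temporary RSA key outside an export suite, disables export suites by default, and bounds the key length when they are enabled; the vulnerable behaviour is shown alongside it for contrast.

```python
"""Client-side validation of an RSA ServerKeyExchange, modelling the FREAK condition."""
import struct

# Cipher suite code points from RFC 2246 (TLS 1.0); these are the real values.
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F

RSA_EXPORT_SUITES = {TLS_RSA_EXPORT_WITH_RC4_40_MD5,
                     TLS_RSA_EXPORT_WITH_DES40_CBC_SHA}
# RFC 2246 section 7.4.3: export suites use a temporary RSA key of at most 512 bits.
MAX_EXPORT_RSA_BITS = 512


def _read_vector(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Read a TLS opaque<1..2^16-1> vector (2-byte length prefix) starting at offset."""
    if offset + 2 > len(buf):
        raise ValueError("truncated vector length")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("bad vector length")
    return buf[offset:offset + length], offset + length


def parse_rsa_server_params(ske_body: bytes) -> tuple[int, int]:
    """Parse ServerRSAParams from a ServerKeyExchange body: (modulus_bits, exponent).

    The signature that follows the params is not checked here; a real client must
    verify it against the server certificate before using anything in this message.
    """
    modulus, off = _read_vector(ske_body, 0)
    exponent, _ = _read_vector(ske_body, off)
    return (int.from_bytes(modulus, "big").bit_length(),
            int.from_bytes(exponent, "big"))


def vulnerable_accepts_temp_rsa(cipher_suite: int, ske_body: bytes) -> bool:
    """Behaviour the bulletin describes: the temporary key is accepted regardless of
    which suite was negotiated, so the suite's key-exchange strength is never enforced."""
    parse_rsa_server_params(ske_body)
    return True


def check_server_key_exchange(cipher_suite: int, ske_body: bytes,
                              allow_export_suites: bool = False) -> tuple[bool, str]:
    """Hardened check: a temporary RSA key is only legitimate in an RSA_EXPORT suite,
    export suites are off unless explicitly allowed, and the key must fit the export limit."""
    if cipher_suite not in RSA_EXPORT_SUITES:
        return False, f"temporary RSA key not permitted for non-export suite 0x{cipher_suite:04x}"
    if not allow_export_suites:
        return False, "export suites are disabled by policy"
    bits, _exponent = parse_rsa_server_params(ske_body)
    if bits > MAX_EXPORT_RSA_BITS:
        return False, f"{bits}-bit temporary key exceeds the export limit"
    return True, f"accepted {bits}-bit export-grade temporary key"


def build_sample_ske(modulus_bits: int = 512) -> bytes:
    """Constructed sample ServerKeyExchange body (not a real capture): a modulus of the
    requested size, exponent 65537, and a zero-filled placeholder signature vector."""
    modulus = (1 << (modulus_bits - 1)) | 1          # odd value with the top bit set
    n = modulus.to_bytes(modulus_bits // 8, "big")
    e = (65537).to_bytes(3, "big")
    sig = b"\x00" * 64                               # placeholder, not a valid signature
    return (struct.pack("!H", len(n)) + n
            + struct.pack("!H", len(e)) + e
            + struct.pack("!H", len(sig)) + sig)


if __name__ == "__main__":
    ske = build_sample_ske()
    print("vulnerable client accepts 512-bit temp key in AES suite:",
          vulnerable_accepts_temp_rsa(TLS_RSA_WITH_AES_128_CBC_SHA, ske))
    print("hardened client:", check_server_key_exchange(TLS_RSA_WITH_AES_128_CBC_SHA, ske))
```

The default of rejecting export suites outright reflects how patched clients behave: the export ciphersuites have no legitimate use today, and the RSA_EXPORT path is the only one in which a temporary RSA key is ever valid, so turning it off removes the downgrade target entirely.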
Affected versions: Rational Service Tester 8.2, 8.3, 8.5, 8.6 and 8.7.

A fix is available as described below.
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
RST | 8.7 | None | Download Java 7 SR8 FP10 +IV70681 |
RST | 8.6 - 8.6.x | None | Download Java 7 SR8 FP10 +IV70681 |
RST | 8.5 - 8.5.x | None | Download Java 7 SR8 FP10 +IV70681 |
RST | 8.3 - 8.3.x | None | Download Java 7 SR8 FP10 +IV70681 |
RST | 8.2 - 8.2.1.x | None | Download Java 7 SR8 FP10 +IV70681 |