
Security Bulletin: RC4 Bar Mitzvah Attack for SSL/TLS (CVE-2015-2808)

2019-12-18 14:26:38
www.ibm.com

CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM i.

Vulnerability Details

CVEID: CVE-2015-2808

DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to obtain sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Releases 6.1, 7.1 and 7.2 of IBM i are affected.

Remediation/Fixes

The issue can be fixed by applying PTFs to IBM i and following the remediation plan below. NOTE: Please read this entire section for the list of PTF numbers for IBM i:

Please review this document for IBM i remediation steps: http://www.ibm.com/support/docview.wss?uid=nas8N1020681

Releases 6.1, 7.1 and 7.2 of IBM i are supported and will be fixed.

The IBM i PTF numbers are:

IBM i OS and options:

Release 6.1 – SI56418
Release 7.1 – SI56419
Release 7.2 – SI56643

IBM i Java:

Java for IBM i: 5761-JV1 & 5770-JV1

For details on Java for IBM i, see the Java for IBM i page on developerWorks:
http://www.ibm.com/developerworks/ibmi/techupdates/java

The IBM i Group PTF numbers for Java are:
Release 6.1 – SF99562 level 32
Release 7.1 – SF99572 level 21
Release 7.2 – SF99716 level 6

_Important note:_ IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed versions of affected products.

Workarounds and Mitigations

N/A

CPE Name: ibm i
Operator: eq
Version: 7.1.0
