
Security Bulletin: Vulnerabilities in IBM Tivoli Directory Server affect IBM Security Access Manager for Web and Tivoli Access Manager for e-business (CVE-2015-0138)

Published: 2018-06-16 21:23:22 (source: www.ibm.com)

CVSS2 base score: 4.3 (Medium)

- Access Vector: NETWORK
- Access Complexity: MEDIUM
- Authentication: NONE
- Confidentiality Impact: NONE
- Integrity Impact: PARTIAL
- Availability Impact: NONE
- Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary

GSKit, an IBM component, contains multiple vulnerabilities, including the "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. GSKit is used by IBM Tivoli Directory Server, and IBM Tivoli Directory Server is in turn used by IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business.

OpenSSL is also affected by these vulnerabilities. IBM Security Access Manager for Web appliances use OpenSSL for secure connections to the embedded Tivoli Directory Server.

IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0138

DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

This vulnerability is also known as the FREAK attack.
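The defect described above is a client-side check: in a non-export RSA suite the server never sends a ServerKeyExchange, so a client that tolerates one (carrying a short temporary RSA key) can be downgraded. The following is an added illustration, not IBM or GSKit code, of the decision a patched client makes; it parses the ServerRSAParams structure from RFC 2246 section 7.4.3 and assumes the message body passed in is just that params portion (the trailing signature is omitted), with the sample 512-bit key constructed inline.

```python
import struct
from typing import Optional, Tuple

# Cipher suite identifiers from the TLS registry (RFC 2246 / RFC 5246).
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F      # non-export RSA key exchange
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003    # export-grade RSA key exchange
EXPORT_RSA_SUITES = {0x0003, 0x0006, 0x0008}  # RSA_EXPORT suites in RFC 2246


def build_server_rsa_params(modulus: int, exponent: int) -> bytes:
    """Encode ServerRSAParams: two length-prefixed opaque vectors (constructed sample)."""
    m = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(m)) + m + struct.pack("!H", len(e)) + e


def parse_server_rsa_params(body: bytes) -> Tuple[int, int]:
    """Decode ServerRSAParams and return (modulus_bits, exponent).
    Raises ValueError on a truncated message instead of trusting lengths."""
    if len(body) < 2:
        raise ValueError("truncated ServerRSAParams")
    mod_len = struct.unpack("!H", body[:2])[0]
    modulus = body[2:2 + mod_len]
    if len(modulus) != mod_len or len(body) < 4 + mod_len:
        raise ValueError("truncated rsa_modulus")
    off = 2 + mod_len
    exp_len = struct.unpack("!H", body[off:off + 2])[0]
    exponent = body[off + 2:off + 2 + exp_len]
    if len(exponent) != exp_len:
        raise ValueError("truncated rsa_exponent")
    return int.from_bytes(modulus, "big").bit_length(), int.from_bytes(exponent, "big")


def client_should_accept(cipher_suite: int,
                         server_key_exchange: Optional[bytes]) -> Tuple[bool, str]:
    """Patched-client policy: refuse export suites outright, and refuse a
    temporary RSA key when the negotiated suite is a non-export RSA suite."""
    if cipher_suite in EXPORT_RSA_SUITES:
        return False, "export-grade RSA suite negotiated"
    if server_key_exchange is None:
        return True, "static RSA key exchange, no temporary key"
    bits, _ = parse_server_rsa_params(server_key_exchange)
    return False, f"temporary RSA key ({bits}-bit) offered in non-export RSA suite"


# Constructed sample: a 512-bit modulus such as an export-grade server would send.
SAMPLE_SKE = build_server_rsa_params((1 << 511) | 1, 65537)
```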

CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Tivoli Access Manager for e-business 6.0, 6.1 and 6.1.1.
IBM Security Access Manager for Web 7.0 (software installations)
IBM Security Access Manager for Web 7.0 (appliances)
IBM Security Access Manager for Web 8.0, firmware versions 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, and 8.0.1.0.

Remediation/Fixes

| Product | VRMF | APAR | Remediation |
|---|---|---|---|
| IBM Tivoli Access Manager for e-business | 6.0, 6.1, 6.1.1 | N/A | IBM recommends that you review your entire environment to identify vulnerable releases of LDAP and take appropriate mitigation and remediation actions. Follow the instructions in the LDAP security bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159) |
| IBM Security Access Manager for Web (software-based installation) | 7.0.0.0 - 7.0.0.12 | N/A | IBM recommends that you review your entire environment to identify vulnerable releases of LDAP and take appropriate mitigation and remediation actions. Follow the instructions in the LDAP security bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159) |
| IBM Security Access Manager for Web (appliance-based) | 7.0.0.0 - 7.0.0.12; 8.0.0.0 - 8.0.1.0 | N/A | IBM Security Access Manager for Web appliances use OpenSSL to connect to the embedded LDAP. Ensure that you have followed the instructions in the associated security bulletin: OpenSSL: <http://www.ibm.com/support/docview.wss?uid=swg21696550>. If you have any stand-alone installations of IBM LDAP, please ensure that you upgrade to the latest version of LDAP. Follow the instructions in the LDAP security bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159) |

For Tivoli Access Manager for e-business 5.1, IBM recommends upgrading to a fixed, supported release of the product.

Workarounds and Mitigations

None.
