Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System (CVE-2015-2808, CVE-2015-0488 and CVE-2015-0478)

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7 that is used by IBM Security SiteProtector System. These issues were disclosed as part of the IBM Java SDK updates in April 2015.

Vulnerability Details

CVEID:CVE-2015-2808 **
DESCRIPTION:**The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:CVE-2015-0488 **
DESCRIPTION:**An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:CVE-2015-0478 **
DESCRIPTION:**An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102339 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Security SiteProtector System 3.0 and 3.1.1

Remediation/Fixes

Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:

For SiteProtector 3.0:

SiteProtector Core Component: ServicePack3_0_0_8a.xpu
Event Collector Component: RSEvntCol_WINNT_ST_3_0_0_7.xpu
Agent Manager Component: AgentManager_WINNT_XXX_ST_3_0_0_48.xpu

For SiteProtector 3.1.1:

SiteProtector Core Component: ServicePack3_1_1_3a.xpu
Event Collector Component: RSEvntCol_WINNT_ST_3_1_1_3.xpu
Agent Manager Component: AgentManager_WINNT_XXX_ST_3_1_1_18.xpu
Update Server Component: UpdateServer_3_1_1_3.pkg
Event Archiver Component: EventArchiver_3_1_1_3.pkg
Event Archiver Importer Component: EventArchiverImporter_3_1_1_3.zip
Manual Upgrader Component: MU_3_1_1_4.xpu

These updates are also available to be manualy downloaded from the IBM Security License Key and Download Center at https://ibmss.flexnetoperations.com/service/ibms/login

Workarounds and Mitigations

None