Security Bulletin:Vulnerabilities in IBM WebSphere Application Server and GSKit affects Cognos Business Intelligence (CVE-2015-0138, CVE-2015-0159)

Summary

The “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Liberty Profile Version 8.5 that is used by IBM Cognos Business Intelligence Server 10.2.2

A security vulnerability has been discovered in GSKit 8.0 used by IBM Cognos Business Intelligence Server 10.2.2

Vulnerability Details

CVEID: CVE-2015-0138 DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0159 DESCRIPTION: An unspecified error in GSKit usage of OpenSSL crypto function
related to the production of incorrect results on some platforms by Bignum squaring BN_sqr) has an unknown attack vector and impact in some ECC operations.
CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100835&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Cognos Business Intelligence Server 10.2.2

Remediation/Fixes

IBM Cognos Business Intelligence 10.2, 10.2.1x and 10.2.2 Fixes

Workarounds and Mitigations

None