Security Bulletin: Vulnerability in RC4 stream cipher affects server products in WebSphere Dynamic Process Edition (CVE-2015-2808)

Summary

The RC4 “Bar Mitzvah” attack for SSL/TLS affects IBM WebSphere Application Server that is used by server products in WebSphere Dynamic Process Edition.

Vulnerability Details

CVEID: CVE-2015-2808**
DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

WebSphere Dynamic Process Edition 6.1, 6.2, 7.0

If you are using an unsupported version, IBM strongly recommends to upgrade.

Remediation/Fixes

Please consult the security bulletin Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808) for vulnerability details and information about fixes. WebSphere Application Server is used by WebSphere Process Server, WebSphere Business Services Fabric, and WebSphere Business Monitor.

Workarounds and Mitigations

None