CVSS2 | 4.3 Medium
---|---
Access Vector | NETWORK
Access Complexity | MEDIUM
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | PARTIAL
Availability Impact | NONE
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N
The “FREAK: Factoring Attack on RSA-EXPORT keys” TLS/SSL client and server vulnerability (CVE-2015-0138) may affect some configurations of IBM WebSphere Application Server Full Profile shipped with IBM Tivoli Network Performance Manager
CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
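The condition in the description, a temporary RSA key delivered under a non-export RSA ciphersuite, can be checked passively on a captured server handshake flight, because a plain RSA key exchange never includes a ServerKeyExchange message. The following is an added example, not IBM code: the function names, verdict strings and sample flights are constructed for illustration, and the input is assumed to be handshake messages with the record layer already reassembled.

```python
SERVER_HELLO, SERVER_KEY_EXCHANGE = 2, 12     # TLS handshake message types
# IANA cipher suite ids (subset chosen for this example)
RSA_EXPORT = {0x0003, 0x0006, 0x0008}         # TLS_RSA_EXPORT_WITH_*
RSA_PLAIN = {0x0005, 0x000A, 0x002F, 0x0035}  # TLS_RSA_WITH_* (non-export)

def handshake_messages(flight: bytes):
    """Yield (type, body) per handshake message: 1-byte type, 3-byte length."""
    pos = 0
    while pos < len(flight):
        if pos + 4 > len(flight):
            raise ValueError("truncated handshake header")
        length = int.from_bytes(flight[pos + 1:pos + 4], "big")
        body = flight[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        yield flight[pos], body
        pos += 4 + length

def negotiated_suite(server_hello: bytes) -> int:
    """ServerHello: version(2) random(32) session_id(1+n) cipher_suite(2) ..."""
    off = 35 + (server_hello[34] if len(server_hello) > 34 else 0)
    if len(server_hello) < off + 2:
        raise ValueError("short ServerHello")
    return int.from_bytes(server_hello[off:off + 2], "big")

def classify(flight: bytes) -> str:
    """Return a verdict string (names are this example's own) for one flight."""
    suite, saw_ske = None, False
    for msg_type, body in handshake_messages(flight):
        if msg_type == SERVER_HELLO:
            suite = negotiated_suite(body)
        elif msg_type == SERVER_KEY_EXCHANGE:
            saw_ske = True
    if suite is None:
        raise ValueError("no ServerHello in flight")
    if suite in RSA_EXPORT:
        return "export-suite-negotiated"
    if suite in RSA_PLAIN and saw_ske:
        return "temporary-key-in-non-export-rsa"  # condition in CVE-2015-0138
    return "ok"

def msg(msg_type: int, body: bytes = b"") -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def flight(suite: int, with_ske: bool) -> bytes:
    """Constructed sample flight; Certificate and key-exchange bodies are dummies."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    ske = msg(SERVER_KEY_EXCHANGE, b"\x00" * 8) if with_ske else b""
    return msg(SERVER_HELLO, hello) + msg(11, b"\x00" * 4) + ske + msg(14)
```

A patched client performs the equivalent check inside its handshake state machine and aborts the connection; the passive version here is suited to reviewing captures taken between the bundled WebSphere server and its clients.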
Affected Product and Version(s) | Product and Version shipped as component
---|---
Tivoli Network Performance Manager 1.4 | Bundled the Jazz for Service Management version 1.1.0.2, IBM WebSphere version 8.5.0.1 and the JRE from IBM SDK Java 2 Technology Edition Version 7.
Tivoli Network Performance Manager 1.3.3 | Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6.
Tivoli Network Performance Manager 1.3.2 | Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6.
Tivoli Network Performance Manager 1.3.1 | Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6.
Apply the workaround and mitigation described in the bulletin “Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)”.
CPE

Name | Operator | Version
---|---|---
ibm netcool performance manager | eq | 1.3
ibm netcool performance manager | eq | 1.4