Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMBB86AF26EFAC5E774B73ED4F6EA3CC2D4D70AAAEFF1EFE8255D4FF66723F6504
HistoryJun 15, 2018 - 7:03 a.m.

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems, AIX, and Windows. (CVE-2015-2808, CVE-2015-0204, CVE-2015-1916, CVE-2015-0138)

2018-06-1507:03:30
www.ibm.com
8

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 6 and 7, that is used by IBM OS Images for Red Hat Linux Systems, AIX, and Windows. These issues were disclosed as part of the IBM Java SDK updates in April 2015. This bulletin also addresses FREAK: “Factoring Attack on RSA-EXPORT keys" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.

Vulnerability Details

CVEID: CVE-2015-2808 DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1916 DESCRIPTION: Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101995 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0204 DESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99707 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0138_
DESCRIPTION:A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100691 _for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM OS Image for Red Hat Linux Systems 3.0.0.0 and earlier.
IBM OS Image for AIX Systems 2.1.1.0 and earlier.

Remediation/Fixes

Virtual machines deployed from IBM PureApplication Systems are affected. This includes RedHat Linux and AIX-based deployments. The solution is to apply the following IBM PureApplication System fix to the deployed virtual machines.

Java Update for Linux
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=+Java_Update_Linux_2++&includeSupersedes=0

Java Update for AIX
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=+Java_Update_AIX_2++&includeSupersedes=0__ __

1. Import the fix into the Emergency Fix catalogue.
2. For deployed instances, apply this emergency fix on the VM.
3. Restart the deployed instance after the fix is applied.

Workarounds and Mitigations

None

Related

ibm 159
prion 3
cve 3
nessus 13
cisa 1
cisco 1
aix 1
hackerone 1
f5 3
debiancve 1
openvas 4
fortinet 1
openssl 1
thn 1
veracode 2
ubuntucve 1
huawei 1
checkpoint_security 1
cert 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Image Construction and Composition Tool (CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, CVE-2015-0138)
2018-06-15 07:03:26
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM PureApplication System. (CVE-2015-2808, CVE-2015-0204, CVE-2015-1916, and CVE-2015-0138)
2018-06-15 07:03:30
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM Workload Deployer. (CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, and CVE-2015-0138)
2018-06-15 07:03:26
prion
prion
Design/Logic Flaw
2015-03-25 01:59:00
Code injection
2015-07-02 21:59:00
Code injection
2015-01-09 02:59:00
cve
cve
CVE-2015-0138
2015-03-25 01:59:00
CVE-2015-1916
2015-07-02 21:59:00
CVE-2015-0204
2015-01-09 02:59:00
nessus
nessus
IBM HTTP Server 8.5.0.0 <= 8.5.5.5 / 8.0.0.0 <= 8.0.0.10 / 7.0.0.0 <= 7.0.0.37 / 6.1.0.0 <= 6.1.0.47 / 6.0.0.0 <= 6.0.2.43 (257477)
2020-12-15 00:00:00
AIX Java Advisory : Multiple Vulnerabilities (Bar Mitzvah)
2015-04-30 00:00:00
IBM DB2 10.5 < Fix Pack 6 Multiple Vulnerabilities (Bar Mitzvah)
2016-04-15 00:00:00
cisa
cisa
FREAK
2015-03-06 00:00:00
cisco
cisco
OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability
2015-01-13 19:57:19
aix
aix
AIX IBM SDK Java JSSE vulnerability
2015-04-13 12:11:24
hackerone
hackerone
Internet Bug Bounty: FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
2015-03-05 16:18:06
f5
f5
K16139 : OpenSSL vulnerability CVE-2015-0204
2015-10-02 00:00:00
SOL16139 - OpenSSL vulnerability CVE-2015-0204
2015-02-12 00:00:00
K16864 : SSL/TLS RC4 vulnerability CVE-2015-2808
2015-08-17 00:00:00
debiancve
debiancve
CVE-2015-0204
2015-01-09 02:59:00
openvas
openvas
SSL/TLS: RSA Temporary Key Handling 'RSA_EXPORT' Downgrade Issue (FREAK)
2015-03-06 00:00:00
DTLS: Deprecated DTLSv1.0 Detection
2024-01-09 00:00:00
OpenSSL Information Disclosure Vulnerability (20150319 - 4) - Linux
2021-07-29 00:00:00
fortinet
fortinet
TLS FREAK Attack
2015-03-04 00:00:00
openssl
openssl
Vulnerability in OpenSSL CVE-2015-0204
2015-01-06 00:00:00
thn
thn
'FREAK' — New SSL/TLS Vulnerability Explained
2015-03-03 20:30:00
veracode
veracode
Brute Force Decryption
2017-02-10 01:27:34
Information Disclosure
2019-05-02 05:39:15
ubuntucve
ubuntucve
CVE-2015-0204
2015-01-08 00:00:00
huawei
huawei
Security Advisory - Bar Mitzvah Attack Vulnerability in Huawei Products
2015-09-19 00:00:00
checkpoint_security
checkpoint_security
Check Point response to TLS FREAK Attack (CVE-2015-0204)
2015-03-03 22:00:00
cert
cert
SSL/TLS implementations accept export-grade RSA keys (FREAK attack)
2015-03-06 00:00:00

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON
Related for BB86AF26EFAC5E774B73ED4F6EA3CC2D4D70AAAEFF1EFE8255D4FF66723F6504
ibm159prion3cve3nessus13cisa1cisco1aix1hackerone1f53debiancve1openvas4fortinet1openssl1thn1veracode2ubuntucve1huawei1checkpoint_security1cert1