IBMCD85593A91490D356153237E93D8272C35184E2BC68DD848E9A02EDD3BDE6E67Security Bulletin: OpenSSL vulnerabilities for Rational Automation Framework Security Advisory (CVE-2015-0204)
EPSS
Percentile
99.3%
Summary
A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
Vulnerability Details
| Subscribe to My Notifications to be notified of important product support alerts like this.
- Follow this link for more information (requires login with your IBM ID)
—|—
CVEID: CVE-2015-0204 **
DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3 CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>_ for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
Rational Automation Framework 3.0.1, 3.0.1.1, 3.0.1.2, 3.0.1.2.1 and 3.0.1.3 on all supported platforms.
Remediation/Fixes
Upgrade to RAF 3.0.1.3 ifix1 or later.
Workarounds and Mitigations
None
Related
EPSS
Percentile
99.3%