5.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:N/I:P/A:C
There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 5, 6, and 7 that are used by Tivoli Netcool/OMNIbus. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability.
CVEID: CVE-2015-0138 DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-6593 DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score
CVSS Environmental Score*: Undefined
CVEID: CVE-2015-0383 DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact.
CVSS Base Score: 5.4
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100148>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)
CVEID: CVE-2015-0410 DESCRIPTION: An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Tivoli Netcool/OMNIbus 7.3.0
Tivoli Netcool/OMNIbus 7.3.1
Tivoli Netcool/OMNIbus 7.4.0
Tivoli Netcool/OMNIbus 8.1.0
Product
| VRMF | APAR | Remediation/First Fix
—|—|—|—
OMNIbus | 7.3.0.15 | IV71122 | <http://www-01.ibm.com/support/docview.wss?uid=swg24039199>
OMNIbus | 7.3.1.12 | IV71122 | <http://www-01.ibm.com/support/docview.wss?uid=swg24036687>
OMNIbus | 7.4.0.6 | IV71122 | <http://www-01.ibm.com/support/docview.wss?uid=swg24036690>
OMNIbus | 8.1.0.3 | IV71122 | <http://www-01.ibm.com/support/docview.wss?uid=swg24039346>
CPE | Name | Operator | Version |
---|---|---|---|
tivoli netcool/omnibus | eq | 7.4.0 | |
tivoli netcool/omnibus | eq | 7.3.1 | |
tivoli netcool/omnibus | eq | 7.3.0 | |
tivoli netcool/omnibus | eq | 8.1.0 |