History: Jun 17, 2018 - 2:59 p.m.

Security Bulletin: Vulnerability in IBM Java Runtime affects the Enterprise Common Collector component of the IBM Tivoli zEnterprise Monitoring Agent (CVE-2015-0138)

2018-06-17 14:59:24
www.ibm.com

CVSS2: 4.3 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary

The “FREAK: Factoring Attack on RSA-EXPORT keys” TLS/SSL client and server vulnerability affects IBM® Runtime Environment Java™ Technology Edition, Version 6 that is used by the Enterprise Common Collector (a component of IBM Tivoli zEnterprise Monitoring Agent, a component of IBM Tivoli Monitoring).

Vulnerability Details

CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
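
The description above comes down to one handshake-state rule: when the ServerHello selects a non-export RSA key exchange suite, a ServerKeyExchange carrying a temporary RSA key must be rejected. The following is an added example, not code from IBM's bulletin or the IBM JRE; the function names, the short suite lists and the sample bytes are constructed for illustration, and the input is assumed to be an already reassembled, unencrypted server handshake flight.

```python
# Handshake message types (RFC 5246, section 7.4)
SERVER_HELLO, SERVER_KEY_EXCHANGE = 2, 12
# Non-export suites whose key exchange is plain RSA: the server must NOT
# send a ServerKeyExchange (temporary RSA key) for these. Illustrative subset.
PLAIN_RSA = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
# RSA_EXPORT suites, the only place a temporary RSA key is expected.
RSA_EXPORT = {0x0003, 0x0006, 0x0008}

def iter_handshake(data):
    """Yield (msg_type, body) for each handshake message in the stream."""
    off = 0
    while off < len(data):
        header = data[off:off + 4]
        if len(header) < 4:
            raise ValueError("truncated handshake header")
        length = int.from_bytes(header[1:], "big")
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        yield header[0], body
        off += 4 + length

def selected_suite(hello):
    """Suite chosen in a ServerHello body: version(2) random(32) sid suite(2)."""
    if len(hello) < 35 or len(hello) < 37 + hello[34]:
        raise ValueError("truncated ServerHello")
    start = 35 + hello[34]
    return int.from_bytes(hello[start:start + 2], "big")

def check_server_flight(data):
    """Return 'ok', 'export-suite-selected' or 'unexpected-temporary-rsa-key'."""
    suite = None
    for msg_type, body in iter_handshake(data):
        if msg_type == SERVER_HELLO:
            suite = selected_suite(body)
            if suite in RSA_EXPORT:
                return "export-suite-selected"
        elif msg_type == SERVER_KEY_EXCHANGE and suite in PLAIN_RSA:
            return "unexpected-temporary-rsa-key"
    return "ok"

def sample_flight(suite, with_ske):
    """Constructed sample: ServerHello plus an optional dummy ServerKeyExchange."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    msgs = [(SERVER_HELLO, hello)]
    if with_ske:
        msgs.append((SERVER_KEY_EXCHANGE, bytes(8)))
    return b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in msgs)
```

A DHE_RSA suite such as 0x0033 legitimately sends a ServerKeyExchange, so the check keys on the negotiated suite rather than on the message type alone.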

Affected Products and Versions

Enterprise Common Collector 1.1.0 (a component of IBM Tivoli zEnterprise Monitoring Agent, a component of IBM Tivoli Monitoring v6.2.3 and v6.3.0)

Remediation/Fixes

Product | VRMF | Operating System | Remediation/First Fix
---|---|---|---
IBM Tivoli zEnterprise Monitoring Agent (Enterprise Common Collector v1.1.0 component) | v6.2.3 | AIX® | Fix Central link
 | | Linux® on System z® | Fix Central link
 | | Linux® on Intel® 32-bit | Fix Central link
 | | Linux® on Intel® 64-bit | Fix Central link
 | | 32-bit Windows® | Fix Central link
 | | 64-bit Windows® | Fix Central link

You should verify applying this fix does not cause any compatibility issues.
