Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server if FIPS 140-2 is enabled (CVE-2016-0306)

Summary

There is a potential security vulnerability in IBM WebSphere Application Server if FIPS 140-2 is enabled.

Vulnerability Details

CVEID: CVE-2016-0306**
DESCRIPTION:** IBM WebSphere Application Server could provide weaker than expected security, caused by the improper TLS configuration. A remote attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111423 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

• Version 8.5.5 Full Profile
• Version 8.5 Full Profile
• Version 8.0
• Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI56190 for each named product as soon as practical. **

For WebSphere Application Server:**** **For V8.5.0.0 through 8.5.5.9 Full Profile:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI56190
--OR–
· Apply Fix Pack 8.5.5.10 or later.

For V8.0.0.0 through 8.0.0.12:
· Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix PI56190

--OR–
· Apply Fix Pack 8.0.0.13 or later. **

For V7.0.0.0 through 7.0.0.39:**
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI56190

--OR–
· Apply Fix Pack 7.0.0.41 or later.

Workarounds and Mitigations

none