5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
Addresses multiple vulnerabilities disclosed as part of the IBM Java SDK updates in April 2015.
There are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6 that is used by Tivoli Composite Application Manager for SOA. These issues were disclosed as part of the IBM Java SDK updates in April 2015.
This bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability. These fixes were also previously included in 7.2.0.1-TIV-ITCAMSOA-IF0003.
CVE-2015-0204 was fixed in IBM SDK, Java Technology Edition under CVE-2015-0138. Both CVEs are included in this advisory for completeness.
CVEID:CVE-2015-0488**
DESCRIPTION:*An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/102336for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID:CVE-2015-0478**
DESCRIPTION:*An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/102339for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID:CVE-2015-0204**
DESCRIPTION:A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/99707for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
** ****CVEID:CVE-2015-2808*
DESCRIPTION:The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/101851for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
**
CVEID:CVE-2015-1916*
DESCRIPTION:*Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/101995for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
IBM Tivoli Composite Application Manager for SOA 7.2
Product
|
VRMF |
APAR |
Remediation/First Fix
—|—|—|—
IBM Tivoli Composite Application Manager for SOA |
7.2.0.1 |
IV73049 |
This fix also resolves the LogJam vulnerability in Diffie-Hellman ciphers. For details see here: <http://www-01.ibm.com/support/docview.wss?uid=swg21902710>
For earlier releases IBM recommends upgrading to a fixed, supported version of the product.
None
CPE | Name | Operator | Version |
---|---|---|---|
tivoli composite application manager for soa | eq | 7.2 |