Lucene search

K
ibmIBMF4E7E3BE19F29D23C9E8BDC15EEAE7B010BF3E4C06C22A6AC29599A6977CB542
HistoryMay 24, 2022 - 5:06 p.m.

Security Bulletin: The LogJam Attack on Diffie-Hellman ciphers (CVE-2015-4000) affects some versions of the DS8000.

2022-05-2417:06:20
www.ibm.com
108

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.975 High

EPSS

Percentile

100.0%

Summary

The LogJam Attack on Diffie-Hellman ciphers (CVE-2015-4000) affects some versions of the DS8000.

Vulnerability Details

CVEID: CVE-2015-4000 **
DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as “Logjam”.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

DS8870 prior to R7.2

DS8800/DS8700 prior to R6.3 SP9 ( 86.31.142.0 / 76.31.121.0 respectively) which have not applied ISO CD patch named RemoveWeakCertificatesv1.0 or RemoveWeakCertificatesV1.1

Remediation/Fixes

As noted DS8870 at R7.2 and above (87.21.5.0) and and DS8800/DS8700 at R6.3 SP9 and above (86.31.142.0 / 76.31.121.0) are not impacted.

DS8700/DS8800/DS8870 customers should upgrade to a version which is not impacted or apply the patch noted below.

Patch Release

Product VRMF APAR Remediation/First Fix
DS8870 prior to R7.2 N/A CVE_WEAK_CIPHER_PATCH_v1.0 03/23/2015
DS8800 prior to R6.3 SP9 N/A CVE_WEAK_CIPHER_PATCH_v1.0 03/23/2015
DS8700 prior to R6.3 SP9 N/A CVE_WEAK_CIPHER_PATCH_v1.0 03/23/2015

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.975 High

EPSS

Percentile

100.0%

Related for F4E7E3BE19F29D23C9E8BDC15EEAE7B010BF3E4C06C22A6AC29599A6977CB542