Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects Rational Tau (CVE-2015-4000)

2018-06-1705:03:31

www.ibm.com

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

JSON

Summary

The Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects Rational Tau

Vulnerability Details

CVEID: CVE-2015-4000**
DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as “Logjam”.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

4.3, 4.3.0.1, 4.3.0.2, 4.3.0.3, 4.3.0.4, 4.3.0.5, 4.3.0.6, 4.3.0.6 Interim Fix 1, 4.3.0.6 Interim Fix 2, 4.3.0.6 Interim Fix 3

Remediation/Fixes

Upgrade to Rational Tau Interim Fix 4 for 4.3.0.6

Workarounds and Mitigations

No workarounds

CPENameOperatorVersion
rational taueq4.3
rational taueq4.3.0.1
rational taueq4.3.0.2
rational taueq4.3.0.3
rational taueq4.3.0.4
rational taueq4.3.0.5
rational taueq4.3.0.6