CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N); Attack Vector: NETWORK, Attack Complexity: MEDIUM, Authentication: NONE, Confidentiality Impact: NONE, Integrity Impact: PARTIAL, Availability Impact: NONE
EPSS: 0.005 Low (percentile 76.0%)
IBM SECURITY ADVISORY
First Issued: Mon Apr 13 12:11:24 CDT 2015
The most recent version of this document is available here:
VULNERABILITY SUMMARY
VULNERABILITY: Vulnerability in IBM SDK Java JSSE affects AIX
PLATFORMS: AIX 5.3, 6.1 and 7.1.
VIOS 2.2.x
SOLUTION: Apply the fix as described below.
THREAT: A remote attacker can decrypt SSL/TLS traffic
CVE Numbers: CVE-2015-0138
Reboot required? NO
Workarounds? NO
===============================================================================
DETAILED INFORMATION
I. DESCRIPTION
A vulnerability in various IBM SSL/TLS implementations could
allow a remote attacker to downgrade the security of certain
SSL/TLS connections. An IBM SSL/TLS client implementation
could accept the use of an RSA temporary key in a non-export
RSA key exchange ciphersuite. This could allow a remote
attacker using man-in-the-middle techniques to facilitate
brute-force decryption of TLS/SSL traffic between vulnerable
clients and servers. This vulnerability is known as the FREAK
attack.
II. CVSS
CVEID: CVE-2015-0138
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
III. PLATFORM VULNERABILITY ASSESSMENT
The following fileset levels (VRMF) are vulnerable, if the respective Java version is installed:
For Java5: Less than or equal to 5.0.0.590
For Java6: Less than or equal to 6.0.0.470
For Java7: Less than or equal to 7.0.0.195
For Java7 Release 1: Less than or equal to 7.1.0.75
Note: To find out whether the affected filesets are installed on your
systems, refer to the lslpp command found in the AIX user's guide.
Example: lslpp -L | grep -i java
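The following script is an added example, not part of the IBM advisory: it applies the section III fileset thresholds to lslpp -L output and flags any Java fileset still at a vulnerable level. The sample lslpp output is constructed, and the Java* fileset names in it are an assumption about AIX naming rather than values from the advisory.

```shell
#!/bin/sh
# Added example (not from the IBM advisory): compare Java fileset levels from `lslpp -L`
# against the vulnerable VRMF ranges in section III. Sample output below is constructed.
SAMPLE_LSLPP='  Java5_64.sdk   5.0.0.590   C   F   Java SDK 64-bit
  Java6.sdk      6.0.0.475   C   F   Java SDK 32-bit
  Java7.jre      7.0.0.195   C   F   Java SDK 32-bit JRE
  Java71_64.sdk  7.1.0.75    C   F   Java SDK 64-bit
  Java71.jre     7.1.0.80    C   F   Java SDK 32-bit JRE'
# Highest vulnerable VRMF per Java stream (section III), keyed by the V.R.M prefix.
vuln_threshold() {
    case "$1" in
        5.0.0) echo 5.0.0.590 ;;
        6.0.0) echo 6.0.0.470 ;;
        7.0.0) echo 7.0.0.195 ;;
        7.1.0) echo 7.1.0.75 ;;
    esac
}
# vrmf_le A B: succeed when A <= B, comparing the four fields as integers (string order would
# put 7.0.0.195 above 7.0.0.1000).
vrmf_le() {
    a=$1 b=$2
    for i in 1 2 3 4; do
        fa=${a%%.*} fb=${b%%.*}
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
        a=${a#*.} b=${b#*.}
    done
    return 0
}
# java_vrmf_vulnerable VRMF: 0 = vulnerable, 1 = at or above the fixed level, 2 = stream not
# covered by this advisory (for example a Java 8 fileset).
java_vrmf_vulnerable() {
    max=$(vuln_threshold "${1%.*}")
    [ -n "$max" ] || return 2
    vrmf_le "$1" "$max"
}
# scan_lslpp: read lslpp -L lines on stdin, print each vulnerable Java fileset, and succeed
# when at least one was found. Fileset names starting with "Java" are assumed.
scan_lslpp() {
    found=1
    while read -r fileset level rest; do
        case "$fileset" in Java*) ;; *) continue ;; esac
        if java_vrmf_vulnerable "$level"; then
            echo "VULNERABLE: $fileset $level (at or below $(vuln_threshold "${level%.*}"))"
            found=0
        fi
    done
    return $found
}
printf '%s\n' "$SAMPLE_LSLPP" | scan_lslpp || echo "no vulnerable Java filesets found"
```

On a real host, replace the constructed sample with `lslpp -L | scan_lslpp`.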
IV. FIXES
AFFECTED PRODUCTS AND VERSIONS:
AIX 5.3
AIX 6.1
AIX 7.1
VIOS 2.2.x
REMEDIATION:
IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 and later
32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+32-bit,+pSeries&function=all
64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+64-bit,+pSeries&function=all
IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 3 and later
32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+32-bit,+pSeries&function=all
64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+64-bit,+pSeries&function=all
IBM SDK, Java Technology Edition, Version 7, Service Refresh 8 Fix Pack 10 and later
32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all
64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all
IBM SDK, Java Technology Edition, Version 7 Release 1 Service Refresh 2 Fix Pack 10 and later
32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all
64-bit: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all
To learn more about AIX support levels and Java service releases, see the following:
http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels
Published advisory OpenSSL signature file location:
http://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig
https://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig
openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
V. WORKAROUNDS
None
VI. CONTACT US
If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":
http://www.ibm.com/support/mynotifications
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
Comments regarding the content of this announcement can be
directed to:
[email protected]
To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:
Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via [email protected] you
can either:
A. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt
B. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
VII. REFERENCES:
Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE-2015-0138: https://vulners.com/cve/CVE-2015-0138
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the links
in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
open standard designed to convey vulnerability severity and help to
determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES
"AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
VULNERABILITY.
VIII. ACKNOWLEDGEMENTS:
The vulnerability was reported to IBM by Karthikeyan Bhargavan
of the PROSECCO team at INRIA.