Dec 15, 2021 - 6:04 p.m.

Security Bulletin: CVE-2015-4000 Diffie-Hellman Export Cipher Suite Vulnerabilities in Multiple N series Products

2021-12-15 18:04:22
www.ibm.com

EPSS: 0.974 (Percentile: 99.9%)

Summary

A vulnerability known as Logjam may affect multiple N series products and the impact is under investigation. Versions 1.2 and earlier of the Transport Layer Security (TLS) protocol can allow man-in-the-middle (MITM) attackers to conduct downgrade attacks. Multiple N series products have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-4000
DESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to a 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as “Logjam”.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Snap Creator Framework: 3.6.0, 4.1.0, 4.1.2, 4.3;
SnapDrive for Windows: 7.0.3, 7.1.1, 7.1.2, 7.1.3;
SnapManager for SAP: 3.2, 3.3, 3.3.1, 3.4;
Virtual Storage Console for VMware vSphere: 6.0, 6.1;

Remediation/Fixes

For Snap Creator Framework: the fix exists from microcode version 4.3P1;
For SnapDrive for Windows: the fix exists from microcode version 7.1.4;
For SnapManager for SAP: the fix exists from microcode version 3.4.1;
For Virtual Storage Console for VMware vSphere: the fix exists from microcode version 6.2;

Please contact IBM support or go to this link to download a supported release.

Workarounds and Mitigations

None.