OpenSSL vulnerabilities were disclosed on January 28, 2016 by the OpenSSL Project. OpenSSL is used by IBM Rational Application Developer for WebSphere Software. IBM Rational Application Developer for WebSphere Software has addressed the applicable CVEs.
CVEID: CVE-2016-0701
**
DESCRIPTION:** OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by the use of weak Diffie-Hellman parameters based on unsafe primes that are generated and stored in X9.42-style parameter files. By performing multiple handshakes using the same private DH exponent, an attacker could exploit this vulnerability to conduct man-in-the-middle attacks.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110234 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVEID: CVE-2015-3197
**
DESCRIPTION:** OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by an error related to the negotiation of disabled SSLv2 ciphers by malicious SSL/TLS clients. An attacker could exploit this vulnerability to conduct man-in-the-middle attacks.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110235 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
IBM Rational Application Developer for WebSphere Software v9.1 and v9.5
Update the IBM SDK for Node.js using by the Cordova platform in the product to address this vulnerability:
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
Rational Application Developer | 9.1, 9.1.x, and 9.5.x | PI57309 |
Installation instructions for applying the update to the Cordova platform in the product can be found here: