“FREAK: Factoring Attack on RSA-EXPORT keys” TLS/SSL client and server vulnerability.
CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
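The client-side check that the description refers to can be modelled as follows. This is an added illustration, not IBM code: the function names, the `strict` switch and the sample handshake flight are constructed for the example, and the rule applied is the RFC 5246 one that a ServerKeyExchange message is not legal for plain RSA key exchange.

```python
# Simplified model of a TLS client processing the server's handshake flight.
# Illustrative only: names and sample data are constructed, not IBM code.

class HandshakeError(Exception):
    """Stands in for a fatal unexpected_message alert."""

# RFC 5246 section 7.4.3: ServerKeyExchange is not legal for these methods.
NO_SKE_KEY_EXCHANGES = ("RSA", "DH_DSS", "DH_RSA")

def key_exchange(suite):
    """Key-exchange family of a suite name, e.g. 'RSA' or 'RSA_EXPORT'."""
    name = suite.split("_WITH_")[0]
    for prefix in ("TLS_", "SSL_"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name

def ske_allowed(suite):
    """True if the negotiated suite permits a ServerKeyExchange message."""
    return key_exchange(suite) not in NO_SKE_KEY_EXCHANGES

def accept_server_flight(suite, messages, strict=True):
    """Return the RSA key size (bits) the client would encrypt the
    premaster secret to. strict=False models the flawed behaviour of
    accepting a temporary RSA key whatever suite was negotiated."""
    key_bits = None
    for msg_type, body in messages:
        if msg_type == "Certificate":
            key_bits = body["rsa_bits"]
        elif msg_type == "ServerKeyExchange":
            if strict and not ske_allowed(suite):
                raise HandshakeError("unexpected ServerKeyExchange for " + suite)
            key_bits = body["rsa_bits"]  # temporary key replaces the certificate key
    return key_bits

# Constructed sample: a non-export suite was negotiated, yet the flight
# carries a 512-bit temporary RSA key after the 2048-bit certificate.
NON_EXPORT = "TLS_RSA_WITH_AES_128_CBC_SHA"
EXPORT = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"
FLIGHT = [("Certificate", {"rsa_bits": 2048}),
          ("ServerKeyExchange", {"rsa_bits": 512})]

if __name__ == "__main__":
    print("flawed client uses", accept_server_flight(NON_EXPORT, FLIGHT, strict=False), "bits")
    try:
        accept_server_flight(NON_EXPORT, FLIGHT)
    except HandshakeError as err:
        print("strict client aborts:", err)
```

With the check in place the handshake is aborted instead of continuing with the 512-bit key; the same flight remains acceptable only when an RSA_EXPORT suite was actually negotiated.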
This vulnerability affects IBM WebSphere Real Time Version 3 Service Refresh 8 Fix Pack 10 and earlier releases.
The fixes for these vulnerabilities are included in IBM WebSphere Real Time Version 3 Service Refresh 9.
In addition, an iFix release based on Service Refresh 8 Fix Pack 10 is available.
IBM customers should download WebSphere Real Time updates from Fix Central.
The APAR for this fix is IV70681.