OpenSSL vulnerabilities were disclosed on May 03, 2016 by the OpenSSL Project. OpenSSL is used by Rational Software Architect and Rational Software Architect for WebSphere Software. The applicable CVEs have been addressed.
CVEID: CVE-2016-2107**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error when the connection uses an AES CBC cipher and the server support AES-NI. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt traffic.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112854 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2016-2105**
DESCRIPTION:** OpenSSL is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the EVP_EncodeUpdate() function. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112855 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Rational Software Architect and Rational Software Architect for WebSphere Software: Ver 9.1 through 9.5x
Update the IBM SDK for Node.js using by the Cordova platform in the product to address this vulnerability:
Product | VRMF | ![]() |
Remediation/First Fix |
---|---|---|---|
Rational Software Architect and Rational Software Architect for WebSphere Software | 9.1, 9.1.x, and 9.5x | ![]() |
* Apply [_IBM SDK for Node.js Version 1.1 release updated equivalent to the Joyent Node.js API version 0.10.44_](<https://developer.ibm.com/node/sdk/#v11>) to the Cordova platform in the product.
Installation instructions for applying the update to the Cordova platform in the product can be found here:_
__
_Upgrading the IBM SDK for Node.js used by Cordova