The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM Intelligent Operations Center.
CVE ID: CVE-2015-2808
**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as the Bar Mitzvah Attack.
CVSS Base Score: 5.00
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
| Affected Product and Version(s) | Product shipped as a component |
|---|---|
| IBM Intelligent Operations Center version 1.6.0.3 | IBM HTTP Server |
Interim fix PO04697 fixes this issue. Either apply the interim fix, or follow the manual instructions that are provided in the “Workarounds and Mitigations” section.
1. For a standard topology, on the web server, edit the following file:
/opt/IBM/HTTPServer/conf/httpd.conf
For a high availability topology, modify the file on both of the web servers.
2. Modify the following lines:
    SSLCipherSpec ALL SSL_RSA_WITH_RC4_128_MD5
    SSLCipherSpec ALL SSL_RSA_WITH_RC4_128_SHA
to:
    ##SSLCipherSpec ALL SSL_RSA_WITH_RC4_128_MD5
    ##SSLCipherSpec ALL SSL_RSA_WITH_RC4_128_SHA
3. In a standard environment, restart the web server. For more information, see “Starting the components in a standard environment” in the IBM Intelligent Operations Center product documentation.
In a high availability environment, restart both web servers. For more information, see “Starting the components in a high availability environment” in the IBM Intelligent Operations Center product documentation.
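The manual workaround above, scripted as an added example (this is not IBM's interim fix PO04697 or any IBM-provided tooling): it comments out the RC4 `SSLCipherSpec` lines in an IBM HTTP Server `httpd.conf` and then verifies that no active RC4 cipher spec remains. It generalizes step 2 to any `SSLCipherSpec` line naming an RC4 suite; the function names, the constructed sample fragment, and the assumption of GNU or BSD `sed`/`grep` with `-E` are mine, not the bulletin's.

```shell
#!/bin/sh
# Added example, not IBM's interim fix PO04697: apply the bulletin's manual
# workaround to an IBM HTTP Server httpd.conf and verify that no active
# SSLCipherSpec line still names an RC4 suite. Generalizes the two lines in
# the bulletin to any RC4 suite; assumes GNU or BSD sed and grep with -E.

# disable_rc4 <httpd.conf>: prefix every active SSLCipherSpec line naming an
# RC4 suite with "##", as in step 2 of the bulletin; keeps a .bak copy.
disable_rc4() {
    conf="$1"
    cp "$conf" "$conf.bak" || return 1
    sed -E 's/^([[:space:]]*)(SSLCipherSpec[[:space:]]+.*RC4.*)$/\1##\2/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# active_rc4_specs <httpd.conf>: print any active (uncommented) RC4
# SSLCipherSpec lines; exit 0 if the file is clean, 1 if any remain, 2 if unreadable.
active_rc4_specs() {
    [ -r "$1" ] || return 2
    ! grep -E '^[[:space:]]*SSLCipherSpec[[:space:]]+.*RC4' "$1"
}

# write_sample_conf <path>: constructed httpd.conf fragment for a dry run
# (not a real Intelligent Operations Center configuration).
write_sample_conf() {
    cat > "$1" <<'EOF'
Listen 443
SSLEnable
SSLCipherSpec ALL SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec ALL SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
##SSLCipherSpec ALL SSL_RSA_WITH_RC4_128_MD5
EOF
}

# No argument: dry run on the constructed fragment. With a path: edit that
# file in place (then restart the web server as in step 3).
main() {
    conf="${1:-${TMPDIR:-/tmp}/httpd.conf.rc4demo.$$}"
    [ -n "$1" ] || write_sample_conf "$conf"
    disable_rc4 "$conf" || { echo "edit failed: $conf" >&2; return 1; }
    if active_rc4_specs "$conf"; then echo "OK: no active RC4 specs in $conf"; rc=0
    else echo "WARNING: RC4 specs still active in $conf" >&2; rc=1; fi
    [ -n "$1" ] || rm -f "$conf" "$conf.bak"
    return "$rc"
}
main "$@"
```

After the restart in step 3, `openssl s_client -connect <host>:443 -cipher RC4` should fail to negotiate a session; current OpenSSL builds may refuse to offer RC4 on the client side at all, in which case a scanner that still supports RC4 is needed for the external check.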