The “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability (CVE-2015-0138) may affect some configurations of IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile, and IBM WebSphere Application Server Hypervisor Edition.
CVE-ID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
|
Principal Product and Version(s)
| Affected Supporting Product and Version |
Maximo Asset Management 7.6, 7.5, 7.1
Maximo Asset Management Essentials 7.5, 7.1
Maximo for Government 7.5, 7.1
Maximo for Nuclear Power 7.5, 7.1
Maximo for Transportation 7.5, 7.1
Maximo for Life Sciences 7.5, 7.1
Maximo for Oil and Gas 7.5, 7.1
Maximo for Primavera 7.5, 7.1
Maximo for Utilities 7.5, 7.1
SmartCloud Control Desk 7.5
Tivoli Asset Management for IT 7.2, 7.1
Tivoli Service Request Manager 7.2, 7.1
Change and Configuration Management Database 7.2, 7.1
Intelligent Building Management 1.1
|
IBM WebSphere Application Server 8.5.5
IBM WebSphere Application Server 8.5
IBM WebSphere Application Server 8.0
IBM WebSphere Application Server 7.0
IBM WebSphere Application Server 6.1
|
Please refer to Workarounds and Mitigations below.
By default, the WebSphere Application Server SSL configuration is set to use the "STRONG" or "HIGH" secure cipher list which does not use RSA Export ciphers, so you would not be affected if you have not changed your ciphers.
If you have overridden the default configuration to use the "MEDIUM" secure cipher list then it will contain the RSA Export Ciphers. You should change this configuration to use "STRONG" or "HIGH".
If you have configured to use "CUSTOM" list of ciphers that includes an RSA Export cipher, then you should remove those RSA Export ciphers from the Application Server configuration.
For any outbound connections, IBM recommends that any servers that WebSphere Application Server is connecting to needs to insure that RSA Export Ciphers are also disabled.
References
Off
24 Mar 2015: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
[{"Product":{"code":"SSLKT6","label":"IBM Maximo Asset Management"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1;7.5;7.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSWK4A","label":"Maximo Asset Management Essentials"},"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.5;7.1.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSMQTP","label":"Maximo for Government"},"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.1;7.5","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSLL8M","label":"Maximo for Nuclear Power"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.1;7.5","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSLL9Z","label":"Maximo for Transportation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.5;7.1.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSLL84","label":"Maximo for Life Sciences"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.5;7.1.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSLL9G","label":"Maximo for Oil and Gas"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.5;7.1.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSLKRU","label":"Maximo Adapter for Primavera"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.1;7.5","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSLLAM","label":"Maximo for Utilities"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.5;7.1.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSWT9A","label":"IBM Control Desk"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.5","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSLKTY","label":"Maximo Asset Management for IT"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.1;7.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SS6HJK","label":"Tivoli Service Request Manager"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.1;7.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSKTXT","label":"Tivoli Change and Configuration Management Database"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.1;7.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSWDVU","label":"IBM TRIRIGA Energy Optimization"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]