Security Bulletin
Summary
A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using a man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also know as the FREAK attack.
Vulnerability Details
CVE ID: CVE-2015-0204
Description : IBM CICS Transaction Gateway could allow a remote attacker to obtain sensitive information, caused by a design error when using the TLS or SSLv3 protocol
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99707 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CICS TG V9.0 and later Gateway daemons use Java 7 or later and so are not affected by the FREAK vulnerability. The vulnerability in CICS TG V7.2 (out of support) and CICS TG V8.0 and V8.1 can be closed by configuring CICS TG to use updated releases of Java. Updated JREs containing the Java fix for CVE-2015-0204, for use with CICS TG can be found at:
http://www.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other software&query.product=ibm~WebSphere~CICS Transaction Gateway for Multiplatforms&query.release=All&query.platform=All
Affected Products and Versions
CICS Transaction Gateway for Multiplatforms V7.2 and CICS Transaction Gateway and Desktop Edition V8.0 and V8.1
Workarounds and Mitigations
The use of RSA Export Ciphers by CICS Transaction Gateway can be prevented by configuring CICS TG to only accept more secure cipher suites, This can be done by listing the acceptable cipher suites using the ciphersuites parameter in the ctg.ini file, or by adding the acceptable cipher suites to the "Use only these ciphers" suites in the "SSL settings" section of the CICS TG configuration tool
See the CICS TG for Multiplatforms Knowledge Center for more details.
.
Get Notified about Future Security Bulletins
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21698668