IBM Support

Security Bulletin: Vulnerabilities in IBM Tivoli Directory Server affect IBM Security Access Manager for Web and Tivoli Access Manager for e-business (CVE-2015-0138)

Created by Ann-Louise Bolger on
Published URL:
https://www.ibm.com/support/pages/node/258959
258959

Security Bulletin


Summary

GSKit, an IBM component, contains multiple vulnerabilities including “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. GSKit is used by IBM Tivoli Directory Server. IBM Tivoli Directory Server is used by IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business.

OpenSSL is also affected by these vulnerabilities. IBM Security Access Manager for Web appliances use OpenSSL for secure connections to the embedded Tivoli Directory Server.

IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0138

DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Tivoli Access Manager for e-business 6.0, 6.1 and 6.1.1.
IBM Security Access Manager for Web 7.0 (software installations)
IBM Security Access Manager for Web 7.0 (appliances)
IBM Security Access Manager for Web 8.0, firmware versions 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, and 8.0.1.0.

Remediation/Fixes

Product

VRMFAPARRemediation
IBM Tivoli Access Manager for e-business6.0
6.1
6.1.1
N/AIBM recommends that you review your entire environment to identify vulnerable releases of LDAP and take appropriate mitigation and remediation actions.

Follow the instructions in the LDAP security bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)

IBM Security Access Manager for Web
(software-based installation)
7.0.0.0 -
7.0.0.12
N/AIBM recommends that you review your entire environment to identify vulnerable releases of LDAP and take appropriate mitigation and remediation actions.

Follow the instructions in the LDAP security bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)

IBM Security Access Manager for Web (appliance-based)7.0.0.0 -
7.0.0.12

8.0.0.0 -
8.0.1.0
N/AIBM Security Access Manager for Web appliances use OpenSSL to connect to the embedded LDAP. Ensure that you have followed the instructions in the associated security bulletin:

OpenSSL: http://www.ibm.com/support/docview.wss?uid=swg21696550

If you have any stand-alone installations of IBM LDAP, please ensure that you upgrade to the latest version of LDAP. Follow the instructions in the LDAP security bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159)

For Tivoli Access Manager for e-business 5.1, IBM recommends upgrading to a fixed, supported release of the product.

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

References

Off

Change History

April 29, 2015: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSPREK","label":"Tivoli Access Manager for e-business"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0;6.1;6.1.1;7.0;8.0;8.0.0.2;8.0.0.4;8.0.0.5;8.0.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21700228