Security Bulletin
Summary
GSKit, an IBM component, contains multiple vulnerabilities including “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. GSKit is used by IBM Tivoli Directory Server. IBM Tivoli Directory Server is used by IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business.
OpenSSL is also affected by these vulnerabilities. IBM Security Access Manager for Web appliances use OpenSSL for secure connections to the embedded Tivoli Directory Server.
IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business have addressed the applicable CVEs.
Vulnerability Details
CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
IBM Tivoli Access Manager for e-business 6.0, 6.1 and 6.1.1.
IBM Security Access Manager for Web 7.0 (software installations)
IBM Security Access Manager for Web 7.0 (appliances)
IBM Security Access Manager for Web 8.0, firmware versions 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, and 8.0.1.0.
Remediation/Fixes
|
Product | VRMF | APAR | Remediation |
| IBM Tivoli Access Manager for e-business | 6.0 6.1 6.1.1 | N/A | IBM recommends that you review your entire environment to identify vulnerable releases of LDAP and take appropriate mitigation and remediation actions.
Follow the instructions in the LDAP security bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159) |
| IBM Security Access Manager for Web (software-based installation) | 7.0.0.0 - 7.0.0.12 | N/A | IBM recommends that you review your entire environment to identify vulnerable releases of LDAP and take appropriate mitigation and remediation actions.
Follow the instructions in the LDAP security bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159) |
| IBM Security Access Manager for Web (appliance-based) | 7.0.0.0 - 7.0.0.12 8.0.0.0 - 8.0.1.0 | N/A | IBM Security Access Manager for Web appliances use OpenSSL to connect to the embedded LDAP. Ensure that you have followed the instructions in the associated security bulletin: OpenSSL: http://www.ibm.com/support/docview.wss?uid=swg21696550 If you have any stand-alone installations of IBM LDAP, please ensure that you upgrade to the latest version of LDAP. Follow the instructions in the LDAP security bulletin: Vulnerabilities in GSKit fixed in IBM Security/Tivoli Directory Server (CVE-2015-0138, CVE-2015-0159) |
For Tivoli Access Manager for e-business 5.1, IBM recommends upgrading to a fixed, supported release of the product.
Workarounds and Mitigations
None.
Get Notified about Future Security Bulletins
References
GSKit: http://www.ibm.com/support/docview.wss?uid=swg21700236
OpenSSL: http://www.ibm.com/support/docview.wss?uid=swg21696550
LDAP: http://www-01.ibm.com/support/docview.wss?uid=swg21698703
Change History
April 29, 2015: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21700228