Security Bulletin
Summary
Bouncy Castle could allow a remote attacker to obtain sensitive information, caused by an invalid curve attack. An attacker could exploit this vulnerability to extract private keys used in elliptic curve cryptography and obtain sensitive information.
Vulnerability Details
CVEID: CVE-2015-7940
DESCRIPTION: Bouncy Castle could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability using an invalid curve attack to extract private keys used in elliptic curve cryptography and obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107739 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
RST versions 8.2.*, 8.3.*, 8.5.*, 8.6.*, 8.7.*.
Remediation/Fixes
It is strongly recommended to upgrade to RPT version 9.0.
For older releases, you can alternatively update the Bouncy Castle library manually:
1) Download Bouncy Castle version 1.5.3 (the jar can be downloaded from https://www.bouncycastle.org/download/jce-jdk13-154.jar).
2) Locate the previously delivered Bouncy Castle library. It is typically at the following path:
INSTALLATION_DIRECTORY/IBM_SHARED_PLUGINS/plugins/com.ibm.rational.ttt.common.models.core_plugin_version/lib/approvedbouncy
For example:
C:\Program Files\IBM\IBMIMSharedRPT8702\plugins\com.ibm.rational.ttt.common.models.core_8.5.210.v20150622_1524\lib\approvedbouncy
for RPT v8.7.0.2.
3) Rename the downloaded Bouncy Castle version 1.5.3 jar to the name of the previously delivered jar (jce-jdk13-134.jar).
4) Replace the old jar with the new one.
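Steps 2 to 4 as a script, added here as an example and not IBM's own tooling. Because the new jar takes the old file name, the name no longer shows which version is installed, so the script confirms the replacement by SHA-256. The function names, the backup directory and the handling of several installed plug-in versions are assumptions of this example.

```python
import hashlib
import shutil
from pathlib import Path

OLD_JAR_NAME = "jce-jdk13-134.jar"  # name of the previously delivered jar (from the bulletin)
PLUGIN_GLOB = "com.ibm.rational.ttt.common.models.core_*/lib/approvedbouncy"

def sha256(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def replace_bouncy_castle(plugins_dir: Path, new_jar: Path, backup_dir: Path) -> list:
    """Replace OLD_JAR_NAME under every matching plug-in version; one record per directory."""
    new_hash = sha256(new_jar)
    results = []
    for lib_dir in sorted(plugins_dir.glob(PLUGIN_GLOB)):
        target = lib_dir / OLD_JAR_NAME
        record = {"dir": str(lib_dir), "status": "missing", "old_sha256": None}
        if target.is_file():
            record["old_sha256"] = sha256(target)
            if record["old_sha256"] == new_hash:
                record["status"] = "already-updated"
            else:
                # Move the old jar out of the plug-in tree so it is kept only as a backup.
                dest = backup_dir / lib_dir.parent.parent.name
                dest.mkdir(parents=True, exist_ok=True)
                shutil.move(str(target), str(dest / OLD_JAR_NAME))
                shutil.copyfile(new_jar, target)
                # Verify by content: the file name still reads as the old version.
                record["status"] = "replaced" if sha256(target) == new_hash else "verify-failed"
        results.append(record)
    return results

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed tree, not a real installation
        root = Path(tmp)
        lib = root / "plugins" / "com.ibm.rational.ttt.common.models.core_0.0.0" / "lib" / "approvedbouncy"
        lib.mkdir(parents=True)
        (lib / OLD_JAR_NAME).write_bytes(b"constructed old jar")
        (root / "jce-jdk13-154.jar").write_bytes(b"constructed new jar")
        print(replace_bouncy_castle(root / "plugins", root / "jce-jdk13-154.jar", root / "backup"))
```

Record the hash of the downloaded jar with the change ticket; a later audit can compare it against the installed file, whose name will still read jce-jdk13-134.jar.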
Workarounds and Mitigations
None.
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
17 June 2018
UID
swg21978823