IBM Support

IBM PureApplication System Version 2.0.0.1 Interim Fix 5

Abstract

This document lists the fixes contained in IBM PureApplication System 2.0.0.1 Interim Fix 5.

Download Description

To download the interim fix, go to the PureApplication System product page on Fix Central.

Version 2.0.0.1 Interim Fix 5 includes fixes for these security vulnerabilities:

CVE-2015-0138
    DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.

CVE-2015-0204
    DESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.

CVE-2015-1916
    DESCRIPTION: Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.

CVE-2015-1920
    DESCRIPTION: WebSphere Application Server could allow a remote attacker to execute arbitrary code by connecting to a management port and executing a specific sequence of instructions.

CVE-2015-2808
    DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".

CVE-2015-4000
    DESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to a 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as "Logjam".
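As an added example (not part of this IBM document and not PureApplication System code), the following Python script audits a list of TLS cipher-suite names for the three suite families behind the CVEs above: export-grade RSA key exchange (FREAK, CVE-2015-0138 and CVE-2015-0204), DHE_EXPORT key exchange (Logjam, CVE-2015-4000) and the RC4 bulk cipher (Bar Mitzvah, CVE-2015-2808). Suite names are assumed to be in the IANA TLS_<kx>_WITH_<cipher> form, and the sample list is constructed for the example rather than taken from any product configuration.

```python
# Added example: audit a cipher-suite list for the suite families named by
# the CVEs above. Not IBM code; the sample suites are constructed.

# CVE ids (from the list above) associated with each weak suite family.
FREAK = ("CVE-2015-0138", "CVE-2015-0204")   # export-grade RSA key exchange
LOGJAM = ("CVE-2015-4000",)                   # DHE_EXPORT key exchange
BAR_MITZVAH = ("CVE-2015-2808",)              # RC4 bulk cipher

# Constructed sample input, not a PureApplication System configuration.
SAMPLE_SUITES = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",          # export RSA and RC4
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",   # export DHE
    "TLS_RSA_WITH_RC4_128_SHA",                # RC4 with a non-export key exchange
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # no finding
    "TLS_RSA_WITH_AES_256_CBC_SHA",            # no finding for this audit
]


def parse_suite(name):
    """Split 'TLS_<kx>_WITH_<cipher>' into (kx, cipher), or None if not IANA form."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return None
    kx, cipher = name[len("TLS_"):].split("_WITH_", 1)
    return kx, cipher


def findings_for(name):
    """Return the CVE ids that apply to one suite name (empty list if none)."""
    parsed = parse_suite(name)
    if parsed is None:
        return []
    kx, cipher = parsed
    cves = []
    if "EXPORT" in kx:
        # Export-grade key exchange: which CVE depends on the key-exchange family.
        if kx.startswith("DHE_"):
            cves.extend(LOGJAM)
        elif kx.startswith("RSA"):
            cves.extend(FREAK)
    if cipher.startswith("RC4_"):
        cves.extend(BAR_MITZVAH)
    return cves


def audit(suites):
    """Map each flagged suite to its CVE ids.

    Names that are not in the IANA form are collected under the key None so
    that an unparsed suite is never silently treated as safe.
    """
    report = {}
    for name in suites:
        if parse_suite(name) is None:
            report.setdefault(None, []).append(name)
            continue
        cves = findings_for(name)
        if cves:
            report[name] = cves
    return report


def hardened(suites):
    """Return the recognised suites that carry no finding, in the original order."""
    return [s for s in suites
            if parse_suite(s) is not None and not findings_for(s)]


if __name__ == "__main__":
    for suite, cves in audit(SAMPLE_SUITES).items():
        label = suite if suite is not None else "unrecognised suite names"
        print("%-45s %s" % (label, ", ".join(cves)))
    print("remaining suites:", hardened(SAMPLE_SUITES))
```

Removing the flagged suites from a configured list is a complementary step, not a substitute for the interim fix: the FREAK entries describe a client that accepts a temporary RSA key in a suite that never asked for one, which only the patched implementation corrects.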

The following table contains the Authorized Program Analysis Reports (APARs) included in this release.

If an integrated pattern or component is not listed, there were no fixes for that pattern or component in this version.

System APARs

Abstracts of the included APARs (the APAR numbers are listed under "Problems (APARS) fixed" below):
"CWZAG2022X - Failed to create snapshot" error on Power system
The Elastic Load Balancing plug-in binaries need to include the LOGJAM and POODLE fixes
Virtual system pattern instances fail to upgrade to a new pattern type
Virtual system pattern component versions are incorrect
Migration jobs on the PureSystems Manager hang during virtual machine migrations


Problems (APARS) fixed
IT10248;IT11084;IT11110;IT10233;IT11077

Document Information

Modified date:
15 June 2018

UID

swg24040701