Security Bulletin
Summary
There are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition, Version 7 that is used by IBM Fabric Manager (IFM). These issues were disclosed as part of the IBM Java SDK updates in July 2015 and April 2015. This bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol.
Vulnerability Details
Summary
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 that is used by IBM Fabric Manager (IFM). These issues were disclosed as part of the IBM Java SDK updates in July 2015 and April 2015. This bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol.
IBM Fabric Manager (IFM) has addressed the vulnerabilities listed below.
Vulnerability Details
CVE-ID: CVE-2015-4000
Description: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as "Logjam."
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/103294
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-2638
Description: An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104727
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-4733
Description: An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104726
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-4732
Description: An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104725
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-2590
Description: An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104724
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-4731
Description: An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104723
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-4760
Description: An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104721
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-4736
Description: An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104728
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-4748
Description: An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 7.6
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104729
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-2664
Description: An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 6.9
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104731
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-2632
Description: An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104732
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-2637
Description: An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104738
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-2619
Description: An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104737
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-2621
Description: An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104735
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-2613
Description: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104734
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-2601
Description: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104733
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-4749
Description: An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104740
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2015-4729
Description: An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104741
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVE-ID: CVE-2015-2625
Description: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/104743
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-1931
Description: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/102967
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-0491
Description: An unspecified vulnerability in Oracle Java SE and JavaFX related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/102329
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-0459
Description: An unspecified vulnerability in Oracle Java SE and JavaFX related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/102328
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-0469
Description: An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/102327
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-0458
Description: An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 7.6
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/102332
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2015-0480
Description: A directory traversal vulnerability in Oracle Java SE related to the Tools component and the extraction of JAR archive files could allow remote attacker to overwrite files on the system with privileges of another user.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/102334
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CVE-ID: CVE-2015-0488
Description: An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/102336
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2015-0478
Description: An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/102339
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-0477
Description: An unspecified vulnerability in Oracle Java SE related to the Beans component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/102337
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2015-2808
Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack."
CVSS Base Score: 5
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/101851
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-1914
Description: A vulnerability in the IBM implementation of the Java Virtual Machine may allow untrusted code running under a security manager to bypass permission checks and view sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/101908
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-0192
Description: A vulnerability in the IBM implementation of the Java Virtual Machine may, under limited circumstances, allow untrusted code running under a security manager to elevate its privileges.
CVSS Base Score: 6.8
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/101008
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-ID: CVE-2015-0204
Description: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/99707
for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected products and versions
| Product | Affected Version |
|---|---|
| IBM Fabric Manager (IFM) | 4.1.02 |
Remediation/Fixes
Firmware fix versions are available on Fix Central: http://www.ibm.com/support/fixcentral/
You should verify applying the fix does not cause any compatibility issues.
| Product | Fixed Version |
|---|---|
| IBM Fabric Manager (IFM) (ibm_sw_ifm-4.1.03.0037_windows_32-64) (ibm_sw_ifm-4.1.03.0037_linux_32-64) |
4.1.03.0037 |
Workarounds and Mitigations
None.
References
Related Information
IBM
Secure Engineering Web Portal
IBM Product Security
Incident Response Blog
Acknowledgement
None
Change History
11 December 2015: Original version published
* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Get Notified about Future Security Bulletins
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
30 January 2019
UID
ibm1MIGR-5094170