Security Bulletin
Summary
The "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability affects some versions of DS8000.
Vulnerability Details
CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. A client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
DS8870 prior to R7.2
DS8800/DS8700 prior to SP9 (86.31.142.0 / 76.31.121.0 respectively) that have not applied the ISO CD patch named RemoveWeakCertificatesv1.0 or RemoveWeakCertificatesV1.1
DS8100/DS8300 even if they have applied the above patch.
Remediation/Fixes
As noted, DS8870 at R7.2 and above (87.21.5.0 or above) and DS8800/DS8700 at SP9 (86.31.142.0 / 76.31.121.0 or above) are not impacted.
DS8700/DS8800/DS8870 customers should upgrade to a version which is not impacted or apply the patch noted below.
DS8100/DS8300 customers should apply the patch noted below.
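The affected-version rules above, as an added fleet-inventory check (example code, not IBM's own tooling). It assumes firmware levels are reported as dotted strings like "86.31.142.0" and that applied patches are reported by the names used in this bulletin; the fixed-level mapping is transcribed from the bulletin text.

```python
from typing import Optional, Set, Tuple

# First firmware levels the bulletin lists as not impacted (transcribed from the bulletin).
FIXED_LEVEL = {
    "DS8870": (87, 21, 5, 0),    # R7.2
    "DS8800": (86, 31, 142, 0),  # 6.3 SP9
    "DS8700": (76, 31, 121, 0),  # 6.3 SP9
}
# Patch names from the bulletin; assumed to be reported verbatim by the inventory source.
WEAK_CIPHER_PATCH = "cve_weak_cipher_patch_v1.0"
WEAK_CERT_PATCHES = {"removeweakcertificatesv1.0", "removeweakcertificatesv1.1"}


def parse_level(level: str) -> Tuple[int, int, int, int]:
    """Parse a dotted firmware level such as '86.31.142.0' into a comparable 4-tuple.

    Missing trailing components are padded with zeros so '87.21.5' compares equal to '87.21.5.0'.
    """
    parts = level.strip().split(".")
    if not parts or len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed firmware level: {level!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def is_affected(model: str, level: Optional[str], patches: Set[str]) -> bool:
    """Apply the bulletin's affected-products rules to one DS8000 system."""
    model = model.upper()
    applied = {p.strip().lower() for p in patches}
    # CVE_WEAK_CIPHER_PATCH_v1.0 is the bulletin's remediation for every listed model.
    if WEAK_CIPHER_PATCH in applied:
        return False
    # DS8100/DS8300 remain affected even with the RemoveWeakCertificates patch.
    if model in ("DS8100", "DS8300"):
        return True
    if model not in FIXED_LEVEL:
        raise ValueError(f"model not covered by this bulletin: {model!r}")
    if level is None:
        raise ValueError(f"firmware level required to assess {model}")
    if parse_level(level) >= FIXED_LEVEL[model]:
        return False
    # DS8800/DS8700 below SP9 are cleared by either RemoveWeakCertificates patch.
    if model in ("DS8800", "DS8700") and applied & WEAK_CERT_PATCHES:
        return False
    return True
```

A system that is reported affected should be upgraded to the non-impacted level or patched per the table below; an inventory entry with an unparseable level is rejected rather than silently treated as fixed.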
Patch Release
| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| DS8870 prior to R7.2 | N/A | CVE_WEAK_CIPHER_PATCH_v1.0 | 03/23/2015 |
| DS8800 prior to 6.3 SP 9 | N/A | CVE_WEAK_CIPHER_PATCH_v1.0 | 03/23/2015 |
| DS8700 prior to 6.3 SP 9 | N/A | CVE_WEAK_CIPHER_PATCH_v1.0 | 03/23/2015 |
| DS8100/DS8300 | N/A | CVE_WEAK_CIPHER_PATCH_v1.0 | 03/23/2015 |
References
Change History
Added CVE score and links
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
24 May 2022
UID
ssg1S1005145