IBM Support

Security Bulletin: Vulnerability in IBM Java SDK Runtime affects DS8000 (CVE-2015-0138)

Created by Mark Hack on
Published URL:
https://www.ibm.com/support/pages/node/690333

Security Bulletin


Summary

The "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability affects some versions of DS8000.

Vulnerability Details


CVEID: CVE-2015-0138

DESCRIPTION: A vulnerability in SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. A client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

This vulnerability is also known as the FREAK attack.
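As an added example that is not part of IBM's bulletin, the following Python checks a captured server-side TLS handshake for the condition described above: a non-export (static RSA) ciphersuite followed by a ServerKeyExchange carrying a temporary RSA key. Cipher-suite identifiers are from the IANA TLS registry; the sample handshakes are constructed, not real captures.

```python
# Flags the FREAK condition on a captured TLS handshake (added example).
# A static-RSA (non-export) suite must not be followed by a ServerKeyExchange;
# if one arrives, the server is pushing a temporary RSA key the client must reject.
HS_SERVER_HELLO = 2
HS_SERVER_KEY_EXCHANGE = 12
# Cipher suite IDs from the IANA TLS registry (subset chosen for this example).
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008}   # TLS_RSA_EXPORT_* (RC4-40, RC2-40, DES40)
STATIC_RSA_SUITES = {0x000A, 0x002F, 0x0035}   # TLS_RSA_WITH_3DES / AES_128 / AES_256_CBC_SHA
ECDHE_SUITES = {0xC013, 0xC014}                 # ServerKeyExchange is legitimate for these

def parse_handshakes(payload):
    """Yield (msg_type, body) for each handshake message in a TLS record payload."""
    off = 0
    while off + 4 <= len(payload):
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield msg_type, body
        off += 4 + length

def server_hello_suite(body):
    """Chosen cipher suite from a ServerHello: version(2) random(32) sid_len(1) sid suite(2)."""
    sid_len = body[34]
    return int.from_bytes(body[35 + sid_len:37 + sid_len], "big")

def check_freak(payload):
    """Return (suite, verdict); verdict is 'freak', 'export', 'ok' or 'unknown'."""
    suite, saw_ske = None, False
    for msg_type, body in parse_handshakes(payload):
        if msg_type == HS_SERVER_HELLO:
            suite = server_hello_suite(body)
        elif msg_type == HS_SERVER_KEY_EXCHANGE:
            saw_ske = True
    if suite in RSA_EXPORT_SUITES:
        return suite, "export"          # weak suite negotiated outright
    if suite in STATIC_RSA_SUITES:
        return suite, "freak" if saw_ske else "ok"
    if suite in ECDHE_SUITES:
        return suite, "ok"
    return suite, "unknown"

def _hs(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def _server_hello(suite):
    return _hs(HS_SERVER_HELLO, b"\x03\x03" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00")

# Constructed sample handshakes (not real captures); ServerKeyExchange bodies are dummy bytes.
FREAK_TRACE = _server_hello(0x002F) + _hs(HS_SERVER_KEY_EXCHANGE, b"\x00\x40" + bytes(64) + b"\x00\x01\x01")
CLEAN_TRACE = _server_hello(0x002F)
ECDHE_TRACE = _server_hello(0xC013) + _hs(HS_SERVER_KEY_EXCHANGE, bytes(70))
```

Run against real traffic, feed the function the concatenated handshake messages from the server's flight up to ServerHelloDone; an "export" verdict means the server still offers RSA_EXPORT suites and should be reconfigured regardless of the client.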


CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

DS8870 prior to R7.2

DS8800/DS8700 prior to SP9 (86.31.142.0 / 76.31.121.0 respectively) which have not applied the ISO CD patch named RemoveWeakCertificatesv1.0 or RemoveWeakCertificatesV1.1

DS8100/DS8300 even if they have applied the above patch.

Remediation/Fixes

As noted, DS8870 at R7.2 and above (87.21.5.0 or above) and DS8800/DS8700 at SP9 and above (86.31.142.0 / 76.31.121.0 or above) are not impacted.

DS8700/DS8800/DS8870 customers should upgrade to a version which is not impacted or apply the patch noted below.


DS8100/DS8300 customers should apply the patch noted below.

Patch Release



Product        | VRMF              | APAR | Remediation/First Fix
DS8870         | prior to R7.2     | N/A  | CVE_WEAK_CIPHER_PATCH_v1.0, 03/23/2015
DS8800         | prior to 6.3 SP 9 | N/A  | CVE_WEAK_CIPHER_PATCH_v1.0, 03/23/2015
DS8700         | prior to 6.3 SP 9 | N/A  | CVE_WEAK_CIPHER_PATCH_v1.0, 03/23/2015
DS8100/DS8300  |                   | N/A  | CVE_WEAK_CIPHER_PATCH_v1.0, 03/23/2015


References


Change History

Added CVE score and links

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date:
24 May 2022

UID

ssg1S1005145