-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1020
              Vulnerability in IBM SDK Java JSSE affects AIX
                               16 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM SDK Java JSSE
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0138  

Original Bulletin: 
   http://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM SECURITY ADVISORY

First Issued: Mon Apr 13 12:11:24 CDT 2015

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:   Vulnerability in IBM SDK Java JSSE affects AIX

PLATFORMS:       AIX 5.3, 6.1 and 7.1.
                 VIOS 2.2.x

SOLUTION:        Apply the fix as described below.

THREAT:          A remote attacker can decrypt SSL/TLS traffic

CVE Numbers:     CVE-2015-0138
                 

Reboot required?  NO
Workarounds?      NO
                 
===============================================================================
                           DETAILED INFORMATION

I. DESCRIPTION

     A vulnerability in various IBM SSL/TLS implementations could
     allow a remote attacker to downgrade the security of certain
     SSL/TLS connections.  An IBM SSL/TLS client implementation
     could accept the use of an RSA temporary key in a non-export
     RSA key exchange ciphersuite.  This could allow a remote
     attacker using man-in-the-middle techniques to facilitate
     brute-force decryption of TLS/SSL traffic between vulnerable
     clients and servers.  This vulnerability is known as the FREAK
     attack.

II. CVSS

    CVEID: CVE-2015-0138
    CVSS Base Score: 4.3
    CVSS Temporal Score: See
        http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) 

III. PLATFORM VULNERABILITY ASSESSMENT

    The following fileset levels (VRMF) are vulnerable, if
    the respective Java version is installed:
    For Java5: Less than or equal to 5.0.0.590
    For Java6: Less than or equal to 6.0.0.470
    For Java7: Less than or equal to 7.0.0.195
    For Java7 Release 1: Less than or equal to 7.1.0.75

    Note: To find out whether the affected filesets are installed on your
    systems, refer to the lslpp command found in AIX user's guide.

    Example: lslpp -L | grep -i java
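
    The fileset check above as a script, added here as an example (not part
    of IBM's or AusCERT's advisory): it reads colon-separated `lslpp -Lc`
    output and lists Java filesets whose level is at or below the vulnerable
    VRMF for their Java stream. The fileset names in the sample and the
    function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: colon-separated `lslpp -Lc` lines (fileset in field 2,
# level in field 3). On a real system: lslpp -Lc | vulnerable_filesets

# vrmf_le A B: succeed if VRMF A <= VRMF B, comparing the four fields numerically.
vrmf_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# threshold_for LEVEL: print the highest vulnerable VRMF (from the advisory)
# for the Java stream that LEVEL belongs to; fail for any other stream.
threshold_for() {
    case "$1" in
        5.0.*) echo 5.0.0.590 ;;
        6.0.*) echo 6.0.0.470 ;;
        7.0.*) echo 7.0.0.195 ;;
        7.1.*) echo 7.1.0.75 ;;
        *)     return 1 ;;
    esac
}

# vulnerable_filesets: read lslpp -Lc lines on stdin and print "fileset level"
# for every Java fileset that is still at a vulnerable level.
vulnerable_filesets() {
    while IFS=: read -r _pkg fileset level _rest; do
        case "$fileset" in Java*) ;; *) continue ;; esac
        limit=$(threshold_for "$level") || continue
        if vrmf_le "$level" "$limit"; then
            echo "$fileset $level"
        fi
    done
}

# Constructed sample input (not taken from a real system).
SAMPLE='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
Java5.sdk:Java5.sdk:5.0.0.590:C: :F:Java SDK 32-bit
Java6.sdk:Java6.sdk:6.0.0.475:C: :F:Java SDK 32-bit
Java7_64.sdk:Java7_64.sdk:7.0.0.195:C: :F:Java SDK 64-bit
Java71_64.sdk:Java71_64.sdk:7.1.0.80:C: :F:Java SDK 64-bit
bos.rte:bos.rte:7.1.3.45:C: :F:Base Operating System Runtime'

printf '%s\n' "$SAMPLE" | vulnerable_filesets
```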

IV. FIXES

    AFFECTED PRODUCTS AND VERSIONS:
    AIX 5.3
    AIX 6.1
    AIX 7.1
    VIOS 2.2.x

    REMEDIATION:
    IBM SDK, Java Technology Edition, Version 5.0 Service
    Refresh 16 Fix Pack 9 and later
    32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+32-bit,+pSeries&function=all
    64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+64-bit,+pSeries&function=all

    IBM SDK, Java Technology Edition, Version 6 Service
    Refresh 16 Fix Pack 3 and later
    32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+32-bit,+pSeries&function=all
    64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+64-bit,+pSeries&function=all

    IBM SDK, Java Technology Edition, Version 7, Service
    Refresh 8 Fix Pack 10 and later
    32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all
    64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all

    IBM SDK, Java Technology Edition, Version 7 Release 1 Service
    Refresh 2 Fix Pack 10 and later
    32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all
    64-bit: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all

    To learn more about AIX support levels and Java service releases,
    see the following:
    http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

    Published advisory OpenSSL signature file location:
 
    http://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig
    https://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig
    ftp://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig

    openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>


V. WORKAROUNDS

    None

VI. CONTACT US

    If you would like to receive AIX Security Advisories via email,
    please visit "My Notifications":

        http://www.ibm.com/support/mynotifications

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To obtain the OpenSSL public key that can be used to verify the
    signed advisories and ifixes:

        Download the key from our web page:

    http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

    To obtain the PGP public key that can be used to communicate
    securely with the AIX Security Team via security-alert@austin.ibm.com you
    can either:

        A. Download the key from our web page:

    http://www.ibm.com/systems/resource/systems_p_os_aix_security_pgppubkey.txt

        B. Download the key from a PGP Public Key Server. The key ID is:

            0x28BFAA12

    Please contact your local IBM AIX support center for any
    assistance.

VII. REFERENCES:

    Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
    On-line Calculator V2:
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
    CVE-2015-0138: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0138

    *The CVSS Environment Score is customer environment specific and will
    ultimately impact the Overall CVSS Score. Customers can evaluate the
    impact of this vulnerability in their environments by accessing the links
    in the Reference section of this Flash.

    Note: According to the Forum of Incident Response and Security Teams
    (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
    open standard designed to convey vulnerability severity and help to
    determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES
    "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
    RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
    VULNERABILITY.

VIII. ACKNOWLEDGEMENTS:

    The vulnerability was reported to IBM by Karthikeyan Bhargavan
    of the PROSECCO team at INRIA.

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----