===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1020
            Vulnerability in IBM SDK Java JSSE affects AIX
                               16 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM SDK Java JSSE
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0138
Reference:         ESB-2015.1019 ESB-2015.1013 ESB-2015.0970 ESB-2015.0958
                   ESB-2015.0950.2 ESB-2015.0915 ESB-2015.0914 ESB-2015.0913
                   ESB-2015.0912 ESB-2015.0911 ESB-2015.0910 ESB-2015.0908
                   ESB-2015.0907 ESB-2015.0906 ESB-2015.0905 ESB-2015.0903
                   ESB-2015.0897 ESB-2015.0896 ESB-2015.0895 ESB-2015.0889
                   ESB-2015.0888 ESB-2015.0886 ESB-2015.0885 ESB-2015.0883
                   ESB-2015.0882 ESB-2015.0881 ESB-2015.0880 ESB-2015.0876
                   ESB-2015.0874 ESB-2015.0859 ESB-2015.0857 ESB-2015.0855.2
                   ESB-2015.0846 ESB-2015.0845 ESB-2015.0844 ESB-2015.0843
                   ESB-2015.0840 ESB-2015.0822 ESB-2015.0815 ESB-2015.0813
                   ESB-2015.0812 ESB-2015.0810 ESB-2015.0806 ESB-2015.0805
                   ESB-2015.0791 ESB-2015.0784 ESB-2015.0783 ESB-2015.0782
                   ESB-2015.0781 ESB-2015.0780 ESB-2015.0779 ESB-2015.0778
                   ESB-2015.0777 ESB-2015.0776 ESB-2015.0763 ESB-2015.0762
                   ESB-2015.0760 ESB-2015.0748 ESB-2015.0747 ESB-2015.0746
                   ESB-2015.0740 ESB-2015.0735 ESB-2015.0728 ESB-2015.0724
                   ESB-2015.0723 ESB-2015.0720 ESB-2015.0719 ESB-2015.0714
                   ESB-2015.0647 ESB-2015.0646 ESB-2015.0644 ESB-2015.0632
                   ESB-2015.0589 ESB-2015.0542

Original Bulletin:
   http://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc

--------------------------BEGIN INCLUDED TEXT--------------------

IBM SECURITY ADVISORY

First Issued: Mon Apr 13 12:11:24 CDT 2015

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY: Vulnerability in IBM SDK Java JSSE affects AIX

PLATFORMS:     AIX 5.3, 6.1 and 7.1.
               VIOS 2.2.x

SOLUTION:      Apply the fix as described below.

THREAT:        A remote attacker can decrypt SSL/TLS traffic

CVE Numbers:   CVE-2015-0138

Reboot required?    NO
Workarounds?        NO
===============================================================================
                           DETAILED INFORMATION

I. DESCRIPTION

    A vulnerability in various IBM SSL/TLS implementations could allow a
    remote attacker to downgrade the security of certain SSL/TLS connections.
    An IBM SSL/TLS client implementation could accept the use of an RSA
    temporary key in a non-export RSA key exchange ciphersuite. This could
    allow a remote attacker using man-in-the-middle techniques to facilitate
    brute-force decryption of TLS/SSL traffic between vulnerable clients and
    servers. This vulnerability is known as the FREAK attack.

II. CVSS

    CVEID: CVE-2015-0138
    CVSS Base Score: 4.3
    CVSS Temporal Score: See
        http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

III. PLATFORM VULNERABILITY ASSESSMENT

    The following fileset levels (VRMF) are vulnerable, if the respective
    Java version is installed:

    For Java5:            Less than or equal to 5.0.0.590
    For Java6:            Less than or equal to 6.0.0.470
    For Java7:            Less than or equal to 7.0.0.195
    For Java7 Release 1:  Less than or equal to 7.1.0.75

    Note: To find out whether the affected filesets are installed on your
    systems, refer to the lslpp command found in the AIX user's guide.

    Example: lslpp -L | grep -i java

IV. FIXES

    AFFECTED PRODUCTS AND VERSIONS:

        AIX 5.3
        AIX 6.1
        AIX 7.1
        VIOS 2.2.x

    REMEDIATION:

    IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9
    and later

        32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+32-bit,+pSeries&function=all
        64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+64-bit,+pSeries&function=all

    IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 3
    and later

        32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+32-bit,+pSeries&function=all
        64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+64-bit,+pSeries&function=all

    IBM SDK, Java Technology Edition, Version 7, Service Refresh 8 Fix Pack 10
    and later

        32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all
        64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all

    IBM SDK, Java Technology Edition, Version 7 Release 1 Service Refresh 2
    Fix Pack 10 and later

        32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all
        64-bit: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all

    To learn more about AIX support levels and Java service releases, see
    the following:

        http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

    Published advisory OpenSSL signature file location:

        http://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig
        https://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig
        ftp://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig

        openssl dgst -sha1 -verify -signature .sig

V. WORKAROUNDS

    None

VI. CONTACT US

    If you would like to receive AIX Security Advisories via email, please
    visit "My Notifications":

        http://www.ibm.com/support/mynotifications

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

    Comments regarding the content of this announcement can be directed to:

        security-alert@austin.ibm.com

    To obtain the OpenSSL public key that can be used to verify the signed
    advisories and ifixes:

        Download the key from our web page:
        http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

    To obtain the PGP public key that can be used to communicate securely
    with the AIX Security Team via security-alert@austin.ibm.com you can
    either:

        A. Download the key from our web page:
           http://www.ibm.com/systems/resource/systems_p_os_aix_security_pgppubkey.txt

        B. Download the key from a PGP Public Key Server. The key ID is:
           0x28BFAA12

    Please contact your local IBM AIX support center for any assistance.

VII. REFERENCES:

    Complete CVSS Guide:   http://www.first.org/cvss/cvss-guide.html
    On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
    CVE-2015-0138:         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0138

    *The CVSS Environment Score is customer environment specific and will
    ultimately impact the Overall CVSS Score. Customers can evaluate the
    impact of this vulnerability in their environments by accessing the
    links in the Reference section of this Flash.

    Note: According to the Forum of Incident Response and Security Teams
    (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
    open standard designed to convey vulnerability severity and help to
    determine urgency and priority of response." IBM PROVIDES THE CVSS
    SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
    CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR
    POTENTIAL SECURITY VULNERABILITY.

VIII. ACKNOWLEDGEMENTS:

    The vulnerability was reported to IBM by Karthikeyan Bhargavan of the
    PROSECCO team at INRIA.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
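Section III of the included IBM advisory gives the vulnerable VRMF levels per Java stream and points to lslpp -L | grep -i java to list installed Java filesets. The script below is an added example, not tooling from IBM or AusCERT: it parses that lslpp output and flags every Java fileset at or below the advisory's thresholds, so a fleet of AIX hosts can be triaged from captured command output. The fileset names and levels in SAMPLE are constructed for illustration.

```python
"""Flag AIX Java filesets at levels the advisory lists as vulnerable to
CVE-2015-0138 (FREAK).  Added example, not IBM's or AusCERT's own tooling."""
import re

# Highest vulnerable VRMF per Java stream, keyed on (version, release),
# taken from section III of the advisory.
VULNERABLE_THROUGH = {
    (5, 0): (5, 0, 0, 590),   # Java5
    (6, 0): (6, 0, 0, 470),   # Java6
    (7, 0): (7, 0, 0, 195),   # Java7
    (7, 1): (7, 1, 0, 75),    # Java7 Release 1
}

# Fileset name and VRMF level columns of an 'lslpp -L' output line.
LINE_RE = re.compile(r"^\s*(Java\S*)\s+(\d+\.\d+\.\d+\.\d+)\b")


def parse_vrmf(level):
    """'7.1.0.75' -> (7, 1, 0, 75); tuples compare component-wise."""
    return tuple(int(p) for p in level.split("."))


def is_vulnerable(level):
    """True if the level is at or below the advisory's threshold for its
    (version, release) stream.  Streams the advisory does not list (e.g. a
    hypothetical 8.0) are reported as not vulnerable, not as unknown."""
    vrmf = parse_vrmf(level)
    limit = VULNERABLE_THROUGH.get(vrmf[:2])
    return limit is not None and vrmf <= limit


def find_vulnerable_filesets(lslpp_output):
    """Return [(fileset, level)] for every Java fileset still at a vulnerable level."""
    found = []
    for line in lslpp_output.splitlines():
        m = LINE_RE.match(line)
        if m and is_vulnerable(m.group(2)):
            found.append((m.group(1), m.group(2)))
    return found


# Constructed sample of 'lslpp -L | grep -i java' output (not real host data).
SAMPLE = """\
  Java5.sdk       5.0.0.590  C  F  Java SDK 32-bit
  Java6_64.sdk    6.0.0.500  C  F  Java SDK 64-bit
  Java7.jre       7.0.0.195  C  F  Java Runtime Environment
  Java71_64.sdk   7.1.0.75   C  F  Java SDK 64-bit
  Java71.sdk      7.1.0.100  C  F  Java SDK 32-bit
"""

if __name__ == "__main__":
    for fileset, level in find_vulnerable_filesets(SAMPLE):
        print(f"{fileset} {level}: vulnerable level, apply the fix for its stream")
```

Run it on real hosts by piping the saved output of lslpp -L | grep -i java into find_vulnerable_filesets; a fileset reported here needs the Fix Central package for its stream from section IV.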