
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2207
 Security Bulletin: Vulnerabilities in OpenSSL including Logjam affect IBM
                 Security Directory Server (CVE-2015-4000)
                              24 August 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Directory Server
Publisher:         IBM
Operating System:  AIX
                   Red Hat
                   Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4000  

Reference:         ESB-2015.1463
                   ESB-2015.1455.2
                   ESB-2015.1454.2
                   ESB-2015.1453.2
                   ESB-2015.1452
                   ESB-2015.1445
                   ESB-2015.1443
                   ESB-2015.1432
                   ESB-2015.1425

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21964929

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerabilities in OpenSSL including Logjam affect IBM 
Security Directory Server (CVE-2015-4000)

Document information

Product:            IBM Security Directory Server
Software version:   6.1, 6.2, 6.3, 6.3.1, 6.4
Operating system:   Platform Independent
Reference #:        1964929
Modified date:      2015-08-21

Summary

OpenSSL vulnerabilities were disclosed on June 11, 2015 by the OpenSSL Project.
These include the Logjam attack on TLS connections that use the Diffie-Hellman
(DH) key exchange (CVE-2015-4000). OpenSSL is used by IBM Security Directory
Server. IBM Security Directory Server has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-4000

DESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive
information, caused by the failure to properly convey a DHE_EXPORT ciphersuite
choice. An attacker could exploit this vulnerability using man-in-the-middle
techniques to force a downgrade to a 512-bit export-grade cipher. Successful
exploitation could allow the attacker to recover the session key and to modify
the contents of the traffic. This vulnerability is commonly referred to as
"Logjam".

CVSS Base Score: 4.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
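The downgrade described above succeeds because the server's signature covers the DH parameters but not the cipher suite the client thinks it negotiated, so a client's robust defence is to reject small DH groups outright, whatever suite is in play. The following Python is an added example, not code from IBM, OpenSSL or this bulletin: it parses the ServerDHParams of a DHE ServerKeyExchange body and rejects export-sized moduli, using constructed sample messages (not real DH groups).

```python
import struct

MIN_DH_BITS = 1024  # reject below this; 2048 bits is the current recommendation

def _read_opaque16(buf: bytes, off: int):
    """Read one TLS <1..2^16-1> length-prefixed vector starting at buf[off]."""
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated ServerKeyExchange")
    return buf[off:off + n], off + n

def parse_dhe_params(ske_body: bytes):
    """Parse ServerDHParams {dh_p, dh_g, dh_Ys} from a DHE ServerKeyExchange
    body. Returns (p, g, Ys) as ints plus the offset where the signature begins."""
    p_raw, off = _read_opaque16(ske_body, 0)
    g_raw, off = _read_opaque16(ske_body, off)
    ys_raw, off = _read_opaque16(ske_body, off)
    to_int = lambda b: int.from_bytes(b, "big")
    return to_int(p_raw), to_int(g_raw), to_int(ys_raw), off

def dh_group_verdict(ske_body: bytes, min_bits: int = MIN_DH_BITS):
    """Classify the server's DH modulus by size. A Logjam-hardened client runs
    this check regardless of the cipher suite it believes it negotiated, since
    the suite choice is not protected by the server's signature."""
    p, _g, _ys, _sig_off = parse_dhe_params(ske_body)
    bits = p.bit_length()
    if bits <= 512:
        return bits, "export-grade (Logjam-class), reject"
    if bits < min_bits:
        return bits, "below policy minimum, reject"
    return bits, "acceptable"

def build_ske_body(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams as a server would; used here only to build samples."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed samples (not real primes): a 512-bit export-sized modulus of the
# kind a DHE_EXPORT suite carries, and a 2048-bit one.
EXPORT_SKE = build_ske_body((1 << 511) | 0x1B, 2, 0x1234)
STRONG_SKE = build_ske_body((1 << 2047) | 0x1B, 2, 0x1234)

if __name__ == "__main__":
    for name, msg in (("export", EXPORT_SKE), ("strong", STRONG_SKE)):
        print(name, *dh_group_verdict(msg))
```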

Affected Products and Versions

IBM Tivoli Directory Server 6.1, 6.2, 6.3

IBM Security Directory Server 6.3.1, 6.4

Remediation/Fixes

Product                         VRMF    Remediation/Fix
IBM Tivoli Directory Server     6.1     IBM Tivoli Directory Server 6.1 iFix 69
IBM Tivoli Directory Server     6.2     IBM Tivoli Directory Server 6.2 iFix 45
IBM Tivoli Directory Server     6.3     IBM Tivoli Directory Server 6.3 iFix 38
IBM Security Directory Server   6.3.1   IBM Security Directory Server 6.3.1 iFix 12
IBM Security Directory Server   6.4     IBM Security Directory Server 6.4.0 iFix 3

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

References

Complete CVSS v2 Guide

On-line Calculator v2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately 
impact the Overall CVSS Score. Customers can evaluate the impact of this 
vulnerability in their environments by accessing the links in the Reference 
section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common 
Vulnerability Scoring System (CVSS) is an "industry open standard designed to 
convey vulnerability severity and help to determine urgency and priority of 
response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, 
INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR 
POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================