IBM SECURITY ADVISORY First Issued: Mon Apr 13 12:11:24 CDT 2015 The most recent version of this document is available here: http://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc https://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc ftp://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc =============================================================================== VULNERABILITY SUMMARY VULNERABILITY: Vulnerability in IBM SDK Java JSSE affects AIX PLATFORMS: AIX 5.3, 6.1 and 7.1. VIOS 2.2.x SOLUTION: Apply the fix as described below. THREAT: A remote attacker can decrypt SSL/TLS traffic CVE Numbers: CVE-2015-0138 Reboot required? NO Workarounds? NO =============================================================================== DETAILED INFORMATION I. DESCRIPTION A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate bruteforce decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is know as the FREAK attack. II. CVSS CVEID: CVE-2015-0138 CVSS Base Score: 4.3 CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) III. PLATFORM VULNERABILITY ASSESSMENT The following fileset levels (VRMF) are vulnerable, if the respective Java version is installed: For Java5: Less than or equal to 5.0.0.590 For Java6: Less than or equal to 6.0.0.470 For Java7: Less than or equal to 7.0.0.195 For Java7 Release 1: Less than or equal to 7.1.0.75 Note: To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide. Example: lslpp -L | grep -i java IV. FIXES AFFECTED PRODUCTS AND VERSIONS: AIX 5.3 AIX 6.1 AIX 7.1 VIOS 2.2.x REMEDIATION: IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 and later 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+32-bit,+pSeries&function=all 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+64-bit,+pSeries&function=all IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 3 and later 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+32-bit,+pSeries&function=all 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+64-bit,+pSeries&function=all IBM SDK, Java Technology Edition, Version 7, Service Refresh 8 Fix Pack 10 and later 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all IBM SDK, Java Technology Edition, Version 7 Release 1 Service Refresh 2 Fix Pack 10 and later 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all 64-bit: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all To learn more about AIX support levels and Java service releases, see the following: http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels Published advisory OpenSSL signature file location: http://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig https://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig ftp://aix.software.ibm.com/aix/efixes/security/javajsse_advisory.asc.sig openssl dgst -sha1 -verify -signature .sig V. WORKAROUNDS None VI. CONTACT US If you would like to receive AIX Security Advisories via email, please visit "My Notifications": http://www.ibm.com/support/mynotifications To view previously issued advisories, please visit: http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To obtain the OpenSSL public key that can be used to verify the signed advisories and ifixes: Download the key from our web page: http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt To obtain the PGP public key that can be used to communicate securely with the AIX Security Team via security-alert@austin.ibm.com you can either: A. Download the key from our web page: http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt B. Download the key from a PGP Public Key Server. The key ID is: 0x28BFAA12 Please contact your local IBM AIX support center for any assistance. VII. REFERENCES: Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE-2015-0138: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0138 *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. VIII. ACKNOWLEDGEMENTS: The vulnerability was reported to IBM by Karthikeyan Bhargavan of the PROSECCO team at INRIA.