Security Bulletin
Summary
The LogJam Attack on Diffie-Hellman ciphers (CVE-2015-4000) may affect some configurations of IBM WebSphere Application Server. The vulnerability affects Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization.
Vulnerability Details
CVEID: CVE-2015-4000
DESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to a 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as "Logjam".
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
| Principal Product and Version(s) | Affected Supporting Product and Version |
|---|---|
| Maximo Asset Management 7.6 | IBM WebSphere Application Server 8.5.5 Full Profile; IBM WebSphere Application Server 8.5 Full Profile |
| Maximo Asset Management 7.5; Maximo Asset Management Essentials 7.5; Maximo for Government 7.5; Maximo for Nuclear Power 7.5; Maximo for Transportation 7.5; Maximo for Life Sciences 7.5; Maximo for Oil and Gas 7.5; Maximo for Utilities 7.5; Maximo Adapter for Primavera 7.5; SmartCloud Control Desk 7.5; TRIRIGA Energy Optimization 1.1 | IBM WebSphere Application Server 8.5.5 Full Profile; IBM WebSphere Application Server 8.5 Full Profile; IBM WebSphere Application Server 8.0; IBM WebSphere Application Server 7.0 |
| Maximo Asset Management 7.1; Maximo Asset Management Essentials 7.1; Maximo Asset Management for Energy Optimization 7.1; Maximo for Government 7.1; Maximo for Nuclear Power 7.1; Maximo for Transportation 7.1; Maximo for Life Sciences 7.1; Maximo for Oil and Gas 7.1; Maximo for Utilities 7.1; Maximo Adapter for Primavera 7.1 | IBM WebSphere Application Server 7.0; IBM WebSphere Application Server 6.1 |
| Tivoli Asset Management for IT 7.2; Tivoli Service Request Manager 7.2; Change and Configuration Management Database 7.2 | IBM WebSphere Application Server 8.5.5 Full Profile; IBM WebSphere Application Server 7.0; IBM WebSphere Application Server 6.1 |
| Tivoli Asset Management for IT 7.1; Tivoli Service Request Manager 7.1; Change and Configuration Management Database 7.1 | IBM WebSphere Application Server 6.1 |
Remediation/Fixes
Please apply the latest WebSphere Application Server Interim Fix or Fix Pack as recommended in the Security Bulletin for IBM WebSphere.
Workarounds and Mitigations
Workarounds and Mitigations for some configurations of WebSphere Application Server are provided in the Security Bulletin for IBM WebSphere.
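As an added illustration (not part of IBM's bulletin and not WebSphere code), the following Python decodes the ServerDHParams from a TLS 1.2 DHE ServerKeyExchange message and classifies the modulus size; this is the check a client or scanner has to make itself, because a DHE_EXPORT choice on the server side is not otherwise visible in the handshake. The sample message and its 512-bit modulus are constructed for the example.

```python
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12  # TLS handshake type for ServerKeyExchange (RFC 5246 7.4)

def _read_vec16(buf: bytes, off: int):
    """Read an opaque <1..2^16-1> vector: 2-byte big-endian length, then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n

def parse_dhe_server_key_exchange(msg: bytes) -> dict:
    """Decode ServerDHParams (p, g, Ys) from a DHE ServerKeyExchange handshake message."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)  # any trailing signature is ignored here
    return {"p_bits": int.from_bytes(p, "big").bit_length(),
            "g": int.from_bytes(g, "big"),
            "ys_bits": int.from_bytes(ys, "big").bit_length()}

def classify_dh_group(p_bits: int) -> str:
    """Verdict on the modulus size the server actually sent, whatever ciphersuite was negotiated."""
    if p_bits <= 512:
        return "export-grade"   # the size Logjam downgrades to
    if p_bits < 2048:
        return "weak"
    return "acceptable"

def build_dhe_server_key_exchange(p: int, g: int, ys: int) -> bytes:
    """Constructed message (no signature, i.e. the DH_anon layout) for offline testing."""
    def vec16(n: int) -> bytes:
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = vec16(p) + vec16(g) + vec16(ys)
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

# Constructed sample: a 512-bit modulus, the size an export-grade DHE_EXPORT server sends.
# Placeholder value, not a real prime and not taken from any real server.
EXPORT_SAMPLE = build_dhe_server_key_exchange((1 << 511) | 1, 2, (1 << 400) | 3)
```

Running `classify_dh_group(parse_dhe_server_key_exchange(EXPORT_SAMPLE)["p_bits"])` on the constructed sample reports "export-grade"; a 2048-bit group from a patched server reports "acceptable".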
References
Acknowledgement
Reported to IBM by the WeakDH team at https://weakdh.org
Change History
None
*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
21 September 2022
UID
swg21960877