IBM Support

【セキュリティ情報】IBM WebSphere MQ へのGSKit の脆弱性の影響(CVE-2015-0159, CVE-2015-0138 and CVE-2014-6221)

Security Bulletin


IBM WebSphere MQに含まれるGSKitに複数の脆弱性が存在します。FREAK(Factoring Attack on RSA-EXPORT keys)と呼ばれるTLS/SSL通信時の脆弱性を含みます。

Vulnerability Details


CVEID: CVE-2014-6221
Random Data Generation using GSKit MSCAPI/MSCNG Interface Code does not generate cryptographically random data. An attacker could use this weakness to gain complete confidentially and/or integrity compromise.
CVSS Base Score: 8.8
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N)

CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0159
DESCRIPTION: An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations.
CVSS Base Score: 2.6
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Affected Products and Versions



IBM WebSphere MQ V7.0.1

  • AIX, HP-UX, Linux, Solaris & Windows

IBM WebSphere MQ 7.1
  • AIX, HP-UX, Linux, Solaris & Windows

IBM WebSphere MQ 7.5
  • AIX, HP-UX, Linux, Solaris & Windows

IBM WebSphere MQ 8.0
  • AIX, HP-UX, Linux, Solaris & Windows

IBM MQ Appliance M2000





Note : 今後FIPS 140-2に認定されていない、より弱いアルゴリズムの使用するMQ ChiferSpecは将来の製品メンテナンスで廃止される可能性があることに注意してください。現在利用可能なMQのCipherSpecのさらなる詳細を ここから参照できます。


IBM WebSphere MQ

Fix Central から iFix APAR IV70568 をダウンロードし、導入してください。

IBM MQ Appliance M2000

Workarounds and Mitigations


Note : IBM i の(すべてのリリース)用のIBM WebSphere MQはこれらの脆弱性のいずれかに影響されません。、しかし、システム値QSSLCSLにより EXPORT 暗号化アルゴリズムの使用を制限することをお勧めします。



Get Notified about Future Security Bulletins

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.


Complete CVSS v2 Guide
On-line Calculator v2


この文書は、米国 IBM 社の資料を翻訳した参考文書です。翻訳元の文書は、以下のリンクよりご参照ください。
Security Bulletin: Vulnerabilities in GSKit affect IBM WebSphere MQ (CVE-2015-0159, CVE-2015-0138 and CVE-2014-6221)

Recommended fixes for WebSphere MQ

WebSphere MQ planned maintenance release dates

独立行政法人 情報処理推進機構: 共通脆弱性評価システムCVSS概説
JVN iPedia: CVSS計算ソフトウェア日本語版

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
IBM サービス・ライン

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


An US English translation is available

Document information

More support for: WebSphere MQ

Software version: 7.0, 7.0.1, 7.1, 7.5, 8.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris

Software edition: All Editions

Reference #: 1700423

Modified date: 02 April 2015