Allele Security Alert
ASA-2019-00254
Identifier(s)
ASA-2019-00254, CVE-2018-3180
Title
OpenJDK did not ensure that the same endpoint identification algorithm was used during TLS session resumption
Vendor(s)
IBM
Product(s)
IBM Planning Analytics
Affected version(s)
IBM Planning Analytics versions 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5 and 2.0.6
Fixed version(s)
IBM Planning Analytics version 2.0.7
Proof of concept
Unknown
Description
A vulnerability related to the Java SE Embedded JSSE component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
The Java Secure Socket Extension (JSSE) implementation in OpenJDK did not ensure that the same endpoint identification algorithm was used during TLS session resumption as during initial session setup. An attacker could use this to expose sensitive information.
Technical details
Unknown
Credits
Felix Dörre
Reference(s)
Security Bulletin: Multiple vulnerabilities affect IBM Planning Analytics
https://www-01.ibm.com/support/docview.wss?uid=ibm10879407
Oracle Java SE, Java SE Embedded, JRockit JSSE unspecified
https://exchange.xforce.ibmcloud.com/vulnerabilities/151497
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: May 3, 2019