CVSS3: 3.7 Low

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | LOW |
Availability Impact | NONE |

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS2: 4.3 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.975 High (Percentile: 100.0%)
OpenSSL is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.
CVEID: CVE-2015-4000
DESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to a 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as "Logjam".
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103294> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
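Because the ServerKeyExchange message does not say whether the group came from a DHE_EXPORT suite, a client can only defend itself by checking the size of the group it receives. The following added example (not part of the IBM bulletin or HMC code) parses the ServerDHParams structure and applies that check; the 1024-bit minimum, the function names and the sample values are assumptions made for illustration.

```python
import struct

MIN_DH_BITS = 1024  # assumed local policy; a 512-bit export group falls far below it


def read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector; return (value, next_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from a DHE ServerKeyExchange body.

    Bytes after dh_Ys (the server's signature) are ignored here.
    """
    p, off = read_vec16(body, 0)
    g, off = read_vec16(body, off)
    ys, off = read_vec16(body, off)
    return tuple(int.from_bytes(v, "big") for v in (p, g, ys))


def dh_group_verdict(body, min_bits=MIN_DH_BITS):
    """Return (prime_bits, accepted) for the group the server offered."""
    p, g, ys = parse_server_dh_params(body)
    bits = p.bit_length()  # leading zero bytes in dh_p do not inflate the size
    # Degenerate generator or public value is rejected regardless of group size.
    sane = 1 < g < p - 1 and 1 < ys < p - 1
    return bits, bits >= min_bits and sane


def build_body(p, g, ys):
    """Serialise ServerDHParams; used only to construct the samples below."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample values: not real server parameters, moduli not tested for primality.
EXPORT_BODY = build_body((1 << 511) | 0x2F1, 2, 0x1234567)
STRONG_BODY = build_body((1 << 2047) | 0x2F1, 2, 0x1234567)

if __name__ == "__main__":
    for name, body in (("export-grade", EXPORT_BODY), ("2048-bit", STRONG_BODY)):
        print(name, dh_group_verdict(body))
```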
Power HMC V7.7.3.0
Power HMC V7.7.8.0
Power HMC V7.7.9.0
Power HMC V8.1.0.0
Power HMC V8.2.0.0
Power HMC V8.3.0.0
The following fixes are available on IBM Fix Central at: http://www-933.ibm.com/support/fixcentral/
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
Power HMC | V7.7.3.0 SP7 | MB03923 | Apply eFix MH01535 |
Power HMC | V7.7.8.0 SP2 | MB03924 | Apply eFix MH01536 |
Power HMC | V7.7.9.0 SP2 | MB03925 | Apply eFix MH01537 |
Power HMC | V8.8.1.0 SP2 | MB03920 | Apply eFix MH01532 |
Power HMC | V8.8.2.0 SP1 | MB03926 | Apply eFix MH01538 |
Power HMC | V8.8.3.0 | MB03927 | Apply eFix MH01539 |
Note:
1. For unsupported releases IBM recommends upgrading to a fixed, supported release of the product.
2. After applying the PTF, you should restart the HMC.
3. HMC V7.7.3 support is extended only for managing the Power 775 (9125-F2C) also called “PERCS” and “IH”. End Of Service date for managing all other server models was 2013.05.31.
None
CPE | Name | Operator | Version |
---|---|---|---|
power system hardware management console physical appliance | eq | any |