IBM04538659F2D47E517CB506D258BBD837F111577F7C1EAE6B24A915799A34897DSecurity Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3193, CVE-2015-3195, CVE-2015-1794)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.131 Low
EPSS
Percentile
94.7%
Summary
SSL vulnerabilities were disclosed on December 3rd, 2015. IBM DataPower Gateways has addressed the applicable CVEs.
Vulnerability Details
CVEID: CVE-2015-3193**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the x86_64 Montgomery squaring procedure. An attacker with online access to an unpatched system could exploit this vulnerability to obtain private key information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108502 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2015-3195**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a memory leak in a malformed X509_ATTRIBUTE structure. An attacker could exploit this vulnerability to obtain CMS data and other sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108504 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2015-1794**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an error when a client receives a ServerKeyExchange for an anonymous DH ciphersuite with the value of p set to 0. An attacker could exploit this vulnerability to trigger a segfault and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108539 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
IBM DataPower Gateways appliances all versions through 7.0.0.12, 7.1.0.9, 7.2.0.5
Remediation/Fixes
Fix is available in versions 7.0.0.13, 7.1.0.10, 7.2.0.6. Refer to APAR IT14321 for version 7.2.0.6 and APAR IT14231 for versions 7.0.0.13 and 7.1.0.10 for URLs to download the fix.
You should verify applying this fix does not cause any compatibility issues.
_For DataPower customers using versions 6.x and earlier versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product. _
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm datapower gateway | eq | 7.0.0 | |
| ibm datapower gateway | eq | 7.1 | |
| ibm datapower gateway | eq | 7.2 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.131 Low
EPSS
Percentile
94.7%