IBM082DD4D3D5A2230E0A249956C9D5318C077607F91E27D9FBA96469263417C232Security Bulletin: Vulnerabilities in OpenSSL affect Rational Insight (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0205, CVE-2015-0206)
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
Summary
OpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. OpenSSL is used by Rational Insight. Rational Insight has addressed the applicable CVEs.
Vulnerability Details
CVE-ID: CVE-2014-3569**
DESCRIPTION:OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash. CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99706> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
**
CVE-ID:* CVE-2014-3570
DESCRIPTION: An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.** CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
**
CVE-ID: CVE-2014-3571
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
**
CVE-ID: CVE-2014-3572
DESCRIPTION: OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.** CVSS Base Score: 1.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)
**
CVE-ID:* CVE-2014-8275
DESCRIPTION: OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate bypass security restrictions and perform unauthorized actions.** CVSS Base Score: 1.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)
**
CVE-ID:* CVE-2015-0205**
DESCRIPTION:OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key. CVSS Base Score: 2.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)
**
CVE-ID*: CVE-2015-0206**
DESCRIPTION**: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources** *CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99704> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
Rational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5 and 1.1.1.6
Remediation/Fixes
Apply the recommended fixes to all affected versions of Rational Insight.
Rational Insight 1.1
- Download the IBM Cognos Business Intelligence 10.1.1 Interim Fix 10.
Review technote 1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1 for detailed instructions.
Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2
- Download the IBM Cognos Business Intelligence 10.1.1 Interim Fix 10.
Read technote 1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x for the detailed instructions for patch application.
- Download the IBM Cognos Business Intelligence 10.2.1 Interim Fix 9.
Review technote 1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x for the detailed instructions for patch application.
Rational Insight 1.1.1.4 and 1.1.1.5 and 1.1.1.6
- Download the IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 8.
Review technote 1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x for the detailed instructions for patch application.
Workarounds and Mitigations
None
Related
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P