
Security Bulletin: IBM Tivoli Composite Application Manager for Transactions is affected by vulnerabilities in OpenSSL (CVE-2013-4353, CVE-2013-6450 and CVE-2013-6449)

Published: 2018-06-17 14:41:34
Source: www.ibm.com

CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:P)

Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: None; Integrity Impact: Partial; Availability Impact: Partial

Summary

Three denial-of-service vulnerabilities have been disclosed in OpenSSL. They affect the Internet Service Monitor agent of IBM Tivoli Composite Application Manager for Transactions, which ships its own copy of OpenSSL.

Vulnerability Details

CVE-ID: CVE-2013-4353

**DESCRIPTION:** A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer dereference. A malicious server could use this flaw to crash a connecting client. This issue only affected OpenSSL 1.0.1 versions.

CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90201>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2013-6450

**DESCRIPTION:** A flaw in the DTLS retransmission implementation can cause an application using OpenSSL and DTLS to crash: the retransmission code fails to properly maintain the data structures for digest and encryption contexts. A remote attacker could exploit this to crash the daemon, causing a denial of service. OpenSSL versions prior to 1.0.0 are not affected.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90069>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2013-6449

**DESCRIPTION:** A flaw in OpenSSL can cause an application using OpenSSL to crash when negotiating TLS version 1.2. This issue only affected OpenSSL 1.0.1 versions.

A remote attacker could exploit this vulnerability with specially crafted traffic from a TLS 1.2 client to crash the daemon.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90068>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM Tivoli Composite Application Manager (ITCAM) for Transactions is affected. ITCAM for Transactions consists of multiple sub-components (agents); only the Internet Service Monitor (ISM, agent code 'IS') is affected.

Versions:
· 7.4 – affected by all three CVEs (CVE-2013-4353, CVE-2013-6450 and CVE-2013-6449)
· 7.3 – affected by all three CVEs (CVE-2013-4353, CVE-2013-6450 and CVE-2013-6449)
· 7.2 – affected by all three CVEs (CVE-2013-4353, CVE-2013-6450 and CVE-2013-6449)
· 7.1 – NOT affected

Remediation/Fixes

| Product (interim fix) | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| 7.4.0.0-TIV-CAMIS-IF0003 | 7.4.0.0 | None | http://www.ibm.com/support/docview.wss?uid=isg400001744 |
| 7.3.0.1-TIV-CAMIS-IF0028 | 7.3.0.1 | None | http://www.ibm.com/support/docview.wss?uid=isg400001771 |
| 7.2.0.3-TIV-CAMIS-IF0026 | 7.2.0.3 | None | http://www.ibm.com/support/docview.wss?uid=isg400001816 |

Workarounds and Mitigations

None known
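The following triage helper is an added example, not IBM's code and not part of the bulletin. It turns the bulletin's affected-branch statements and the Remediation/Fixes table into two checks: which of the three CVEs still apply to a given OpenSSL version banner, and whether an ISM agent at a given VRMF has the listed interim fix. Two inputs are assumptions of the example rather than statements on this page: the OpenSSL fix levels (1.0.1f for all three CVEs and 1.0.0l for CVE-2013-6450, from the OpenSSL project's January 2014 advisory), and that interim fixes for one VRMF are cumulative, so any IF number at or above the listed one carries the update.

```python
"""Triage helper for the ITCAM for Transactions / OpenSSL bulletin (added example, not IBM's code)."""
import re

# Patch letter at which each CVE was fixed on each affected OpenSSL branch. The bulletin only
# says which branches are affected (4353 and 6449: 1.0.1 only; 6450: 1.0.0 and later); the
# fix levels 1.0.1f and 1.0.0l are an assumption taken from the OpenSSL project's advisory.
OPENSSL_FIXED = {
    "CVE-2013-4353": {"1.0.1": "f"},
    "CVE-2013-6449": {"1.0.1": "f"},
    "CVE-2013-6450": {"1.0.0": "l", "1.0.1": "f"},
}

_OPENSSL_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Split 'OpenSSL 1.0.1e 11 Feb 2013' into ('1.0.1', 'e'); the letter is '' for a base release."""
    m = _OPENSSL_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return m.group(1), m.group(2).lower()


def openssl_cves_affecting(banner):
    """Return the bulletin's CVEs (sorted) that still apply to the OpenSSL build named in `banner`."""
    branch, letter = parse_openssl_version(banner)
    hits = []
    for cve, fixed_at in OPENSSL_FIXED.items():
        if branch not in fixed_at:
            continue  # branch never affected (0.9.8, or 1.0.2 which post-dates the fixes)
        # 1.0.x patch releases use a single letter, so lexical order is release order and the
        # bare base release ('') sorts before 'a'.
        if letter < fixed_at[branch]:
            hits.append(cve)
    return sorted(hits)


# Interim fixes from the bulletin's Remediation/Fixes table. 7.1 is not affected; the bulletin
# names no fix for 7.2-7.4 levels other than these three VRMFs.
ISM_FIRST_FIX = {
    "7.4.0.0": "7.4.0.0-TIV-CAMIS-IF0003",
    "7.3.0.1": "7.3.0.1-TIV-CAMIS-IF0028",
    "7.2.0.3": "7.2.0.3-TIV-CAMIS-IF0026",
}

_IF_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-TIV-CAMIS-IF(\d+)$")


def ism_needs_fix(vrmf, installed_fix=None):
    """True if an ISM agent at `vrmf` with interim fix `installed_fix` (e.g. '7.4.0.0-TIV-CAMIS-IF0002',
    or None when no interim fix is applied) still needs the fix named in the bulletin.
    Anything the bulletin does not cover explicitly is treated conservatively as 'needs fix'."""
    release = ".".join(vrmf.split(".")[:2])
    if release == "7.1":
        return False  # bulletin: 7.1 is not affected
    if release not in ("7.2", "7.3", "7.4"):
        raise ValueError(f"ITCAM for Transactions {vrmf} is not covered by this bulletin")
    first_fix = ISM_FIRST_FIX.get(vrmf)
    if first_fix is None or installed_fix is None:
        return True  # affected release at a VRMF the bulletin does not patch, or no fix applied
    m = _IF_RE.match(installed_fix)
    if not m or m.group(1) != vrmf:
        return True  # unparsable, or a fix built for a different VRMF: treat as not applied
    # Assumption: interim fixes for one VRMF are cumulative, so an IF number at or above the
    # listed one carries the OpenSSL update.
    return int(m.group(2)) < int(_IF_RE.match(first_fix).group(2))


if __name__ == "__main__":
    # Constructed sample inputs, as they would come from `openssl version` and the agent inventory.
    print(openssl_cves_affecting("OpenSSL 1.0.1e 11 Feb 2013"))
    print(ism_needs_fix("7.3.0.1", "7.3.0.1-TIV-CAMIS-IF0027"))
```

The OpenSSL check is only as good as the banner you feed it: ISM links its own OpenSSL, so query the library bundled with the agent rather than the system `openssl` binary.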
