IBM0D7A334726D7F8214BDF965C6B0ED351221CB7A9A083042878EB2C3CB193A50ASecurity Bulletin: IBM Sterling Connect:Express for UNIX is Affected by the Following OpenSSL Vulnerabilities (CVE-2017-3736, CVE-2017-3737, CVE-2017-3738)
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
Summary
Security vulnerabilities were disclosed on Nov 1, 2017 and Dec 6, 2017 by the OpenSSL Project. OpenSSl is used by IBM Sterling Connect:Express for UNIX. IBM Sterling Connect:Express for UNIX has addressed the applicable CVEs.
Vulnerability Details
CVE-ID:CVE-2017-3736
**Description:**OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE-ID:CVE-2017-3737
Description: An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and high availability impact.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/136077 for more informationCVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVE-ID:CVE-2017-3738
Description: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key.
Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.
CVSS Base Score: 3.1
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/136078 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
IBM Sterling Connect:Express for UNIX 1.5.0.15
- All versions prior to 1.5.0.15 iFix 150-1507
Remediation/Fixes
The recommended solution is to apply the fix as soon as practical. Please see below for information about the available fixes.
| VRMF | APAR | Remediation/First Fix |
|---|---|---|
| 1.5.0.15 | TBD | Apply 1.5.0.15 iFix 150-1507, available on Fix Central. |
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm sterling connect:express for unix | eq | 1.5 |
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N