CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
CVSS2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Older versions of OpenSSH, used by several System x and Flex Systems products, contain multiple vulnerabilities.
Vulnerability Details:
Component | Affected Version | Included CVEs |
---|---|---|
IBM Flex System Integrated Management Module v2 (IMM2) | 1.00 to 2.60 | CVE-2010-5107 |
IBM Flex System Integrated Management Module v2 (IMM2) | 1.00 to 2.06 | CVE-2012-0814, CVE-2008-5161 |
IBM System x Integrated Management Module v2 (IMM2) | 1.00 to 2.50 | CVE-2010-5107, CVE-2012-0814, CVE-2008-5161 |
IBM Flex System Chassis Management Module (CMM) | 1.00 to 1.40.2Q (2PET10A to 2PET10Q) | CVE-2012-0814, CVE-2008-5161 |
IBM Flex System Manager (FSM) | 1.0.0 to 1.2.1 | CVE-2012-0814, CVE-2008-5161 |
IBM BladeCenter Advanced Management Module (AMM) | 1.00 to 3.64L (BPET64L) | CVE-2010-5107, CVE-2012-0814, CVE-2008-5161 |
IBM System x Integrated Management Module v1 (IMM1) | 1.00 to 1.40 | CVE-2008-5161 |
IBM System x Integrated Management Module v1 (IMM1) | 1.00 to 1.35 | CVE-2012-0814 |
CVE ID: CVE-2010-5107
Description:
The default configuration of OpenSSH versions through 6.1 allows for a possible denial of service attack.
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/82781> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CVE ID: CVE-2012-0814
Description:
A function in OpenSSH versions prior to 5.7 provides debug messages containing command options, which allows remote authenticated users to obtain potentially sensitive information.
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/72756> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE ID: CVE-2008-5161
Description:
Error handling in the SSH protocol in several SSH servers/clients, including OpenSSH 4.7p1 and possibly other versions, when using Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/46620> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
For Flex System Manager, see also this security bulletin.
None
Related Information:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
10 September 2013: Original copy published
10 January 2014: Added information regarding additional affected products, CVE-2010-5107
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.