Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM1F3EA80CCD050DBAE7E4BA521AB02C255B2885F91D48CF3DA49A63192E1BAD70
HistoryApr 14, 2023 - 2:32 p.m.

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integrated Management Module (IMM) (CVE-2016-0705 CVE-2016-0797 CVE-2016-0798 CVE-2016-0799)

2023-04-1414:32:25
www.ibm.com
16

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.952 High

EPSS

Percentile

99.3%

JSON

Summary

OpenSSL vulnerabilities were disclosed on March 1, 2016 by the OpenSSL Project. OpenSSL is used by IBM Integrated Management Module (IMM) which has addressed the applicable CVEs.

Vulnerability Details

Summary

OpenSSL vulnerabilities were disclosed on March 1, 2016 by the OpenSSL Project. OpenSSL is used by IBM Integrated Management Module (IMM) which has addressed the applicable CVEs.

IBM Integrated Management Module (IMM) is not vulnerable to CVE-2016-0800, also known as the DROWN attack.

Vulnerability Details

CVE-ID: CVE-2016-0705

Description: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.

CVSS Base Score: 3.7
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/111140&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2016-0797

Description: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the BN_hex2bn/BN_dec2bn() function. An attacker could exploit this vulnerability using specially crafted data to cause a denial of service.

CVSS Base Score: 3.7
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/111142&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2016-0798

Description: OpenSSL is vulnerable to a denial of service, caused by a memory leak in SRP servers. An attacker could exploit this vulnerability using a specially crafted username value to cause a denial of service.

CVSS Base Score: 3.7
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/111141&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2016-0799

Description: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a memory error in the BIO_*printf() functions. An attacker could exploit this vulnerability using specially crafted data to trigger an out-of-bounds read.

CVSS Base Score: 3.7
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/111143&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected products and versions

Product Affected Version
IBM Integrated Management Module (IMM) YUOO

Remediation/Fixes

Firmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/&gt;

Product Fix Version
IBM Integrated Management Module (IMM)
ibm_fw_imm_yuooh2b-1.51_windows_32-64
ibm_fw_imm_yuooh2b-1.51_linux_32-64 YUOOH2B-1.5.1

You should verify applying this fix does not cause any compatibility issues.

Workarounds and Mitigations

None.

References

Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None.

Change History
23 May 2016: Original Version Published

Related

slackware 1
ibm 58
nessus 41
aix 1
openvas 34
suse 17
nodejsblog 1
mageia 1
archlinux 2
altlinux 4
cloudfoundry 1
ubuntu 1
debian 1
gentoo 1
osv 1
freebsd_advisory 1
freebsd 2
cisco 1
openwrt 1
arista 1
centos 2
oraclelinux 1
redhat 3
amazon 1
symantec 1
fedora 2
prion 2
veracode 3
debiancve 2
openssl 2
f5 4
ubuntucve 3
cve 2
slackware
slackware
[slackware-security] openssl
2016-03-03 06:56:40
ibm
ibm
Security Bulletin: Multiple vulnerabilities in OpenSSL affect  IBM Tivoli Provisioning Manager for OS Deployment shipped with IBM Systems Director Editions
2018-06-18 01:31:31
Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Netezza Host Management
2019-10-18 03:10:29
Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Sterling B2B Integrator (CVE-2016-0702, CVE-2016-0705, CVE-2016-0798, CVE-2016-0799,  CVE-2016-0797).
2020-02-05 00:53:36
nessus
nessus
Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssl (SSA:2016-062-02) (DROWN)
2016-03-03 00:00:00
OpenSSL 1.0.1 < 1.0.1s Multiple Vulnerabilities (DROWN)
2016-03-02 00:00:00
OpenSSL 1.0.2 < 1.0.2g Multiple Vulnerabilities (DROWN)
2016-03-02 00:00:00
aix
aix
Multiple vulnerabilities in OpenSSL affect AIX
2016-04-04 11:04:25
openvas
openvas
openSUSE: Security Advisory for openssl (openSUSE-SU-2016:0627-1)
2016-03-08 00:00:00
Mageia: Security Advisory (MGASA-2016-0093)
2016-03-03 00:00:00
Slackware: Security Advisory (SSA:2016-062-02)
2022-04-21 00:00:00
suse
suse
Security update for openssl (important)
2016-03-02 12:11:42
Security update for openssl (important)
2016-03-01 18:19:06
Security update for openssl (important)
2016-03-01 18:12:06
nodejsblog
nodejsblog
OpenSSL updates, 1.0.2g and 1.0.1s
2016-02-29 00:00:00
mageia
mageia
Updated openssl packages fix security vulnerabilities
2016-03-02 21:28:46
archlinux
archlinux
lib32-openssl: multiple issues
2016-03-07 00:00:00
openssl: multiple issues
2016-03-07 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package openssl1.1 version 1.0.2g-alt1
2016-03-01 00:00:00
Security fix for the ALT Linux 8 package openssl10 version 1.0.2g-alt1
2016-03-01 00:00:00
Security fix for the ALT Linux 7 package openssl10 version 1.0.1s-alt0.M70P.1
2016-03-02 00:00:00
cloudfoundry
cloudfoundry
USN-2914-1 OpenSSL vulnerabilities | Cloud Foundry
2016-03-24 00:00:00
ubuntu
ubuntu
OpenSSL vulnerabilities
2016-03-01 00:00:00
debian
debian
[SECURITY] [DSA 3500-1] openssl security update
2016-03-01 14:34:35
gentoo
gentoo
OpenSSL: Multiple vulnerabilities
2016-03-20 00:00:00
osv
osv
openssl - security update
2016-03-01 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-16:12.openssl
2016-03-10 00:00:00
freebsd
freebsd
FreeBSD -- Multiple OpenSSL vulnerabilities
2016-03-10 00:00:00
node -- multiple vulnerabilities
2016-03-02 00:00:00
cisco
cisco
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016
2016-03-02 12:30:00
openwrt
openwrt
openssl: Security update (9 CVEs)
2016-03-01 16:52:09
arista
arista
Security Advisory 0018
2016-03-01 00:00:00
centos
centos
openssl security update
2016-03-01 16:09:29
openssl security update
2016-03-01 16:57:33
oraclelinux
oraclelinux
openssl security update
2016-03-01 00:00:00
redhat
redhat
(RHSA-2016:0379) Important: rhev-hypervisor security, bug fix and enhancement update
2016-03-09 00:00:00
(RHSA-2016:0301) Important: openssl security update
2016-03-01 00:00:00
(RHSA-2016:0302) Important: openssl security update
2016-03-01 00:00:00
amazon
amazon
Important: openssl
2016-03-10 16:30:00
symantec
symantec
SA117 : OpenSSL Vulnerabilities 1-Mar-2016
2016-03-07 08:00:00
fedora
fedora
[SECURITY] Fedora 22 Update: openssl-1.0.1k-14.fc22
2016-03-13 09:57:52
[SECURITY] Fedora 23 Update: openssl-1.0.2g-2.fc23
2016-03-03 20:27:06
prion
prion
Double free
2016-03-03 20:59:00
Memory corruption
2016-03-03 20:59:00
veracode
veracode
Denial Of Service (DoS)
2019-01-15 09:25:17
Denial Of Service (DoS)
2017-02-03 08:16:26
Denial Of Service (DoS)
2017-02-03 09:14:56
debiancve
debiancve
CVE-2016-0705
2016-03-03 20:59:00
CVE-2016-0798
2016-03-03 20:59:00
openssl
openssl
Vulnerability in OpenSSL CVE-2016-0705
2016-03-01 00:00:00
Vulnerability in OpenSSL CVE-2016-0798
2016-03-01 00:00:00
f5
f5
SOL17232507 - OpenSSL vulnerability CVE-2016-0798
2016-03-23 00:00:00
K17232507 : OpenSSL vulnerability CVE-2016-0798
2016-03-23 00:00:00
SOL93122894 - OpenSSL vulnerability CVE-2016-0705
2016-03-24 00:00:00
ubuntucve
ubuntucve
CVE-2016-0798
2016-03-01 00:00:00
CVE-2016-0705
2016-02-22 00:00:00
CVE-2016-0797
2016-03-01 00:00:00
cve
cve
CVE-2016-0798
2016-03-03 20:59:00
CVE-2016-0705
2016-03-03 20:59:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.952 High

EPSS

Percentile

99.3%

JSON
Related for 1F3EA80CCD050DBAE7E4BA521AB02C255B2885F91D48CF3DA49A63192E1BAD70
slackware1ibm58nessus41aix1openvas34suse17nodejsblog1mageia1archlinux2altlinux4cloudfoundry1ubuntu1debian1gentoo1osv1freebsd_advisory1freebsd2cisco1openwrt1arista1centos2oraclelinux1redhat3amazon1symantec1fedora2prion2veracode3debiancve2openssl2f54ubuntucve3cve2