9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
There are multiple vulnerabilities in GSKit that affect IBM Tivoli Directory Server and IBM Security Directory Server for AIX.
CVEID: CVE-2018-1388 DESCRIPTION: GSKit V7 may disclose side channel information via discrepencies between valid and invalid PKCS#1 padding.
CVSS Base Score: 9.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138212> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2018-1427 DESCRIPTION: IBM GSKit contains several enviornment variables that a local attacker could overflow and cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2018-1426 DESCRIPTION: IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2016-0702 DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys.
CVSS Base Score: 2.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-1447 DESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
AIX 5.3, 6.1, 7.1, 7.2
The following fileset levels (VRMF) are vulnerable, if the respective IBM Tivoli Directory Server (ITDS) or IBM Security Directory Server (ISDS) version is installed:
Affected IBM Security Directory Server | Affected Versions |
---|---|
IBM Tivoli Directory Server on AIX | 6.2 - 6.2.0.55, 6.3 - 6.3.0.48 |
IBM Security Directory Server on AIX | 6.3.1 - 6.3.1.23, 6.4 - 6.4.0.15 |
Note: To find out whether the affected ITDS or ISDS filesets are installed on your systems, refer to the lslpp command found in AIX user’s guide.
Example: lslpp -L | grep -i itds
Note: Recommended remediation is to always install the most recent package available for the respective IBM Tivoli Directory Server or IBM Security Directory Server version.
Affected IBM Security Directory Server | VRMF | Remediation |
---|---|---|
IBM Tivoli Directory Server | 6.2 - 6.2.0.55 | 6.2.0.56-ISS-ITDS-IF0056 |
IBM Tivoli Directory Server | 6.3 - 6.3.0.48 | 6.3.0.49-ISS-ITDS-IF0049 |
IBM Security Directory Server | 6.3.1 - 6.3.1.23 | 6.3.1.24-ISS-ISDS-IF0024 |
IBM Security Directory Server | 6.4 - 6.4.0.15 | 6.4.0.16-ISS-ISDS-IF0016 |
None.
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N