Security Bulletin: Vulnerabilities in OpenSSL affect IBM MessageSight (CVE-2015-0209, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293)

Published: 2018-06-25 05:54:54
Source: www.ibm.com

CVSS2 score: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

Summary

OpenSSL vulnerabilities were disclosed in March 2015 by the OpenSSL Project. OpenSSL is used by IBM MessageSight. IBM MessageSight has addressed the applicable CVEs.

Vulnerability Details

CVE-ID: CVE-2015-0209

DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error in the d2i_ECPrivateKey or EVP_PKCS82PKEY function. An attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system and cause a denial of service.

CVSS Base Score: 7.5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101674 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2015-0288

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error in the X509_to_X509_REQ function. An attacker could exploit this vulnerability to trigger a NULL pointer dereference.

CVSS Base Score: 5.0

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101675 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2015-0289

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle missing outer ContentInfo by the PKCS#7 parsing code. An attacker could exploit this vulnerability using a malformed ASN.1-encoded PKCS#7 blob to trigger a NULL pointer dereference.

CVSS Base Score: 5.0

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101669 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2015-0292

DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an error when processing base64-encoded data. An attacker could exploit this vulnerability using specially crafted base64 data to corrupt memory and execute arbitrary code on the system or cause a denial of service.

CVSS Base Score: 7.5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101670 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2015-0293

DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending a specially-crafted SSLv2 CLIENT-MASTER-KEY message, a remote attacker could exploit this vulnerability to trigger an assertion.

CVSS Base Score: 5.0

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101671 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM MessageSight 1.2 and earlier.

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
IBM MessageSight | 1.1 | IT09152 | 1.1.0.1-IBM-IMA-IFIT09152
IBM MessageSight | 1.2 | IT09152 | 1.2.0-IBM-IMA-Physical-FP0001; 1.2.0-IBM-IMA-BareMetal-FP0001; 1.2.0-IBM-IMA-SoftLayerVirtual-FP0001; 1.2.0-IBM-IMA-VirtualEdition-FP0001

CPE Name | Operator | Version
---|---|---
ibm messagesight | eq | 1.1
ibm messagesight | eq | 1.2
