7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.974 High
EPSS
Percentile
99.9%
Security vulnerability has been discovered in OpenSSL
**DESCRIPTION:**FlashSystem 840 uses OpenSSL to protect connection from external management applications which use SMI-S to its CIM client.
Affected versions of OpenSSL do not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, a.k.a. the “CCS Injection” vulnerability.
An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client and a vulnerable server. However, as of when this CVE was posted, all OpenSSL clients were vulnerable (i.e. in all versions of OpenSSL). And in code levels before 1.1.2.0, the FlashSystem 840 has a vulnerable OpenSSL server.
CVSS v2 Base Score: 6.8
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/93586>
CVSS Vector: (AV:N/AC:M/AU:N/C:P/I:P/A:P)
_FlashSystem 840 including machine type models (all available code levels) _
9840-AE1 & 9843-AE1
Products
| VRMF| APAR| Remediation/First Fix
—|—|—|—
9840-AE1,
9843-AE1,| A code fix is now available, the VRMF of this code level is 1.1.2.2| N/A| _The recommended remediation is to apply this code fix for this OpenSSL vulnerability. _
A user could potentially restrict his network so that there is no opportunity for an attacker to insert himself as man-in-the-middle.
CPE | Name | Operator | Version |
---|---|---|---|
ibm flashsystem 900 | eq | any |
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.974 High
EPSS
Percentile
99.9%