IBM3445C3BC85AD15661917A9F076E0B20F2C42159E717B1EF5D7326C94AC358E67Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Network Active Bypass (CVE-2015-5229, CVE-2015-8776)
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
Summary
OpenSSL vulnerabilities were found in IBM Security Network Active Bypass. IBM Security Network Active Bypass has addressed the applicable CVEs.
Vulnerability Details
CVEID: CVE-2015-5229**
DESCRIPTION:** GNU C Library (glibc) is vulnerable to a denial of service, caused by the return of memory areas containing non-zero bytes by the calloc implementation. A remote attacker could exploit this vulnerability to cause the application to crash or hang.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110711 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2015-8776**
DESCRIPTION:** GNU C Library (glibc) is vulnerable to a denial of service. By passing out-of-range time values to the strftime function, a remote attacker could exploit this vulnerability to cause a segmentation fault or obtain sensitive information.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110675 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
Affected Products and Versions
IBM Security 1G Network Active Bypass firmware version 1.X firmware levels 1.0.849 through 3.30.4-12
IBM Security 10G Network Active Bypass firmware versions 1.x firmware levels 1.0.1876 through 3.30.4-12
Remediation/Fixes
Product
| VRMF| Remediation/First Fix
—|—|—
IBM Security Proventia Network Active Bypass| 1.X| Proventia 1G NAB Update 20 (fw 3.30.5-21) IBM Security Proventia Network Active Bypass| 1.X | Proventia 10G NAB Update 17 (fw 3.30.5-21)
For IBM Security Proventia Network Active Bypass products at the following firmware versions:
IBM Security 1G Network Active Bypass firmware version 1.X firmware levels 1.0.849 through 3.30.4-12
IBM Security 10G Network Active Bypass firmware versions 1.x firmware levels 1.0.1876 through 3.30.4-12
IBM recommends upgrading to 3.30.5-21, the supported firmware release of the product.
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm security network active bypass | eq | 3.0 |
Related
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P