Security Bulletin: Vulnerabilities disclosed by OpenSSL project on August 6, 2014 that impact DataPower (CVE-2014-3508 and CVE-2014-3511)

Summary

There were multiple vulnerabilities disclosed on August 6, 2014 by the OpenSSL Project. Two of them impact DataPower appliances.

Vulnerability Details

CVE-ID: CVE-2014-3508

DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in OBJ_obj2txt. If applications echo pretty printing output, an attacker could exploit this vulnerability to read information from the stack.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95165 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-3511

DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol versions by the OpenSSL SSL/TLS server code when handling a badly fragmented ClientHello message. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to TLS 1.0.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95162 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Note that the following vulnerabilities disclosed on the same day do not impact DataPower appliances:

CVE-ID: CVE-2014-3512
CVE-ID: CVE-2014-3509
CVE-ID: CVE-2014-3506
CVE-ID: CVE-2014-3507
CVE-ID: CVE-2014-3505
CVE-ID: CVE-2014-3510
CVE-ID: CVE-2014-5139

Affected Products and Versions

WebSphere DataPower SOA Appliances all versions through 5.0.0.16, 6.0.0.8, 6.0.1.4 and 7.0.0.1.

Remediation/Fixes

Fix is available in versions 5.0.0.17, 6.0.0.9, 6.0.1.5, and 7.0.0.2. Refer to APAR IT03874 and APAR IT03868 URLs to download the fix.

Workarounds and Mitigations

None known