Jun 17, 2018 - 2:42 p.m.

Security Bulletin: IBM Tivoli Netcool System Service Monitors/Application Service Monitors is affected by the following libcURL vulnerabilities: (CVE-2014-0139, CVE-2014-0138)

2018-06-17 14:42:46
www.ibm.com
6.4 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

Summary

Security vulnerabilities have been discovered in Open Source cURL/libcURL that were reported on March 26, 2014 by the cURL/libcURL Project.

Vulnerability Details

CVE-ID: CVE-2014-0139

**DESCRIPTION:** cURL/libcURL could allow a remote attacker to bypass security restrictions, caused by an error in the hostmatch() function when validating certificates containing an IP address with a wildcard match within the Common Name field. By sending a specially-crafted SSL certificate containing wildcard characters, a remote attacker could exploit this vulnerability to spoof the server and launch further attacks on the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92130> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
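
The class of check that CVE-2014-0139 concerns, as an added C example (not libcurl's code and not part of the IBM bulletin): a naive wildcard matcher beside a stricter one that refuses wildcards when the connect target is an IP literal. The function names, the sample address and the sample certificate name are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Returns 1 when host parses as an IPv4 or IPv6 literal. */
static int is_ip_literal(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Naive matcher (illustrative): "*." swallows the first label of host
 * without asking whether host is a DNS name or an IP address. */
int naive_hostmatch(const char *host, const char *pattern)
{
    const char *dot;
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(host, pattern) == 0;
    dot = strchr(host, '.');
    return dot != NULL && strcasecmp(dot, pattern + 1) == 0;
}

/* Stricter matcher (illustrative): wildcards never apply to IP literals,
 * and only a single leading "*." over at least two labels is accepted. */
int strict_hostmatch(const char *host, const char *pattern)
{
    const char *dot;
    if (strchr(pattern, '*') == NULL)
        return strcasecmp(host, pattern) == 0;   /* exact match only */
    if (is_ip_literal(host))
        return 0;                                /* no wildcard for IPs */
    if (strncmp(pattern, "*.", 2) != 0 ||
        strchr(pattern + 2, '*') != NULL ||
        strchr(pattern + 2, '.') == NULL)
        return 0;                                /* reject "*", "*.com", "a*b" */
    dot = strchr(host, '.');
    return dot != NULL && dot != host && strcasecmp(dot, pattern + 1) == 0;
}

int main(void)
{
    /* Constructed inputs: an IP connect target and a wildcard certificate name. */
    printf("naive:  %d\n", naive_hostmatch("192.168.0.1", "*.168.0.1"));
    printf("strict: %d\n", strict_hostmatch("192.168.0.1", "*.168.0.1"));
    return 0;
}
```
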

CVE-ID: CVE-2014-0138

**DESCRIPTION:** cURL/libcURL could allow a remote attacker to bypass security restrictions, caused by the re-use of previously used connections when processing new requests. An attacker could exploit this vulnerability to hijack the privileges of a different user’s session and launch further attacks on the system.

CVSS Base Score: 6.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92131> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P)

Affected Products and Versions

SSM 4.0.0 FP1 - FP14 and Interim Fix 14-02
SSM 4.0.1 FP1 and Interim Fix 01-01

Remediation/Fixes

For Version 4.0.0
- Apply SSM 4.0.0.14 Interim Fix 03: http://www.ibm.com/support/docview.wss?uid=isg400001838

For Version 4.0.1
- Apply SSM 4.0.1.1 Interim Fix 02: http://www.ibm.com/support/docview.wss?uid=isg400001832

Workarounds and Mitigations

None known

| CPE Name | Operator | Version |
| --- | --- | --- |
| netcool/system service monitor | eq | 4.0 |