Security Bulletin: Security vulnerabilities have been identified in OpenSSL, IBM Java Runtime and the microcode shipped with the DS8000 Hardware Management Console (HMC)

Summary

The updates indicated below have been released to address the following vulnerabilities:
CVE-2016-2107 MITM attack in OpenSSL,
CVE-2016-5547 Denial of service in IBM Runtime Environment Java™
CVE-2017-1123 Escalation of privilege in the DS8000 HMC

Vulnerability Details

CVEID: CVE-2016-2107**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error when the connection uses an AES CBC cipher and the server supports AES-NI. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt traffic.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112854 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) CVEID: CVE-2016-5547

CVEID: CVE-2016-5547**
DESCRIPTION:** An unspecified vulnerability related to the Libraries component could allow a remote attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120871 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-1123**
DESCRIPTION:** A vulnerability in the IBM DS8000 Hardware Management Console (HMC), could allow a user logged into the HMC Service Interface, to gain elevated privilege.
CVSS Base Score: 9.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121249 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)** **

Affected Products and Versions

DS8800 R8.2 up to 88.22.33.00

DS8800 R8.1 up to 88.11.45.00

DS8800 R8.0 all versions 88.0x.xx.xx

DS8870 R7.x all versions 87.xx.xx.xx

DS8800 R6.x all versions 86.xx.xx.xx

Remediation/Fixes

Patches contained in CVE_1Q2018_v1.0

All the above vulnerabilities are remediated by requesting the application of CVE_1Q2018_v1.0 through the normal hardware support channels. Please read the notes below carefully before applying this set of patches.

This patch release is cumulative and supersedes all prior security patches.

The remediation fixes are supported in the levels noted below. Note that R8.3 is not impacted. Customers who have levels below the supported levels should update to at least the current recommended level before applying the patches.

For the current recommended code levels, please consult:
<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004456&gt;

Levels supported for the application of CVE_1Q2018_v1.0

DS8800| R6.3| 86.31.195.0 and above|

IMPORTANT NOTES - PLEASE READ

• After applying CVE_1Q2018_v1.0 customers, following code updates MUSTbe to at least the recommended code level. Updating to lower levels is not supported.
• Application of CVE_1Q2018_v1.0 will disable prior patches which re-enabled SSLv3. Enablement of SSLv3 is no longer supported and all instances of TPC , DSLCI and other utilities** MUST** be updated to levels which support TLS1.2 before applying the corrective patch
• See the table below for supported DSLCI levels. Before installing these levels, please ensure that the client Java has been updated to the current supported levels and at least to Java 7.
• A side effect of this patch is to strengthen cipher configurations and to remove the use of triple DES (3DES) as a cipher .
• IBM strongly recommends disabling the use of the legacy DSCLI (port 1750) either by following the instructions at <http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005735&gt; or by enabling NIST-800-131a mode following the instructions given in <http://www.redbooks.ibm.com/redpapers/pdfs/redp5069.pdf&gt;.
• This patch release also contains updates to configurations related to general hardening of the system for supported ciphers, firewall rules, NTP restrictions, SSH, and call home CA certificates.

DSCLI Client Levels

CVE-2017-1123

Since this vulnerability has a very high CVSS score, a separate patch is being made available, which is installable on any level of impacted microcode at, or above the minimum supported level.

Customers who elect to patch ONLYthis vulnerability should request that CVE_2017-1123_V1.0 be applied to their system(s). IBM does however, recommend that the complete set of patches be applied.

The following levels of code (and higher levels) are**NOT **exposed to CVE-2017-1123. All levels of code below these levels ( eg DS8880 R8.0 88.0x.xx.xx) are exposed.

DS888x| R8.2| 88.22.33.0| R8.0 and R8.1 are affected
DS888x| R8.1| 88.11.45.0 |

DS8870| R7.5| 87.51.77.0|

DS8800| R6.3| 86.31.215.0|

Workarounds and Mitigations

NA