CVSS3 | 5.9 Medium |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |

CVSS2 | 5 Medium |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |

EPSS | 0.967 High |
---|---|
Percentile | 99.7% |

Note: the headline CVSS and EPSS figures above are the database's own rating for this bulletin; they differ from the per-CVE base scores that IBM gives in the bulletin text (4.3, 5.3 and 9.9), so use IBM's vectors when prioritising the individual fixes.
The updates indicated below have been released to address the following vulnerabilities:
CVE-2016-2107: padding-oracle (man-in-the-middle) attack in OpenSSL
CVE-2016-5547: denial of service in IBM Runtime Environment Java™
CVE-2017-1123: escalation of privilege in the DS8000 HMC
CVEID: CVE-2016-2107
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a flaw in the padding check of the AES-NI CBC code path, reached when the connection uses an AES CBC cipher suite and the server supports AES-NI. An attacker positioned as a man-in-the-middle can use the resulting padding oracle, an attack of the same kind as POODLE (Padding Oracle On Downgraded Legacy Encryption), to decrypt traffic.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112854 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2016-5547
DESCRIPTION: An unspecified vulnerability related to the Libraries component could allow a remote attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120871 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-1123
DESCRIPTION: A vulnerability in the IBM DS8000 Hardware Management Console (HMC) could allow a user logged into the HMC Service Interface to gain elevated privilege.
CVSS Base Score: 9.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121249 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Affected products and versions:
DS8880 R8.2 up to 88.22.33.00
DS8880 R8.1 up to 88.11.45.00
DS8880 R8.0 all versions 88.0x.xx.xx
DS8870 R7.x all versions 87.xx.xx.xx
DS8800 R6.x all versions 86.xx.xx.xx
Patches contained in CVE_1Q2018_v1.0
All the above vulnerabilities are remediated by requesting the application of CVE_1Q2018_v1.0 through the normal hardware support channels. Please read the notes below carefully before applying this set of patches.
This patch release is cumulative and supersedes all prior security patches.
The remediation fixes are supported in the levels noted below. Note that R8.3 is not impacted. Customers who have levels below the supported levels should update to at least the current recommended level before applying the patches.
For the current recommended code levels, please consult:
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004456
Levels supported for the application of CVE_1Q2018_v1.0
Model | Level | VRM supported | Notes |
---|---|---|---|
DS888x | R8.2 | 88.20.0.0-88.23.27.0 | Levels above 88.23.27.0 are not impacted. |
DS888x | R8.1 | 88.11.45.0 only | Other levels must update to a supported level. |
DS8870 | R7.5 | 87.51.63.0 and above | |
DS8800 | R6.3 | 86.31.195.0 and above | |
IMPORTANT NOTES - PLEASE READ
DSCLI Client Levels
DS8000 Level | DSCLI level minimum / preferred |
---|---|
R8.x | 7.8.23.87 / 7.8.31.126 |
R6.3 and R7.5 | 7.8.23.87 / 7.8.24.11 |
The latest versions of DSCLI for your system can be located at:
https://www.ibm.com/support/fixcentral/options
CVE-2017-1123
Because this vulnerability has a very high CVSS score, a separate patch is also being made available; it can be installed on any level of impacted microcode at or above the minimum supported level.
Customers who elect to patch ONLY this vulnerability should request that CVE_2017-1123_V1.0 be applied to their system(s). IBM does, however, recommend that the complete set of patches be applied.
The following levels of code (and higher levels) are NOT exposed to CVE-2017-1123. All levels of code below these levels (e.g. DS8880 R8.0 88.0x.xx.xx) are exposed.
Model | Level | VRM | Notes |
---|---|---|---|
DS888x | R8.3 | Not affected | |
DS888x | R8.2 | 88.22.33.0 | R8.0 (all levels) and R8.1 below 88.11.45.0 are affected. |
DS888x | R8.1 | 88.11.45.0 | |
DS8870 | R7.5 | 87.51.77.0 | |
DS8800 | R6.3 | 86.31.215.0 | |
CPE
Name | Operator | Version |
---|---|---|
ds8880 | eq | any |
disk systems->ds8870 | eq | any |
ibm ds8800 | eq | any |