History: Jun 17, 2018 - 2:58 p.m.

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-0209, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289)

2018-06-17 14:58:21
www.ibm.com
CVSS2: 6.8 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Summary

OpenSSL vulnerabilities were disclosed on March 19, 2015 by the OpenSSL Project. OpenSSL is used by IBM Tivoli Netcool System Service Monitors/Application Service Monitors. IBM Tivoli Netcool System Service Monitors/Application Service Monitors has addressed the applicable CVEs.

Vulnerability Details

CVE-ID: CVE-2015-0209

DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error in the d2i_ECPrivateKey or EVP_PKCS82PKEY function. An attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system and cause a denial of service.

CVSS Base Score: 7.50
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101674 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2015-0287

DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an error related to the reuse of a structure in ASN.1 parsing. An attacker could exploit this vulnerability using an invalid write to corrupt memory and execute arbitrary code on the system.

CVSS Base Score: 7.50
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2015-0288

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error in the X509_to_X509_REQ function. An attacker could exploit this vulnerability to trigger a NULL pointer dereference.

CVSS Base Score: 5.00
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101675 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2015-0289

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle missing outer ContentInfo by the PKCS#7 parsing code. An attacker could exploit this vulnerability using a malformed ASN.1-encoded PKCS#7 blob to trigger a NULL pointer dereference.

CVSS Base Score: 5.00
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101669 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

SSM 4.0.0 FP1 - FP14 and Interim Fix 14-01 – Interim Fix 14-04
SSM 4.0.1 FP1 – FP2

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
4.0.1.2-TIV-SSM-IF0001 | 4.0.1.2 | None | http://www.ibm.com/support/docview.wss?uid=isg400002085
4.0.0.14-TIV-SSM-IF0005 | 4.0.0.14 | None | http://www.ibm.com/support/docview.wss?uid=isg400002088

Workarounds and Mitigations

None

CPE | Name | Operator | Version
---|---|---|---
| netcool/system service monitor | eq | 4.0