Security Bulletin: Vulnerability in NSS affects Power Hardware Management Console (CVE-2017-7805)

Summary

NSS is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2017-7805**
DESCRIPTION:** Potential use-after-free in TLS 1.2 server when verifying client authentication
A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application.
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products and Versions

Power HMC V8.8.4.0
Power HMC V8.8.5.0
Power HMC V8.8.6.0
Power HMC V8.8.7.0

Remediation/Fixes

The following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/&gt;

Product

|

VRMF

|

APAR

|

Remediation/Fix

—|—|—|—

Power HMC

|

V8.8.4.0 SP3

|

MB04104

|

MH01720

Power HMC

|

V8.8.5.0 SP3

|

MB04105

|

MH01721

Power HMC

|

V8.8.6.0 SP2

|

MB04118

|

MH01731

Power HMC

|

V8.8.7.1 ppc

|

MB04114

|

MH01726

Power HMC

|

V8.8.7.1 x86

|

MB04113

|

MH01725

Workarounds and Mitigations

None