Jun 17, 2018 - 3:16 p.m.

Security Bulletin: A vulnerability in the GSKit component of Tivoli Network Manager IP Edition (CVE-2016-0201)

2018-06-17 15:16:16
www.ibm.com

CVSS3: 5.9 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

A vulnerability has been addressed in the GSKit component of Tivoli Network Manager IP Edition.

Vulnerability Details

CVEID: CVE-2016-0201
DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by an MD5 collision. An attacker could exploit this vulnerability to obtain authentication credentials.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109310 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

  • IBM Tivoli Network Manager 3.8 is not affected by the GSKit advisory.
  • IBM Tivoli Network Manager 3.9 bundles Informix Ultimate Edition 11.5 or 11.7, depending on fixpack level.

Please consult the security bulletin for Informix Dynamic Server for vulnerability details and information about fixes.

  • IBM HTTP Server shipped in IBM Tivoli Network Manager is affected by this GSKit advisory.

Please use the chart below to upgrade the appropriate IBM HTTP Server.
Information about a GSKit security vulnerability affecting IBM HTTP Server has been published in a security bulletin:
Vulnerabilities in the GSKit component of IBM HTTP Server (CVE-2016-0201 and CVE-2015-7420)

| Principal Product and Version(s) | Affected Supporting Product and Version |
|---|---|
| IBM Tivoli Network Manager 3.9 | Bundled the TIP version 2.1.0.x, which bundles IBM WebSphere version 7.0.0.x. |
| IBM Tivoli Network Manager 4.1 and 4.1.1 | Bundled the TIP version 2.2.0.x, which bundles IBM WebSphere version 7.0.0.x. |

Remediation/Fixes

Tivoli Network Manager IP Edition Interim Fixes for GSKit:
Note: The SSL connection between Tivoli Network Manager IP Edition and Tivoli Netcool/OMNIbus is affected.
Single server SSL users, who have OMNIbus and the Network Manager core component on the same server, should upgrade to an appropriate OMNIbus fixpack to obtain the GSKit fix. Users with a remote OMNIbus SSL connection should upgrade to IBM GSKit 8.0.50.57 by applying the Interim Fix below on the Network Manager core server.

| Affected Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| Tivoli Network Manager IP Edition | 3.9.0.4 | IV81159 | IBM Tivoli Network Manager IP Edition 3.9 FP4 GSkit Interim Fix |
| Tivoli Network Manager IP Edition | 4.1 | IV81159 | IBM Tivoli Network Manager IP Edition 4.1.0 GSkit Interim Fix |
| Tivoli Network Manager IP Edition | 4.1.1.1 | IV81159 | IBM Tivoli Network Manager IP Edition 4.1.1 GSkit Interim Fix |
| Tivoli Network Manager IP Edition | 4.2 | IV81159 | IBM Tivoli Network Manager IP Edition 4.2 GSkit Interim Fix |
