Lucene search

K
ibmIBM4C62280F93124FD0C7C5C20CA30CD4D137F1D0A9E1E35780DCDE98EDBCFD8B1B
HistoryJun 14, 2021 - 9:22 p.m.

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2020-1971, CVE-2021-23840, CVE-2021-23841)

2021-06-1421:22:33
www.ibm.com
20
openssl
ibm spectrum protect
netapp services
denial of service
vulnerabilities
null pointer
integer overflow
cve-2020-1971
cve-2021-23840
cve-2021-23841
ibm support pages
fixes
linux
windows

EPSS

0.008

Percentile

82.3%

Summary

OpenSSL vulnerabilities were disclosed on December 8, 2020 and February 16, 2021 by the OpenSSL Project. OpenSSL, used by the IBM Spectrum Protect Backup-Archive Client for network connections with NetApp services, has addressed the applicable CVEs. UPDATED: 14 June 2021 - Added 7.1 fix

Vulnerability Details

CVEID:CVE-2020-1971
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference. If the GENERAL_NAME_cmp function contain an EDIPARTYNAME, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192748 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-23840
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196848 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-23841
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the X509_issuer_and_serial_hash() function. By parsing the issuer field, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196847 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Spectrum Protect Backup-Archive Client 8.1.0.0-8.1.11.0
7.1.0.0-7.1.8.10

Remediation/Fixes

IBM Spectrum Protect
Client Release

|

First Fixing
VRM Level

| Platform| Link to Fix
—|—|—|—
8.1| 8.1.12
| Linux
Windows|

<https://www.ibm.com/support/pages/node/6443671&gt;

7.1
| 7.1.8.11
| Linux
Windows
|

<https://www.ibm.com/support/pages/node/316619&gt;

Workarounds and Mitigations

None