History: Sep 26, 2022 - 3:31 a.m.

Security Bulletin: Multiple vulnerabilities exist in the OpenSSL component of IBM Initiate Master Data Service and IBM InfoSphere Master Data Management Standard Edition (CVE-2013-0166, CVE-2013-0169, CVE-2012-2686)

Published: 2022-09-26 03:31:32 (www.ibm.com)
EPSS: 0.651 (Medium), percentile 97.9%

Abstract

Three security vulnerabilities exist in the version of OpenSSL shipped with IBM Initiate Master Data Service and IBM InfoSphere Master Data Management Standard Edition. See the individual descriptions for the details.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-0166

DESCRIPTION:
A flaw in the OpenSSL handling of OCSP response verification can be exploited in a denial of service attack.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81904 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-0169

DESCRIPTION:
A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS could lead to plaintext recovery by exploiting timing differences arising during MAC processing.
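The sentence above compresses the whole issue into "timing differences during MAC processing". The following illustration, added here and not taken from the bulletin or from OpenSSL, shows the shape of the defect and of the mitigation on the receiver side of a MAC-then-encrypt CBC record. Encryption is left out: both verifiers take the already-decrypted record (payload, HMAC tag, padding bytes, padding-length byte), which is exactly where a TLS CBC receiver must check padding and then verify the MAC. The key, the record layout helper and the instrumentation counter are all constructed for this example.

```python
"""Naive vs. hardened verification of a decrypted TLS-style CBC record.

Illustrative code written for this page (not OpenSSL's implementation).
The naive verifier stops as soon as the padding is wrong, so it never runs
the MAC on a padding error; a remote party can therefore tell padding
failures from MAC failures by timing. The hardened verifier always computes
the MAC over a record with "zero-length" padding when the padding is invalid
and collapses both failures into one result, which is the essence of the fix
(the real OpenSSL change additionally pins the number of hash compression
calls, which this illustration does not model).
"""
import hashlib
import hmac

MAC_LEN = hashlib.sha1().digest_size  # TLS 1.x HMAC-SHA1 tag: 20 bytes
BLOCK = 16                            # AES block size; only used to size padding

# Constructed sample key, not from any real session.
KEY = b"\x01" * 20


class Counter:
    """Instrumentation: how many times the MAC was actually computed."""
    mac_calls = 0


def mac(key: bytes, data: bytes) -> bytes:
    Counter.mac_calls += 1
    return hmac.new(key, data, hashlib.sha1).digest()


def build_record(key: bytes, payload: bytes) -> bytes:
    """TLS-style layout: payload || HMAC || pad bytes || pad_len (every pad byte == pad_len)."""
    body = payload + mac(key, payload)
    pad_len = BLOCK - 1 - (len(body) % BLOCK)
    return body + bytes([pad_len]) * (pad_len + 1)


def _padding_valid(dec: bytes) -> bool:
    pad_len = dec[-1]
    if pad_len + 1 > len(dec) - MAC_LEN:
        return False
    return all(b == pad_len for b in dec[-(pad_len + 1):])


def verify_naive(key: bytes, dec: bytes) -> bool:
    """Vulnerable shape: early exit on bad padding, MAC never computed."""
    if len(dec) < MAC_LEN + 1:
        return False
    if not _padding_valid(dec):
        return False                      # distinguishable: no MAC work done
    body = dec[:-(dec[-1] + 1)]
    return hmac.compare_digest(mac(key, body[:-MAC_LEN]), body[-MAC_LEN:])


def verify_hardened(key: bytes, dec: bytes) -> bool:
    """Mitigated shape: MAC is computed on every path, one combined verdict."""
    if len(dec) < MAC_LEN + 1:
        return False
    pad_ok = _padding_valid(dec)
    # On invalid padding, behave as if the padding were zero-length so the
    # MAC is still computed over a plausible body instead of being skipped.
    effective_pad = dec[-1] + 1 if pad_ok else 0
    body = dec[:len(dec) - effective_pad]
    mac_ok = hmac.compare_digest(mac(key, body[:-MAC_LEN]), body[-MAC_LEN:])
    return pad_ok & mac_ok                # non-short-circuit: both already evaluated


def demo() -> dict:
    """Run both verifiers over a good record, a padding-corrupted record and a
    payload-corrupted record; return (verdict, mac_calls) per case."""
    good = build_record(KEY, b"GET /index.html HTTP/1.1\r\n")
    bad_pad = good[:-1] + bytes([good[-1] ^ 0xFF])   # break the padding-length byte
    tampered = bytearray(good)
    tampered[0] ^= 0x01                              # flip one payload bit -> MAC mismatch
    bad_mac = bytes(tampered)

    results = {}
    for name, verifier in (("naive", verify_naive), ("hardened", verify_hardened)):
        outcomes = []
        for record in (good, bad_pad, bad_mac):
            Counter.mac_calls = 0
            outcomes.append((verifier(KEY, record), Counter.mac_calls))
        results[name] = outcomes
    return results


if __name__ == "__main__":
    for name, outcomes in demo().items():
        print(name, outcomes)
```

In the naive column the padding-error case reports zero MAC computations while the MAC-error case reports one; that asymmetry is the observable the description refers to. In the hardened column every case costs one MAC computation and returns the same single failure verdict.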

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2012-2686

DESCRIPTION:
A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms can be exploited in a DoS attack.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81903 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS:

· IBM Initiate Master Data Service versions 9.5 and 9.7
· IBM InfoSphere Master Data Management Standard Edition versions 10.0 and 10.1

REMEDIATION:

Fixes:

Important Limitation:

Resolution of the vulnerabilities in this security bulletin is accomplished by installing and using a later version of OpenSSL. On AIX, and on AIX only, the current version of OpenSSL has known breaking issues in TLS when FIPS mode is enabled. Based on this, FIPS mode is disabled when the version of OpenSSL included in the fixes below is installed for use by brokers on AIX. No change is made to the current configuration of FIPS mode for OpenSSL when installing the fixes below on any other operating system.

An attempt to enable FIPS mode for OpenSSL on AIX after installing the fixes below will result in a FIPS fingerprint error in the broker logs.

· For IBM Initiate Master Data Service version 9.5:
o Install “September 2013 Fix Pack for v9.5 MDS”

· For IBM Initiate Master Data Service version 9.7:
o Install “September 2013 Fix Pack for v9.7 MDS”

· For IBM InfoSphere Master Data Management Standard Edition version 10.0:
o Install “September 2013 Fix Pack for v10.0 MDS”

· For IBM InfoSphere Master Data Management Standard Edition version 10.1:
o Install “September 2013 Fix Pack for v10.1 MDS”

Workaround(s) & Mitigation(s): None known.

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2

RELATED INFORMATION:
· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT: None

CHANGE HISTORY:
dd-mmm-yyyy Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

PRODUCT METADATA:
· Initiate Master Data Service (product code SSLVY3), versions 9.5.0 and 9.7.0; platforms: Windows (PF033), AIX (PF002), HP-UX (PF010), Solaris (PF027), Linux (PF016); Component: Not Applicable; Business Unit: IBM Software w/o TPS (BU059); Line of Business: Data and AI (LOB10)
· IBM InfoSphere Master Data Management (product code SSWSR9), Standard Edition, versions 10.1 and 10.0; platforms: AIX (PF002), Linux (PF016), Solaris (PF027), Windows (PF033), HP-UX (PF010); Component: Not Applicable; Business Unit: IBM Software w/o TPS (BU059); Line of Business: Data and AI (LOB10)