CVSS2 Base Score: 5 (Medium)
Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Partial
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Three security vulnerabilities exist in the version of OpenSSL shipped with IBM Initiate Master Data Service and IBM InfoSphere Master Data Management Standard Edition. See the individual descriptions for the details.
VULNERABILITY DETAILS:
CVE ID: CVE-2013-0166
DESCRIPTION:
A flaw in the OpenSSL handling of OCSP response verification can be exploited in a denial of service attack.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81904> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE ID: CVE-2013-0169
DESCRIPTION:
A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS could lead to plaintext recovery by exploiting timing differences arising during MAC processing.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE ID: CVE-2012-2686
DESCRIPTION:
A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms can be exploited in a DoS attack.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81903> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED PRODUCTS:
· IBM Initiate Master Data Service versions 9.5 and 9.7
· IBM InfoSphere Master Data Management Standard Edition versions 10.0 and 10.1
REMEDIATION:
Fixes:
Important Limitation:
Resolution of the vulnerabilities in this security bulletin is accomplished by installing and using a later version of OpenSSL. On AIX, and on AIX only, the current version of OpenSSL has known breaking issues in TLS when FIPS mode is enabled. Based on this, FIPS mode is disabled when the version of OpenSSL included in the fixes below is installed for use by brokers on AIX. No change is made to the current configuration of FIPS mode for OpenSSL when installing the fixes below on any other operating system.
An attempt to enable FIPS mode for OpenSSL on AIX after installing the fixes below will result in a FIPS fingerprint error in the broker logs.
· For IBM Initiate Master Data Service version 9.5
o Install “September 2013 Fix Pack for v9.5 MDS”
· For IBM Initiate Master Data Service version 9.7
o Install “September 2013 Fix Pack for v9.7 MDS”
· For IBM InfoSphere Master Data Management Standard Edition version 10.0
o Install “September 2013 Fix Pack for v10.0 MDS”
· For IBM InfoSphere Master Data Management Standard Edition version 10.1
o Install “September 2013 Fix Pack for v10.1 MDS”
Workaround(s) & Mitigation(s): None known.
REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
RELATED INFORMATION:
· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT: None
CHANGE HISTORY:
dd-mmm-yyyy Original version published
*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.