Lucene search

IBM52CCE9C9DF1CABCE9FBD611F2F7371FCD808107B0670CF19453AF816601CCFDF

HistoryJun 15, 2018 - 7:09 a.m.

Security Bulletin: Open Source OpenSSL Vulnerabilities which is used by IBM PureApplication Systems/Service (CVE-2017-3736 CVE-2017-3738)

2018-06-1507:09:06

www.ibm.com

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

JSON

Summary

There are vulnerabilities in the Open Source OpenSSL that is used by the IBM PureApplication Systems/Service

Vulnerability Details

CVEID: CVE-2017-3738**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136078 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-3736**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM PureApplication System V2.1.0.0
IBM PureApplication System V2.1.0.1
IBM PureApplication System V2.1.0.2
IBM PureApplication System V2.1.0.0
IBM PureApplication System V2.1.1.0
IBM PureApplication System V2.1.2.0
IBM PureApplication System V2.1.2.1
IBM PureApplication System V2.1.2.2
IBM PureApplication System V2.1.2.3
IBM PureApplication System V2.1.2.4
IBM PureApplication System V2.2.0.0
IBM PureApplication System V2.2.1.0
IBM PureApplication System V2.2.2.0
IBM PureApplication System V2.2.2.1
IBM PureApplication System V2.2.2.2
IBM PureApplication System V2.2.3.0
IBM PureApplication System V2.2.3.1
IBM PureApplication System V2.2.3.2
IBM PureApplication System V2.2.4.0

Remediation/Fixes

The solution is to upgrade the IBM PureApplication System to the following fix level:

IBM PureApplication V2.2.0.0, V2.2.1.0, V2.2.2.0, V2.2.2.1, V2.2.2.2, V2.2.3.0, V2.2.3.1, V2.2.3.2, V2.2.4.0

Upgrade to IBM PureApplication V2.2.5.0. Contact IBM for assistance.

IBM PureApplication System V2.1.0.0, V2.1.0.1, V2.1.0.2, V2.1.0.0, V2.1.1.0, V2.1.2.0, V2.1.2.1, V2.1.2.2, V2.1.2.3, V2.1.2.4:

Upgrade to IBM PureApplication System V2.2.5.0. Contact IBM for assistance

** For 2.1 and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

PureApplication Software:
Linux:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.5.0&platform=All&function=fixId&fixids=pureappsw_content_2250&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc

PureApplication System:
AIX
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.5.0&platform=All&function=fixId&fixids=Group_Content_PureApplicationSystem_2.2.5.0_Power&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc

Linux
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.5.0&platform=All&function=fixId&fixids=Group_Content_PureApplicationSystem_2.2.5.0_Intel&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc

Intel
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.5.0&platform=All&function=fixId&fixids=Group_Base_RedHat_PureApplicationSystem_2.2.5.0_Intel&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc

Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159>

Workarounds and Mitigations

None

CPENameOperatorVersion
pureapplication systemeq2.2.4.0
pureapplication systemeq2.2.3.2
pureapplication systemeq2.2.3.1
pureapplication systemeq2.2.3.0
pureapplication systemeq2.2.2.2
pureapplication systemeq2.2.2.1
pureapplication systemeq2.2.2.0
pureapplication systemeq2.2.1.0
pureapplication systemeq2.2.0.0
pureapplication systemeq2.1.2.4

Name	Operator	Version
pureapplication system	eq	2.2.4.0
pureapplication system	eq	2.2.3.2
pureapplication system	eq	2.2.3.1
pureapplication system	eq	2.2.3.0
pureapplication system	eq	2.2.2.2
pureapplication system	eq	2.2.2.1
pureapplication system	eq	2.2.2.0
pureapplication system	eq	2.2.1.0
pureapplication system	eq	2.2.0.0
pureapplication system	eq	2.1.2.4