Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for Microsoft Windows (CVE-2014-3508, CVE-2014-3511)

Summary

There are multiple vulnerabilities in OpenSSL that is used by IBM Sterling Connect:Direct for Microsoft Windows. These issues were disclosed on August 6, 2014 by the OpenSSL Project.

Vulnerability Details

CVE-ID: CVE-2014-3508

DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in OBJ_obj2txt. If applications echo pretty printing output, an attacker could exploit this vulnerability to read information from the stack.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95165&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-3511

DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol versions by the OpenSSL SSL/TLS server code when handling a badly fragmented ClientHello message. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to TLS 1.0.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95162&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Sterling Connect:Direct for Microsoft Windows 4.5.00, 4.5.01 and 4.6.0

Remediation/Fixes

Product

| VRMF|APAR|Remediation/First Fix
—|—|—|—
IBM Sterling Connect:Direct for Microsoft Windows| 4.5.00| IT04643| Apply 4.5.00 patch 054, available on IWM
IBM Sterling Connect:Direct for Microsoft Windows| 4.5.01| IT04643| Apply 4.5.01 patch 020, available on IWM
IBM Sterling Connect:Direct for Microsoft Windows| 4.6.0| IT04643| Apply 4.6.0.5, available on Fix Central

Workarounds and Mitigations

None known