Security Bulletin: December 2015 OpenSSL Vulnerabilities in Multiple N series Products

Summary

Multiple N series products incorporate the OpenSSL software libraries to provide cryptographic capabilities. OpenSSL versions below 1.0.2e, 1.0.1q, 1.0.0t, and 0.9.8zh are susceptible to vulnerabilities that could lead to a denial of service attack or information disclosure. Multiple N series Products have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-3193**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the x86_64 Montgomery squaring procedure. An attacker with online access to an unpatched system could exploit this vulnerability to obtain private key information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108502 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-3194**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when verifying certificates via a malformed routine. An attacker could exploit this vulnerability using signature verification routines with an absent PSS parameter to cause any certificate verification operation to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108503 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-3195**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a memory leak in a malformed X509_ATTRIBUTE structure. An attacker could exploit this vulnerability to obtain CMS data and other sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108504 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-3196**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a race condition when PSK identity hints are received by a multi-threaded client and the SSL_CTX structure is updated with the incorrect value. An attacker could exploit this vulnerability to possibly corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108505 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-1794**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an error when a client receives a ServerKeyExchange for an anonymous DH ciphersuite with the value of p set to 0. An attacker could exploit this vulnerability to trigger a segfault and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108539 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

SnapDrive for Unix: 5.2, 5.2.2, 5.3;

SnapDrive for Windows: 7.1.1, 7.1.2, 7.1.3;

Remediation/Fixes

For_ _SnapDrive for Unix: the fix exists from microcode version 5.3.1;

For_ _SnapDrive for Windows: the fix exists from microcode version 7.1.4;

Please contact IBM support or go to this link to download a supported release.

Workarounds and Mitigations

For customers who are using SnapDrive for Unix: 5.2, 5.2.2, an upgrade to version 5.3.1 is required to resolve this issue.