Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus

Summary

The DataDirect ODBC Drivers used by WebSphere Message Broker and IBM Integration Bus have addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2017-3731**
DESCRIPTION: *OpenSSL is vulnerable to a denial of service, caused by an out-of-bounds read when using a specific cipher. By sending specially crafted truncated packets, a remote attacker could exploit this vulnerability using CHACHA20/POLY1305 to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121312 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
**
CVEID: CVE-2017-3732
DESCRIPTION: *OpenSSL could allow a remote attacker to obtain sensitive information, caused by a propagation error in the BN_mod_exp() function. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
**
CVEID: CVE-2016-7055
DESCRIPTION: *OpenSSL is vulnerable to a denial of service, caused by an error in a Broadwell-specific Montgomery multiplication procedure. By sending specially crafted data, a remote attacker could exploit this vulnerability to trigger errors in public-key operations in configurations where multiple remote clients select an affected EC algorithm and cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118748 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Integration Bus V10.0.0.0- 10.0.0.8

IBM Integration Bus V9.0.0.0- 9.0.0.7

WebSphere Message Broker V8.0.0.0 - 8.0.0.8

Remediation/Fixes

For users of ODBC SSL using the DataDirect drivers:

<http://www-01.ibm.com/support/docview.wss?uid=swg24043686&gt;

IBM Integration Bus| V9.0.0.0- 9.0.0.7| IT19662 IT19741 | The APAR is available in fix pack 9.0.0.8

<http://www-01.ibm.com/support/docview.wss?uid=swg24043751&gt;

WebSphere Message Broker| V8.0.0.0 - 8.0.0.8| IT19662 IT19741| The APAR is available in fix pack 8.0.0.9

https://www.ibm.com/support/docview.wss?uid=swg24043806

For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at :
http://www.ibm.com/support/docview.wss?uid=swg27006308

Workarounds and Mitigations

None