CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

EPSS: 0.013 Low (Percentile: 85.9%)
A vulnerability in OpenSSL may cause a denial of service when IBM FlashSystem models FS900 and V9000 are acting as a TLS client when connecting to LDAP servers or key servers.
CVEID: CVE-2022-0778
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a flaw in the BN_mod_sqrt() function when parsing certificates. By using a specially crafted certificate with invalid explicit curve parameters, a remote attacker could exploit this vulnerability to cause an infinite loop, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221911 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Storage Node machine type and models (MTMs) affected:
Supported storage node code versions which are affected:
**Note:** For information on IBM FlashSystem V9000 SVC code levels affected and remediated, search for the equivalent security bulletin here: IBM Support
MTMs | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
FlashSystem 840 MTMs: 9840-AE1 and 9843-AE1. FlashSystem 900 MTMs: 9840-AE2, 9843-AE2, 9840-AE3, 9843-AE3, and 9843-UF3. Note: AE1 systems are no longer supported. | Code fixes are now available, the minimum VRMF containing the fix depending on the code stream. Fixed Code VRMF: 1.6 stream: 1.6.1.5; 1.5 stream: 1.5.2.12 | N/A | FlashSystem 900 fixes are available at IBM’s Fix Central website. FlashSystem 840 is no longer supported. |
This vulnerability affects IBM FlashSystem models FS900 and V9000 when they act as a TLS client connecting to LDAP servers or key servers. It can therefore be mitigated by ensuring that those servers are secure and do not have certificates which would trigger this exploit.
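One way to check an LDAP or key server certificate before trusting it, as an added example that is not part of the IBM bulletin: it walks the certificate's DER encoding and reports whether each EC public key uses a named curve or explicit curve parameters, without passing the certificate to an elliptic-curve parser. The check is deliberately conservative and flags every explicit-parameter key, not only malformed ones (RFC 5480 requires named curves in PKIX certificates). The function names and the sample byte strings are constructed for illustration.

```python
# Added example: classify the ECParameters choice of EC public keys in DER data.
EC_PUBKEY = bytes.fromhex("06072a8648ce3d0201")    # OID id-ecPublicKey
KINDS = {0x06: "named", 0x30: "explicit", 0x05: "implicit"}

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > end:
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("element overruns its parent")
    return tag, pos, pos + length

def ec_param_kinds(der, start=0, end=None):
    """List the parameter encoding of every id-ecPublicKey AlgorithmIdentifier."""
    end = len(der) if end is None else end
    kinds, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(der, pos, end)
        if tag == 0x30 and der[vs:ve].startswith(EC_PUBKEY):
            p = vs + len(EC_PUBKEY)                 # element after the OID
            kinds.append(KINDS.get(der[p], "unknown") if p < ve else "absent")
        elif tag & 0x20:                            # constructed: descend
            kinds += ec_param_kinds(der, vs, ve)
        pos = ve
    return kinds

def tlv(tag, body):
    """Build a short-form DER element (used only for the sample data)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed sample structures, not real certificates or usable curves.
P256 = bytes.fromhex("06082a8648ce3d030107")        # OID prime256v1
KEY = tlv(0x03, b"\x00\x04" + b"\x11" * 8)          # placeholder BIT STRING
def fake_cert(params):
    spki = tlv(0x30, tlv(0x30, EC_PUBKEY + params) + KEY)
    return tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + spki))
NAMED = fake_cert(P256)
EXPLICIT = fake_cert(tlv(0x30, tlv(0x02, b"\x01")))  # SEQUENCE { version } stub

if __name__ == "__main__":
    for name, der in (("named", NAMED), ("explicit", EXPLICIT)):
        print(name, ec_param_kinds(der))
```

A PEM certificate can be converted to DER with `ssl.PEM_cert_to_DER_cert()`, which only base64-decodes it. Any result other than `named` is a reason to replace the server certificate before the storage system connects to that server.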
CPE Name | Operator | Version |
---|---|---|
ibm flashsystem v9000 | eq | any |
ibm flashsystem v840 | eq | any |