
Security Bulletin: Vulnerability in OpenSSL affects IBM FlashSystem models FS900 and V9000

Published: 2022-11-01 19:58:14
Source: www.ibm.com

CVSS v3 base score: 7.5 High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

CVSS v2 base score: 5 Medium

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

EPSS: 0.013 Low (percentile 85.9%)

Summary

A vulnerability in OpenSSL may cause a denial of service when IBM FlashSystem models FS900 and V9000 are acting as a TLS client when connecting to LDAP servers or key servers.

Vulnerability Details

CVEID: CVE-2022-0778
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a flaw in the BN_mod_sqrt() function when parsing certificates. By using a specially crafted certificate with invalid explicit curve parameters, a remote attacker could exploit this vulnerability to cause an infinite loop, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/221911 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Storage Node machine type and models (MTMs) affected:

  • 9840-AE1 and 9843-AE1
  • 9840-AE2 and 9843-AE2
  • 9840-AE3, 9843-AE3, and 9843-UF3

Supported storage node code versions which are affected:

  • VRMFs prior to 1.5.2.12
  • VRMFs prior to 1.6.1.5

**Note:** For information on IBM FlashSystem V9000 SVC code levels affected and remediated, search for the equivalent security bulletin here: IBM Support

Remediation/Fixes

| MTMs | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| FlashSystem 840 MTMs: 9840-AE1 and 9843-AE1. FlashSystem 900 MTMs: 9840-AE2, 9843-AE2, 9840-AE3, 9843-AE3, and 9843-UF3. Note: AE1 systems are no longer supported. | Code fixes are now available; the minimum VRMF containing the fix depends on the code stream. Fixed code VRMF: 1.6 stream: 1.6.1.5; 1.5 stream: 1.5.2.12 | N/A | FlashSystem 900 fixes are available at IBM's Fix Central website. FlashSystem 840 is no longer supported. |
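The table above gives two per-stream minimum fixed levels, and a storage node is only clear of CVE-2022-0778 if its VRMF is at or above the minimum for its own stream (1.5.2.12 on the 1.5 stream, 1.6.1.5 on the 1.6 stream), while AE1 hardware has no fix at all. The following script is an added example, not code from the IBM bulletin or from the FlashSystem product: it encodes the bulletin's affected MTMs and fixed VRMFs and classifies an inventory of nodes against them. The hostnames and code levels in the sample inventory are constructed, the result labels are this example's own, and an affected MTM on a stream the bulletin does not mention (for example 1.4.x) is reported as unknown rather than assumed fixed.

```python
# Added example: it is not code from the IBM bulletin or from the FlashSystem product.
# It encodes the bulletin's "Affected Products and Versions" and "Remediation/Fixes"
# data so that an inventory of storage nodes can be checked for exposure to CVE-2022-0778.
from typing import Dict, List, Tuple

Vrmf = Tuple[int, int, int, int]

# Minimum VRMF that contains the fix, keyed by code stream (Version, Release),
# taken from the bulletin's Remediation/Fixes table.
FIXED_VRMF_BY_STREAM: Dict[Tuple[int, int], Vrmf] = {
    (1, 5): (1, 5, 2, 12),
    (1, 6): (1, 6, 1, 5),
}

# Storage node MTMs listed under "Affected Products and Versions".
AFFECTED_MTMS = {
    "9840-AE1", "9843-AE1",              # FlashSystem 840 (no longer supported)
    "9840-AE2", "9843-AE2",              # FlashSystem 900
    "9840-AE3", "9843-AE3", "9843-UF3",  # FlashSystem 900
}
# AE1 hardware gets no fix: the bulletin says FlashSystem 840 is no longer supported.
UNSUPPORTED_MTMS = {"9840-AE1", "9843-AE1"}


def parse_vrmf(vrmf: str) -> Vrmf:
    """Parse 'V.R.M.F' into an integer tuple so that 1.5.2.9 sorts below 1.5.2.12
    (a plain string comparison would order those two the wrong way round)."""
    parts = vrmf.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a VRMF (expected V.R.M.F): {vrmf!r}")
    v, r, m, f = (int(p) for p in parts)
    return (v, r, m, f)


def assess(mtm: str, vrmf: str) -> str:
    """Classify one storage node against the bulletin.

    Result labels (this example's own, not IBM terminology):
      'not-listed'       - MTM is not one the bulletin names (no claim either way)
      'no-fix-available' - affected AE1 hardware, out of support, no fixed VRMF exists
      'fixed'            - at or above the fixed VRMF for its code stream
      'vulnerable'       - below the fixed VRMF for its code stream
      'unknown-stream'   - affected MTM on a code stream the bulletin does not list
    """
    if mtm not in AFFECTED_MTMS:
        return "not-listed"
    if mtm in UNSUPPORTED_MTMS:
        return "no-fix-available"
    level = parse_vrmf(vrmf)
    fixed = FIXED_VRMF_BY_STREAM.get(level[:2])
    if fixed is None:
        return "unknown-stream"
    return "fixed" if level >= fixed else "vulnerable"


def assess_inventory(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group node names by assessment result. Each entry is (name, mtm, vrmf)."""
    grouped: Dict[str, List[str]] = {}
    for name, mtm, vrmf in inventory:
        grouped.setdefault(assess(mtm, vrmf), []).append(name)
    return grouped


# Constructed sample inventory: hostnames and code levels are made up for this example.
SAMPLE_INVENTORY = [
    ("fs900-lab-01", "9840-AE2", "1.5.2.9"),
    ("fs900-lab-02", "9843-AE3", "1.5.2.12"),
    ("fs900-lab-03", "9843-UF3", "1.6.1.4"),
    ("fs900-lab-04", "9843-UF3", "1.6.1.5"),
    ("fs840-old-01", "9840-AE1", "1.5.2.12"),
]

if __name__ == "__main__":
    for result, nodes in sorted(assess_inventory(SAMPLE_INVENTORY).items()):
        print(f"{result:17s} {', '.join(nodes)}")
```

Replace `SAMPLE_INVENTORY` with the MTM and code level reported by each node; the integer-tuple comparison in `parse_vrmf` is what makes 1.5.2.12 correctly rank above 1.5.2.9, which a string comparison of VRMFs would get wrong.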

Workarounds and Mitigations

This vulnerability affects IBM FlashSystem models FS900 and V9000 only when they act as a TLS client connecting to LDAP servers or key servers, so it can be mitigated by ensuring that those servers are secure and do not present certificates that would trigger this exploit.
