Security Bulletin: Vulnerabilities in GSKit affects IBM Sterling Connect:Direct for UNIX

Summary

A vulnerability has been addressed in the GSKit component of IBM Sterling Connect:Direct for UNIX. Further, OpenSSL vulnerabilities disclosed by the OpenSSL Project affect GSKit. IBM Sterling Connect:Direct for UNIX uses GSKit and therefore is also vulnerable.

Vulnerability Details

CVEID:CVE-2018-1427
**DESCRIPTION:*IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/139072for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2017-3732
**DESCRIPTION:*OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/121313for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2017-3736
**DESCRIPTION:*OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/134397for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Sterling Connect:Direct for Unix 4.2.0

Remediation/Fixes

Workarounds and Mitigations

None