History: Dec 15, 2021 - 6:04 p.m.

Security Bulletin: January 2015 OpenSSL security vulnerabilities in Multiple IBM N Series Products

2021-12-15 18:04:22
www.ibm.com

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.969 High
Percentile: 99.5%

Summary

OpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. These include the "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. OpenSSL is used by multiple IBM N Series products. The IBM N Series products listed below have addressed the applicable CVEs.

Vulnerability Details

OpenSSL is used in IBM N series Products for providing communication security by encrypting data being transmitted.

CVEID: CVE-2014-3569

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99706 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3570

DESCRIPTION: An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.

CVSS Base Score: 2.6

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99710 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-3571

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99703 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3572

DESCRIPTION: OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.

CVSS Base Score: 1.2

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99705 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-8275

DESCRIPTION: OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.

CVSS Base Score: 1.2

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99709 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0205

DESCRIPTION: OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.

CVSS Base Score: 2.1

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99708 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-0206

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99704 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0204

DESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99707 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
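Added example (not part of the IBM bulletin): a check that each CVSS Base Score stated above follows from its CVSS Vector, using the base equations and metric weights of the CVSS v2 specification. The names WEIGHTS, BULLETIN, parse_vector, base_score and mismatches are chosen for this example; the vectors and scores are copied from the entries above.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def parse_vector(vector):
    """Map '(AV:N/AC:L/...)' to metric weights; reject unknown, repeated or missing metrics."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, sep, value = part.partition(":")
        if not sep or name in metrics or value not in WEIGHTS.get(name, {}):
            raise ValueError(f"bad CVSS v2 metric: {part!r}")
        metrics[name] = WEIGHTS[name][value]
    if set(metrics) != set(WEIGHTS):
        raise ValueError("vector must contain exactly AV, AC, Au, C, I, A")
    return metrics

def base_score(vector):
    """CVSS v2 base score, rounded to one decimal place as the specification requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

# Vector and stated base score for each CVE, as printed in this bulletin.
BULLETIN = {
    "CVE-2014-3569": ("(AV:N/AC:L/Au:N/C:N/I:N/A:P)", 5.0),
    "CVE-2014-3570": ("(AV:N/AC:H/Au:N/C:N/I:P/A:N)", 2.6),
    "CVE-2014-3571": ("(AV:N/AC:L/Au:N/C:N/I:N/A:P)", 5.0),
    "CVE-2014-3572": ("(AV:L/AC:H/Au:N/C:N/I:P/A:N)", 1.2),
    "CVE-2014-8275": ("(AV:L/AC:H/Au:N/C:N/I:P/A:N)", 1.2),
    "CVE-2015-0205": ("(AV:N/AC:H/Au:S/C:N/I:P/A:N)", 2.1),
    "CVE-2015-0206": ("(AV:N/AC:L/Au:N/C:N/I:N/A:P)", 5.0),
    "CVE-2015-0204": ("(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
}

def mismatches():
    """CVE IDs whose stated base score differs from the score computed from the vector."""
    return [cve for cve, (vec, stated) in BULLETIN.items() if base_score(vec) != stated]
```

An empty list from mismatches() means every stated base score is consistent with its vector; the same check can be run over other CVSS v2 bulletins before their scores are imported into a tracking system.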

Affected Products and Versions

Clustered Data ONTAP: 8.2.1, 8.2.2, 8.2.3, 8.2.4;
Clustered Data ONTAP Antivirus Connector: 1.0, 1.0.1, 1.0.2;
Data ONTAP operating in 7-Mode: 7.3.7, 8.1.4, 8.2.1, 8.2.2, 8.2.3;
Data ONTAP SMI-S Agent: 5.1.2, 5.2;
NS OnCommand Core Package: 5.1.2, 5.2.1, 5.2;
Open Systems SnapVault: 3.0.1;
SnapDrive for Unix: 5.2.2;
SnapDrive for Windows: 7.1.1;

Remediation/Fixes

For Data ONTAP SMI-S Agent: the fix exists from microcode version 5.2.1;
For Data ONTAP operating in 7-Mode: the fix exists from microcode version 8.2.4;
For NS OnCommand Core Package: the fix exists from microcode version 5.2.1P1;
For Open Systems SnapVault: the fix exists from microcode version 3.0.1P7;
For SnapDrive for Unix: the fix exists from microcode version 5.3;
For SnapDrive for Windows: the fix exists from microcode version 7.1.2;

Please contact IBM support or go to this link to download a supported release. For customers on Data ONTAP operating in 7-Mode 7.3.7, 8.1.4, please contact IBM support to upgrade your product version to a fixed release. For customers who are using Clustered Data ONTAP or Clustered Data ONTAP Antivirus Connector, please contact IBM support.

Workarounds and Mitigations

None.
