Security Bulletin: Vulnerability in Python affects IBM OS Images for Red Hat Linux Systems

Summary

Security vulnerabilities are reported when using IBM OS Image for Red Hat Linux Systems RHEL 7.2 (V3.0.6.0).

Vulnerability Details

CVEID: CVE-2016-2183 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM PureApplication System V2.2.3.0
IBM PureApplication System V2.2.3.1
IBM PureApplication System V2.2.3.2
IBM PureApplication System V2.2.4.0
IBM PureApplication System V2.2.5.0
IBM PureApplication System V2.2.5.1
IBM PureApplication System V2.2.5.2

Remediation/Fixes

Python is affected in RHEL7 base OS image for CVE-2016-2183.

For more information, see: <https://access.redhat.com/security/cve/cve-2016-2183&gt;

A new base OS image (V3.0.10) is released with the fix (python-2.7.5-69.el7_5.x86_64).

Redeploy the patterns with new base OS images.

The solution is to upgrade the IBM PureApplication System to the following fix pack release:

- V2.2.5.3

Contact IBM for assistance.

Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159&gt;

Workarounds and Mitigations

None