## Summary
This bulletin addresses several security vulnerabilities that are fixed in IBM Cognos Analytics 11.0.13.0.
Multiple Open Source OpenSSL vulnerabilities affect IBM Cognos Analytics.
IBM Cognos Analytics consumes IBM GSKit. Multiple vulnerabilities have been addressed in IBM GSKit.
IBM Cognos Business Intelligence uses the IBM WAS Liberty Profile (WLP). There is a potential denial of service in Apache CXF, which is used by WebSphere Application Server. IBM Cognos Analytics has upgraded WLP to a version that addresses the vulnerability.
Deserialization flaws were discovered in the jackson-databind library which is used by IBM Cognos Analytics.
The IBM Cognos Analytics Configuration tool, under certain circumstances, will bypass OIDC namespace signature verification on its id_token.
## Vulnerability Details
**CVEID:** [CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>)
**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>)
**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
**CVEID:** [CVE-2017-3737](<https://vulners.com/cve/CVE-2017-3737>)
**DESCRIPTION:** An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and high availability impact.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136077> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>)
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>)
**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
**CVEID:** [CVE-2018-0739](<https://vulners.com/cve/CVE-2018-0739>)
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service. By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could exploit this vulnerability to consume excessive stack memory.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140847> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>)
**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high-priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
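The following added example is not IBM's or GSKit's code and does not reproduce the CMS KDB format; it is a stand-alone illustration of why an unsalted password hash gives "weaker than expected protection" and why the note above tells customers to re-enter passwords after the update (a stored value only gains a salt when it is re-hashed). PBKDF2-HMAC-SHA256 is used here as the salted scheme, and the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not real accounts): two users chose the same password.
USERS = {"alice": "Tr0ub4dor&3", "bob": "Tr0ub4dor&3", "carol": "correct horse battery"}


def unsalted_hash(password: str) -> str:
    """Weak scheme: a bare digest of the password with no per-entry salt.
    Equal passwords always give equal digests, so one precomputed table
    (or one cracked entry) covers every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Stronger scheme: PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt.
    The salt is stored next to the digest in a '$'-separated record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def distinct_digests(users: dict, hasher) -> int:
    """Number of distinct stored values a password store holds for these users.
    With an unsalted hash it is at most the number of distinct passwords;
    with a salted hash it equals the number of users. Duplicate digests in a
    password store are therefore a quick sign that the store is unsalted."""
    return len({hasher(pw) for pw in users.values()})


if __name__ == "__main__":
    print("unsalted distinct:", distinct_digests(USERS, unsalted_hash))  # 2 of 3 users
    print("salted distinct:  ", distinct_digests(USERS, salted_hash))    # 3 of 3 users
    record = salted_hash(USERS["alice"])
    print("verify alice:", verify_salted("Tr0ub4dor&3", record))
    print("verify wrong:", verify_salted("hunter2", record))
```

The iteration count is kept low so the example runs quickly; a production store would use a tuned work factor or a memory-hard function, but the salt is what makes each stored entry independent of every other.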
**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>)
**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>)
**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>)
**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
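The added example below is not GSKit or ICC code; it reproduces the failure class described for CVE-2018-1426 in plain Python so that the effect is visible. A process with a userspace PRNG forks; the child inherits a copy of the PRNG state and, unless something re-seeds it, emits exactly the same stream as the parent. The block assumes a POSIX system with os.fork, and relies on the fact that CPython (3.7 and later) registers a fork hook that re-seeds the random module's default instance but not a separately constructed random.Random() object, which models a library-private PRNG instance.

```python
import os
import random
import secrets


def child_draws(draw, n: int = 4, after_fork=None):
    """Fork the process; the child (after running after_fork, if given) takes n
    draws from `draw` and sends them back over a pipe, then the parent takes n
    draws from its own copy of the same state. Returns (parent_values, child_values)."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: starts with a byte-for-byte copy of the parent's memory, PRNG state included
        os.close(read_fd)
        if after_fork is not None:
            after_fork()
        with os.fdopen(write_fd, "w") as out:
            out.write(",".join(str(draw()) for _ in range(n)))
        os._exit(0)
    os.close(write_fd)
    with os.fdopen(read_fd) as inp:
        child_values = [int(v) for v in inp.read().split(",")]
    os.waitpid(pid, 0)
    parent_values = [draw() for _ in range(n)]
    return parent_values, child_values


def demo() -> dict:
    """Three scenarios; True means parent and child produced the same stream."""
    # 1. A library-private PRNG instance copied across fork with no re-seed:
    #    both processes emit identical values (the situation the bulletin
    #    describes, which would give duplicate session IDs or key material).
    shared = random.Random()
    p1, c1 = child_draws(lambda: shared.getrandbits(32))
    # 2. Same kind of instance, but the child re-seeds from the OS before use.
    reseeded = random.Random()
    p2, c2 = child_draws(lambda: reseeded.getrandbits(32), after_fork=reseeded.seed)
    # 3. Draw from the kernel CSPRNG on every call; there is no process-local
    #    state for fork to duplicate.
    p3, c3 = child_draws(lambda: secrets.randbits(32))
    return {"copied_state": p1 == c1, "reseeded_in_child": p2 == c2, "kernel_csprng": p3 == c3}


if __name__ == "__main__":
    for scenario, duplicated in demo().items():
        print(f"{scenario}: {'DUPLICATE stream' if duplicated else 'distinct streams'}")
```

The second scenario is the fix pattern for code that must keep its own PRNG: register a post-fork hook (os.register_at_fork in Python, pthread_atfork in C) that re-seeds in the child. The third avoids the problem entirely for security-sensitive values such as session identifiers.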
**CVEID:** [CVE-2017-12624](<https://vulners.com/cve/CVE-2017-12624>)
**DESCRIPTION:** Apache CXF is vulnerable to a denial of service. By using a specially crafted message attachment header, a remote attacker could exploit this vulnerability to cause the JAX-WS and JAX-RS services to stop responding.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/135095> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
**CVEID:** [CVE-2017-15095](<https://vulners.com/cve/CVE-2017-15095>)
**DESCRIPTION:** Jackson Library could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue() method of the ObjectMapper. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/135123> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
**CVEID:** [CVE-2017-7525](<https://vulners.com/cve/CVE-2017-7525>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw within the Jackson JSON library in the readValue method of the ObjectMapper. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134639> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
**CVEID:** [CVE-2018-1842](<https://vulners.com/cve/CVE-2018-1842>)
**DESCRIPTION:** IBM Cognos Analytics Configuration tool, under certain circumstances, will bypass OIDC namespace signature verification on its id_token.
CVSS Base Score: 3.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150902> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
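The bulletin does not say under which circumstances the Configuration tool skipped id_token signature verification, and the added example below is not IBM's code. It shows the defensive shape an OIDC token check should have: the claims are only ever returned after the signature has been verified, the verifier (not the token header) decides which algorithm is acceptable, and iss, aud and exp are checked before the token is trusted. HS256 with the client_secret is assumed so the block needs only the standard library; verifying an RS256 token against the provider's JWKS follows the same structure with a different signature primitive. The secret, issuer and client_id are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only (not real credentials or endpoints).
CLIENT_SECRET = b"example-client-secret-not-real"    # HS256 key shared with the provider
EXPECTED_ISSUER = "https://idp.example.test"          # placeholder provider issuer
EXPECTED_AUDIENCE = "example-client-id"               # placeholder client_id
ACCEPTED_ALG = "HS256"


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS as test input. alg='none' yields an unsigned token,
    the kind of input a verifier must refuse."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode("ascii"))
    payload = _b64url_encode(json.dumps(claims).encode("utf-8"))
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, now: float = None) -> dict:
    """Return the claims only after the signature and the standard OIDC checks
    (iss, aud, exp) pass. Every failure raises ValueError; there is no code
    path that returns claims without a verified signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The verifier pins the algorithm: 'none' and algorithm switching are
    # rejected here, before any key material is used.
    if header.get("alg") != ACCEPTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def check(token: str, key: bytes, now: float) -> str:
    """'accepted' or 'rejected: <reason>'; convenient for logging and tests."""
    try:
        verify_id_token(token, key, now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice", "exp": now + 300}
    cases = {
        "signed by provider": make_id_token(claims, CLIENT_SECRET),
        "unsigned (alg none)": make_id_token(claims, CLIENT_SECRET, alg="none"),
        "signed with wrong key": make_id_token(claims, b"not-the-client-secret"),
        "expired": make_id_token({**claims, "exp": now - 1}, CLIENT_SECRET),
    }
    for label, tok in cases.items():
        print(f"{label}: {check(tok, CLIENT_SECRET, now)}")
```

A rejection reason in the log line is deliberate: a verifier that silently accepts, or one whose "skip verification" branch is reachable from configuration, is exactly what a reviewer should be looking for when auditing token handling.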
## Affected Products and Versions
IBM Cognos Analytics Versions 11.0.0.0 to 11.0.12.0
## Remediation/Fixes
The recommended solution is to apply IBM Cognos Analytics 11.0.13.0 as soon as practical.
[Downloading IBM Cognos Analytics 11.0.13.0](<https://www-01.ibm.com/support/docview.wss?uid=ibm10718809>)
## Workarounds and Mitigations
None
Source: IBM Security Bulletin, <https://www.ibm.com/support/pages/node/738249>, published 2018-11-05.
"6CDA9CBBD4E668C70A53BD4F7D7CDE00CF73C49E1D8C5300C858682BFBB02BCB", "6D1266D7512253D04698EC2DEB85B8BF906B1F2E64F7EABD217D462B19E8EBEC", "6DB274E6F7EB4D6F538135EC07CF4443980A5C2FC8C1652E16833E39D5F430D2", "70D8566E5246B3550B562DC69BD9E44914B7C5D0DCD3C21264DA9CD5683C56E6", "722BCCDF36201CB07B5671659BDC24F79862CABED605E7A2C997FDC08A6180BB", "723138763EC8FDB605AE81558EC2B606174F792237A8462C7A4A4D40B82A3A29", "72EF226C4D54E3C5DF61DAC3CC307821E7DA0DFA159C969EAB0769B064E77E9D", "73288A84B49A641505C576DEDC995F44E69001C227078E86112664767072BDA2", "7334315670DD2CB11A3544BF6ADDF33C038F5FDC7174D76FDA618631B3F74B69", "73613052C113EE53CC4E1916471E2FCF495F0A7CAD286D9F9DD528B4EA3EB491", "73A4E74D4C42B6050D535B368ACF1258DE6B4062962BECFDF4315D89AF7480F7", "73AC0A21A1C1C6C3987AD6559B838B31C02E7FC2112C00D32E18ABA3B130AC8F", "74157F70C55D5699B45F201DD61EDF5C806443EF31D766424E8A6EA6B97CD461", "750AF6432F6476D75E53148C1320B292C1009046C8733595D70EB7AB5F389E6D", "7545FC6960BC08536BD63AD777890D26CE8FBACF18C55DCC74C636085DAC612B", "757B616252D9C5ECF905DFAC8032FBD7AB4A8DAEFD48C0BADFE2734A2E87D1AE", "76415522829E96D2199B1D5D63817545B42CAE7C008B9902D48D11CAEE020C66", "78B5CDD949B0594AC0F181656CB6536E0B075D4B064576C915C9BFAF10028314", "796F2C51B8319B8F5B27C4E255E73CC0426625F1153FF80E70B99CD9664E6699", "79C9308A38227EABEE316B0407CBC46021561F829AEBF9659F93085D4FC63547", "7A811732B34C1BAA3F2209EA69EE01FCACF762E53C22EAE8A8FB7A45B4E7164D", "7AEFC9814578EA5DC2EFFAE9F289D2307A840D9868EE8B6CED3F1E668F7010FC", "7B815188E16C52B322DD4246EBAB0FC7BA3EDE14D3D566E6B024A1EA3CA43349", "7B8C76B8D2D645866DC08E9ED4A4377644A8E1F718784F805D3357BDB03B1F92", "7BB3B13ED998CBA6BA07BEEC944B8CFF6DAC92CCEF1D7F6E64E9E8CF3D77AA15", "7BD03C97D3450FEAE4EB4F8F33140691B9F85B4915C83AFD5212FE881A12ADDA", "7C371350C79C6F7596054D8B19A4BAAD069A8ADE699FB847B44E70E03F3D6988", "7C630DEEF9C025461097DE30AF143B45E948D8E848AEF027D365F38629529B0E", "7CD76102AB6BC7575AE0FC31DF4EFC5F5C1D5540091DFEFF03725F29385E3537", 
"7CF53FE09C7D25161BFAD59060E2F4269BC90C0B892337805721A0FE0A9BDA22", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E4E851053AF5C2BFADF66AC8494971BF986538EB9E1BEE4C5D8B83D2DB1BBB0", "7EDF6D557043C701E1232AF1A99A36E05034D53B929336869F5B94154E2854B1", "7F33F41CEA8DCE7CCCF615D587E59AA0744E45F2001ABCD457C81A360E9A4806", "7F44D090B7C137A705C12DD507CD53C8CAE52790B3F08204F5CA5335559C5F8E", "7FE72ED4C858FD4F010CC95764D03AAC86CD4C73FE6C4B388FE981C9E76DD0F6", "80552BF7C2306BAADE213DD9BB061300AB37A69D1C5F3B5D7A4398299B8AE6FF", "820B1DD869225ABFDEEE5645C1D3A0F396BA3FC9E77C88E3D91F1C4FC0D9B8E3", "8215E02FB88590F4B93468E9B3C6A2785DF30F06545A788005F8AA267BB66470", "8325E2E8632F22E10CD653162D8EFC2BD56BD809EC2298B08EF585D287E1CFA8", "839F371B87C6C1B7E2DCD5C3A8BD19F178D93671B15DBD8A4ECC452EA553DF43", "83B53506562CBF4BC038C2AD61252657D2E636B6245E599AFEFEB3EB3FCFBF2B", "8451DCEAC7362310C8EAA923574AFEAD09CA58D139A870AE0ED1E3D11764573B", "853CEBE4F06FD3A5C0463E8330A070AE32FCC86552F66DF27BFA39F37FB08C35", "85C244F40F078C64D61F63F2C6CB1A6851B539CC7B4530BE8884CFAD733EEA2C", "86FDA29703FF35A4305664C83850C30892B9B61C669F608409B4DD6B42852AE2", "872675AF82ACDAC1F7258F099A712A59592C093E05C6D677D20EDEF5FDEFCC7A", "8759A08F8DCE05EB5B0136A785BCAFCDBFE613A7D435C0FA20FDB4424A7CAC70", "87B26C2B63AF8A971A79B4CB2207EC51AF74A57FD839002466AFD594F7918F65", "880C8CCFEF3637D915CD2A945EAB6F29F1CFADA9041654A93101F51058EC852E", "88D4396F5AFD082566BDD5FF95312101BB6F94623E716D993F113380B02DC7D4", "8A242C548ADF3E615FE6BA32C7E6F5B2DB8B1FA250ABF2329DC20A0FB32D3700", "8A273EC5B4E0D267BF1325C598530568659C444C274158543E88B980E7356184", "8A3C4FBF20635DD01A5B58269ABD76FF6451A13FCBB437C76C92D2484A5C9ECA", "8A4B8F016E20BE062D275D1D7DA531E398846FA5F653F9077E943F8758AD58E1", "8C13A93038AC136772B2598C633467116BF44538BBB507D836B65485D5AA47D7", "8E0AAF010EBF37D1F163FC08D65BD399EDDBF518CA20FD163ECA87BBC1970535", "8EB2C9E7DB5013AD05B30490E2989C17EE64FBE9B0024B1E76805B1F1B95B816", 
"8ECA6222D3C238F29A31FEE8DEAFD26C737F2975DCA8D95684CFF7F79AA0F358", "9214CE38F1DD3B6CCA3C0A0D3903A565EF865C916F6409B27D0CB5862470E985", "9219C124B39E6D8D77D8BF65C94BCC257D2F8565063C09CF1BBCC841B2DED0FC", "93E6CE7CDF725BED97B1AAC0994B1F9EFD356E5E2E4CC74453BD85130A91F506", "942E8FACD0350ED3215EB9DD3629B360E18E87D3ABD165831163EDE9AAB16C21", "94B3EC63956148268E5D16E07FE76E71DA01EB7625BA7498384CCAD5794DE007", "96172B0289A3157617DE620C9610D6DE694BCA12DD20D67BEB2C4BE5720F1E6F", "9689CC781FFB77A68D0808F73F4652707DF84089948BC46748A94D94E9B86E90", "96E4D95F15652DD6FBDFAE305505663BA2700F82CB47BFE477129F5E3D0B258D", "972701C7DC1452FBCF01B7BFE4A7289076C9DC38C28E80665321248205EAAF12", "9765CC2CD4E8CF43C86EE7859F7012EB2A38E6A4A80E55865CD6E4E883D3188A", "9872D764206750F6FD9C7F555D6B4C23926B755B4AE368CDD8485546CDEBC462", "989BF293C7092FFD11AA33DF268D74DDF2FE740CEF8C6C7B0A84E8A14F4D2E5F", "98C2299E82C81E1CC3EFB8629E8262393014376C64F3F09018090397A1EA00AE", "9B29E95933D7FC3EBCF270BA84DE60106B20376EEAFD5D4DF4DCD949178CB0AB", "9C1D1FE90E2F187821C270EFC3B5F3A57AF88428D8DB76F072CD050048739C9F", "9C6F1EFD064B98941F8B42A32A91BAB15206AC55CF09BF3BAAA5925A1B9B55C9", "9CCEB90B89301ED91DF7A501EF3103FD54D3AD611D342CF6E4B19E5105E84E35", "9D892AD714895E9B8DA3E59547784D03B32EADD3AC421AB0003E3191C1AE27AD", "A04FE2EEFC21C3A9305B1CF7463C731D28C17EB5521A8E54F5F564939C5E91E2", "A117FD05762925D936B7D3C2CDFC14E84E601A00B488EED04331F22B9C452C5F", "A2BAC82E395F9C0C2BED37EEE45890A06C1C799AB1B521E972E4D70A5F31ECA7", "A3EF30F3955AAED701BF16ABF8B0431F9C71951ABDCCC4904BB0F9587583D895", "A4167E89DAF98623836F64826EDC7413C8B06B29A2E76A886419750438EAEA04", "A4829964562D4DA75AC835389538AF91BE820F503BFE614BB74E402BC80BACA1", "A5496C63C833B5DE95C43A9053218E885F73B6103DBA053987F78B3AC96491F1", "A71AFA4E20A54B2503C4A5DE40ED960DD9AFC34A35D94A0AF40474FE8CB4047A", "A78040AE5CC586449162ADC8068F3B4D767037DFE1D376F0562F9B1D726E247B", "A7B2D28F1E3492E411A234E996E861936D426FE8647F79D09D85E4989FFB0C19", 
"A940972EE8C6FDFEAA789156E684C0D5729686CEDFD51FCF6C875BE8FF25FBF6", "A965468AD7FD6E0FC84AAD8198928B8ABF25FC38D0638161A79D59279C9E678D", "AB6317658BB61B88CBF0BD8E3C85FF773A1AC7618F42E1194BD4B2750BB8BCFE", "AB7C7549C766E512A04307E28B24810554C55468A51111EA59F757952A32143E", "AB9BF82645A26195B7E3A2A88C35E5D4BA1E45784589233A145CB109453CED5E", "ABF8825C48969D423E885B7CCB57BDB86E27F87DD082837A7884ABA77320FDB1", "ACB1BEB9F23F8E2951B24CB2F49DBE6E43DA9F3C9311028237E3DCFF917143EE", "ACF676405BBB5AE27485D9F48AD72AC6E8FE2D60EE0D4B0D45374459BCE07DA3", "AD4ECEAE4A1A859F7973542989D756EF157892493578480BA674AEFB27995763", "AFFD92BCC12500CEBD2822FB64DCF1EF589EA350A991DE5C09421D24BFAFD713", "B05329785ED4441E67419C72F4E8D5EFB095312F0129B7DAC17DB1F2F0780EEC", "B244A2BC0A7BD8241EA857E58CB786A72E25AF80B5B87BE5B86DB2539034F07D", "B34195110077034574536A55FA352B5BF90728605D4A2BB88F8E3C60A9F0BAC4", "B36A668C28C4D760F6B565A18CA1708BA647B0486720FF7FEE833AC59F8D4800", "B5FF3A0A4BEBE5C4947ADA43EB1B39C0645EF9ABEBE4A315AFFAEB9638C6CB41", "B61307CAECBB5590BF8837472BAB9C85B9153B31B334257C484DD1ADD641B9ED", "B776730BEF8B1AFBA479AE066C7AA9E78D065164B1F25B7C0DA6D8B9B59FC44F", "B7FF1129A02D2738AED73A8C157F3D6D872B530527C875906B3678301D70ECBB", "B8E199CFC7A9C8DCF033928312B9AE0E344AB91916C93723350723B89FCB619A", "B9AF888A07E3EBAF9C8015FD69209D1220F715162C5A28325CECFF5EDD360FBE", "BA224C929D509ADDCB0F46007C0E0FACD292F79987D47E9F02DEFD7F67D0990C", "BAB69DBF00D3A38F561B0408FE26F2F58B2AAC9F542B48F9C76DA2B3D45EF7E4", "BC2283C42C5754BA56D4B137D9299A766BC1E54917CDB4BD5C57BE600AAD1E60", "BC7F561FAB80D5D0A48021AB45201595C02030C9CECEBEB548DFB50B6376384A", "BD707B9A2C920399BE57A503E0CC1633CB723C90A936D7A2E92891D912259987", "BFFC97D9B867396253756A09ED28B13F581A2B14A0637B4684951D9BD6071488", "C0501217B805DB60B66BE6BAE92316B764C51679EEA5027CB07C6E657F8181A2", "C0FDB3F4B7A171D3937E45DFD9D337DEA2512F2ECDE945CC40691DDEB5689DA3", "C138C333E90DCA6AA63BD629BDB1BDDA88BA738775F97FDCB002A66BEFF89FDD", 
"C18E4772030D674D152D69B21575B31602E8081D2A7D63F34DF5712FA898D8EA", "C1DE62607E696F3135AA44A9ED964385998509307175EDF6F47BDAEC9E4F6C06", "C2E8B6DDE464206AEDDA1C71AA033CD48E5CBB40D6C71D0239B45AA056C35190", "C31436DA6C1FDD78E2ECB68688AFD20C432119CDF718A53729D0F429AE0174AA", "C33C75D536D0395D907267D197964636B4CA8C5DFB52755A5682CF70BF8C7FB6", "C362DA3FCC19527A119FED83D0B6DA4D945A28BE02C6CEB71702ED777D4D16EF", "C48B8A24BEA3D79BEA32D69CB925440D9078E9C37A37DBDEB8805808860199D3", "C493462547813E2D896F759039078514A13F0934C26044CBC7F658187CF3E4C0", "C6BBE3C7D8F1A4114CC3A6D26A802803EE96825BC127B999958A9E91356B1633", "C7752951E8085C186BF5D89E852FCD41F36C211BD9364B8CA87F6E4FF8AFF924", "C7AE65EB0D706F20B5B2D3D4E72252697ECA6AA7917A58A2DD40B4293B199DC0", "C88FD4D469A35327F18A441E0F6F16137E5E2FA23925AE0EC11E2F76B3D0967E", "C8B10EBB1C04E885A0F46598D7359140F659737A3C1249FEE363B6A29D7355AA", "C976F3FB2440651533AB7414A4F76FC3C66CAF49895BE704575E993E6B5F6D48", "C9F19ED2C7A03593AC283C0067CD2FD24938ADA7B16D8ADE6C80795C2BDA0405", "CA8D24C78D501345DB856FF9B53F4B1D8B088BAC6269D5682DAE4D83FBA4E3DC", "CBAD9A5D72D7476363185541BD693344F4EEB28C6708F8A48B2849B3FD618351", "CC0FCA510A1D843BA5CC109DEE83E0560BE5D1E3A84C207ECB65CB64AF35BCE7", "CC5089F9744A6B5AF776C8A1234A9BCA32E0798D396B5C631C8D215B02EA08AB", "CC714D6CB93526CA67C3B1AF953783F7648CF4A4936616886992C0290C5D5B18", "CD1271F65919F0A27ABAC5D2FB90AF847030089BEFBA36FA40622E14F85284D4", "CD8271F1E3A620207AA3EAC35F944E1453EFEBC4728A88B9C3D9D0DA7F511F56", "CDE6875133587A5E5E6ED5F01AB9C60FC14D6A03BA892EF38B70353468007DF8", "CEB12B4664C1D9045CE6A2D526284519816A08ABA9E1E6F54060B27C0BB3429D", "CEF20F8B2F76F34D20A1332E089A276B62CD83365A66024B5AB7A6CB1887883E", "CF8080897BA997E374072C563D7B6C6088F56DDA07F407BD98DF25411FE5E09C", "CF99691D618EB1EA9A8A075EF91665712165EA871FA9FCC7A423963F869D124A", "CFEEDA0D2CF8ADE789646A78DF47959CF6BEA6E2E1DA7FD18249EFB7A1BF3CDB", "D0934964E9B56702CBED525517F4EA576FF2F33A8BA6C800C34ECA9B7FE90236", 
"D0B716391F80030BF988E290540B0ACE770BD27D3F36F2C823E1D371D32CEC50", "D25F96BF8FFC89967E930C42C71D7208B95B880B834BD2A42F60151967CC51D1", "D272B1ACFC08FB00F71DAECEAF120EF8F47B4AA0F575849F81F09FF6E35CBFB5", "D2B2FB96AF0019F5D16504AF39E442889BB4C2D53F4CBF95B8FEF864EC1390C8", "D5006110BB901C8B28332845E7232D26FD36B1609362E9BF8C8B8705EFBF33D5", "D5AA5A836C6CC887766560D5C0DEA7A00ECE08E7210420C4B9BBFF45EA1FF9F6", "D70C0CFD2132EBB5AAF3CF53E301E73B5E5845FB7B0FC143B5DBE6CBAF3A884B", "D711E8839F9CEAF79F79AAE8CD01BDCDBF7DCD4C0649106ABCD18E8CADF832B2", "D9149FF2A022C428AB36BCF4F88460112AF3AF085E6C6FD75CD50D2B242C721F", "D94A48AE9F580A6366D29978F998319ED852FD8F689952FC78B6758E2D5F53F1", "DA52C8AAC8E49FE83875D8FD83693222E58D6D178EBC1C00B564B8EB59727C9C", "DAB6CB181424781D3CAEADDD031227EAB5B67EECC36B24ACF558ADBC524F2D57", "DABD6B8B6CBB73960C386B67EE3DE8B0C30A20314AB64DAA185068214240C464", "DAD5A8456E75C3E0D61A94AD852443D8D2F457AD466BC30FEDC9E8F6256B0E5E", "DB5D4D065C0F261805DE8CAED872298523533EEBF7999AB216A1D9F951C28DC5", "DB77FA682E1C424D5DC75EF1D7E867B818764A3DCA318FD78F7BB076B3F08B21", "DBEBF5B229C8DE6CB3D8A210AACEF003D3ABB0F69D7078FE103C643B2D8909C5", "DC3F9DC6E60E7791FEC4335A8C7FB9E85C847042EB357C7AEFE055E589B8FF69", "DC6CFA97AFC11ECA8AC903B07B25377D9849F6E270CE2A8494F78E7B651A0389", "DD7E796DC101D56D3818D53295F88146B9FC7EE7058C596477B1B5AFCE363B74", "DDAC6B14B8934B2E6C225A197BD36CA0AC38FD8684F572F5702537FFE8240DAB", "DDBD4BDAEE1412B8C8199BA8BCDE15F2A42D1C2982D2BFF3B062BFCD642CDD23", "DE6FC785FAEA5CDC22FA3DD95C1113BD7CE8E4668A2B0686DFF968822706AA72", "DEAFA2DB54593AA80919E191E6F6089E8FC07DD6414224DF7420DF6F55DF4BC8", "DFBA0A507CBA73A53666A3E5C741F70C7CFC57D7ECE64BB957B938A6262C5882", "E0CAD87D2D58A2FEE5B2191470CEB1BAD189DB6A091A60BC28E6B8904753BA45", "E173DCA0E65F1BC893DFC386A3859828D95897C2E9C3CB8AB66C9F1FCD79D6C7", "E23B2B70071C87B4B30F175BDFB816A59FF7F9127F0905729A27B7EF44524CBC", "E298AFAE6C10545EEFE2EDCB1E58ACEB81769C82FC173BB89206A046496B5501", 
"E339AD68FEF83E1C654B3EA486C97706F998CD0D324C363879653C8B1DA397AF", "E3D0BB62F3EBBFB0BD048F50837D047A327135C03929630E6A511352E13002E5", "E5F6CA4E9846520FFBE611036320AF23A481268C0C6F8DE632C6CEE7B97E65F5", "E65542FCA90363D7C8577C507B17D1281192264CD6153EAD3B4C7E698CCB802B", "E662216536D352189553CACDED94197C05EB014BBDF76DD13702DFEF9445466A", "E733C17408E04FE220509E0551DBC620A986294A215F7DD00365914286AF7F92", "E79BC6C34DAD829FAB4182BB79212B7400A2BCB673A1FFCDE7E446FA6EFAF11B", "E8785330052719CAFEAAD58D08CA6A5AC216720B2ADB457FB5C017CF4DA084A7", "E8A312ECF86D6A1C6D9722B8D51FDE987A400AF0C6568E0E843C6327878D3511", "E8A460EF6615AD41E91C4533C20B80083D9D6E40A9584892FF55E41DDB9E367B", "E8A9D3E9EB263B8252AC392A110C5699C152EBE388EA85E79DC45D6A3DA9A738", "EC3D8B78929CEE29AEF21A1B489AE5D843D897B3C4D451E9206D6EE31CC77C0D", "EDB34CD93CDAF5921CF795AC72A6405C79962D06DE79535AF74133F2884DA4EB", "EF2B4F4110ACF96FDC34CF6D7B916C577277400859F5F464947088E0CE635995", "EF8F0A9CABE55A98975A5E586449578AFBE0581CC3BBC4848706891FDC02ED1D", "EF9B6C270DCF82283BF13AFE4BD6A359C1D124B7D4895440A36E199964CDEF36", "EFC96C84FC6627E09277E1FB61859CD2CA1859DFD91107C5D299A533D68503BF", "F0864C914EFB62F7C48822F52BDF423B57466738327736DD211AEFBE34B7C109", "F09AD94B48DEE6804F3C9AEE48EB9BA274CE6A40FCE684B18CF3D4B1944D4CCE", "F1D303774ACA9A5AD0E510C3DF5F1397009E7D6FD2FDAFAC4642501D873381FE", "F4BDACE4C2BD969BE014F58FD96BAC012DCB9FD40640A048ED223245FEA36AB5", "F542A12C495D85C0CEB4091F4CA805B6D3F211CCA410B1C97964AA4680E716F4", "F590F9B8CCE606C3A8B1868747618F53738AF0A967C71C872865E6F97E3E2A42", "F779442F0B4B159B647211B27C52485C40EF8D77079FB564145C112408507200", "F7862E3AFF4165C1E96904B0CC478B568FD7C29638F30D7255C5D201546C0450", "F7A4C910A4DF2E02493D2FF5F34AA0A704BD3D1EDF63E2A05589FEA9676846E6", "F862AA8C70B0343452BE1F88AAFBC22FF6D70527EFA74872A5EBBA9DE943691D", "F863337FF22BB38FB6CDAB12AD085E0BFDD2EE103D58AF0071EAF269683A58F3", "F8BE2A1BD7CC2236086BE1E13F72021EA00650A5D0F96ED1829270ED6BC006C1", 
"F90FD904FE2AD66DEF4FDDFD5D99DDE1F5E9A79893EE2F3ADB1619E2F648B6FC", "F9C3BC218F02B41A1EE998B0C9BACBCBA2A26044AA17D86E90806B1B4853903B", "FB7B0D7D51A5A8ED0E01174710F6992C01D57D42E953D250F0E36E0351D2F30A", "FC0AB5A04DEDCCA9B4FEE010F6A33E94AF0B79A3828E6659C5AB9764C36C13F8", "FD48BA74DC3A1C3984E282E9336A9AAC5D63A6863D7227C72593B2FEC3CC6C79", "FD54ED57D0984C8885C877F9181732A5619A1E525F7855FB4A72EC63053B7375", "FD98647DA723C33CDEC38C52B57AE83B49EBDE217212120E05428E998223B712", "FDE8E9C242ED2D257B3BCF9E013CB6CFC32441C70BF5803FE16A714EDE9E7DFB", "FDF6E8F7CD2218245453540A985C40ED7D9C20F3F61D50E98DA8EC923B1A387A", "FE0CD9D782041746DBFBA9DFD5A169C98E21DF40D5DB566AD15D9898EFE9D6E4", "FEDE4F7915CF8E683DBC7AB56D68872D5740EF9C5D19FED52B140130771052A2", "FF8DB78F22CB24A549324F1BD88656C5EF156F945EC890C85CED4CCF556C4237"]}, {"type": "ics", "idList": ["ICSA-18-226-02", "ICSA-19-024-02"]}, {"type": "kaspersky", "idList": ["KLA11179", "KLA11236"]}, {"type": "lenovo", "idList": ["LENOVO:PS500190-INTEL-PROSETWIRELESS-WIFI-SOFTWARE-VULNERABILITIES-NOSID", "LENOVO:PS500190-NOSID"]}, {"type": "mageia", "idList": ["MGASA-2016-0093", "MGASA-2017-0042", "MGASA-2017-0255", "MGASA-2017-0390", "MGASA-2017-0405", "MGASA-2017-0408", "MGASA-2017-0453", "MGASA-2018-0101", "MGASA-2018-0190", "MGASA-2018-0257", "MGASA-2018-0339"]}, {"type": "nessus", "idList": ["700513.PRM", "700523.PRM", "700620.PRM", "700625.PRM", "700627.PRM", "700629.PRM", "801963.PRM", "9128.PRM", "9933.PRM", "9934.PRM", "AIX_OPENSSL_ADVISORY18.NASL", "AIX_OPENSSL_ADVISORY24.NASL", "AIX_OPENSSL_ADVISORY25.NASL", "AIX_OPENSSL_ADVISORY26.NASL", "AL2_ALAS-2018-1004.NASL", "AL2_ALAS-2018-1102.NASL", "ALA_ALAS-2016-661.NASL", "ALA_ALAS-2016-701.NASL", "ALA_ALAS-2018-1016.NASL", "ALA_ALAS-2018-1065.NASL", "ALA_ALAS-2018-1069.NASL", "ALA_ALAS-2018-1070.NASL", "ALA_ALAS-2018-1102.NASL", "CENTOS_RHSA-2016-0301.NASL", "CENTOS_RHSA-2018-0998.NASL", "CENTOS_RHSA-2018-3090.NASL", "CENTOS_RHSA-2018-3221.NASL", "DEBIAN_DLA-1157.NASL", 
"DEBIAN_DLA-1330.NASL", "DEBIAN_DLA-2091.NASL", "DEBIAN_DLA-2342.NASL", "DEBIAN_DSA-3500.NASL", "DEBIAN_DSA-4004.NASL", "DEBIAN_DSA-4017.NASL", "DEBIAN_DSA-4018.NASL", "DEBIAN_DSA-4037.NASL", "DEBIAN_DSA-4065.NASL", "DEBIAN_DSA-4157.NASL", "DEBIAN_DSA-4158.NASL", "DEBIAN_DSA-4190.NASL", "EULEROS_SA-2018-1115.NASL", "EULEROS_SA-2018-1179.NASL", "EULEROS_SA-2018-1339.NASL", "EULEROS_SA-2018-1392.NASL", "EULEROS_SA-2018-1420.NASL", "EULEROS_SA-2019-1009.NASL", "EULEROS_SA-2019-1084.NASL", "EULEROS_SA-2019-1164.NASL", "EULEROS_SA-2019-1185.NASL", "EULEROS_SA-2019-1201.NASL", "EULEROS_SA-2019-1400.NASL", "EULEROS_SA-2019-1546.NASL", "EULEROS_SA-2019-1547.NASL", "EULEROS_SA-2019-2509.NASL", "EULEROS_SA-2021-1221.NASL", "EULEROS_SA-2021-1506.NASL", "EULEROS_SA-2021-2542.NASL", "EULEROS_SA-2021-2566.NASL", "EULEROS_SA-2021-2758.NASL", "EULEROS_SA-2021-2785.NASL", "F5_BIGIP_SOL14363514.NASL", "F5_BIGIP_SOL44512851.NASL", "F5_BIGIP_SOL93122894.NASL", "FEDORA_2016-1AAF308DE4.NASL", "FEDORA_2016-2802690366.NASL", "FEDORA_2016-7C48036D73.NASL", "FEDORA_2016-C558E58B21.NASL", "FEDORA_2016-E1234B65A2.NASL", "FEDORA_2016-E6807B3394.NASL", "FEDORA_2017-3451DBEC48.NASL", "FEDORA_2017-4A071ECBC7.NASL", "FEDORA_2017-4CF72E2C11.NASL", "FEDORA_2017-512A6C5AAE.NASL", "FEDORA_2017-55A3247CFD.NASL", "FEDORA_2017-6A75C816FA.NASL", "FEDORA_2017-7F30914972.NASL", "FEDORA_2017-8DF9EFED5F.NASL", "FEDORA_2017-DBEC196DD8.NASL", "FEDORA_2017-E16ED3F7A1.NASL", "FEDORA_2017-E853B4144F.NASL", "FEDORA_2017-F452765E1E.NASL", "FEDORA_2018-1B4F1158E2.NASL", "FEDORA_2018-2F696A3BE3.NASL", "FEDORA_2018-39E0872379.NASL", "FEDORA_2018-40DC8B8B16.NASL", "FEDORA_2018-49651B2236.NASL", "FEDORA_2018-76AFAF1961.NASL", "FEDORA_2018-9490B422E7.NASL", "FEDORA_2018-9D667BDFF8.NASL", "FREEBSD_PKG_3BB451FCDB6411E7AC58B499BAEBFEAF.NASL", "FREEBSD_PKG_6D33B3E5EA0311E585BE14DAE9D210B8.NASL", "FREEBSD_PKG_7B1A4A27600A11E6A6C314DAE9D210B8.NASL", "FREEBSD_PKG_8C2B2F110EBE11E6B55EB499BAEBFEAF.NASL", 
"FREEBSD_PKG_909BE51B9B3B11E8ADD2B499BAEBFEAF.NASL", "FREEBSD_PKG_93F8E0FFF33D11E8BE460019DBB15B3F.NASL", "FREEBSD_PKG_9442A811DAB311E7B5AFA4BADB2F4699.NASL", "FREEBSD_PKG_9F7A0F39DDC011E7B5AFA4BADB2F4699.NASL", "FREEBSD_PKG_B7CFF5A931CC11E88F07B499BAEBFEAF.NASL", "FREEBSD_PKG_BEA84A7AE0C911E7B4F311BAA0C2DF21.NASL", "FREEBSD_PKG_D455708AE3D311E69940B499BAEBFEAF.NASL", "FREEBSD_PKG_F40F07AAC00F11E7AC58B499BAEBFEAF.NASL", "GENTOO_GLSA-201603-15.NASL", "GENTOO_GLSA-201702-07.NASL", "GENTOO_GLSA-201712-03.NASL", "GENTOO_GLSA-201802-04.NASL", "GENTOO_GLSA-201811-21.NASL", "GENTOO_GLSA-202007-53.NASL", "HPSMH_7_5_5.NASL", "IBM_HTTP_SERVER_569301.NASL", "IBM_JAVA_2018_08_01.NASL", "IBM_TEM_9_5_10.NASL", "JFROG_ARTIFACTORY_6_1.NASL", "JFROG_ARTIFACTORY_7_8_1.NASL", "JUNIPER_JSA10759.NASL", "JUNIPER_JSA10775.NASL", "JUNIPER_NSM_JSA10851.NASL", "MACOSX_SECUPD2017-005.NASL", "MACOSX_XCODE_81.NASL", "MACOS_10_13_2.NASL", "MYSQL_5_6_30.NASL", "MYSQL_5_6_30_RPM.NASL", "MYSQL_5_6_36.NASL", "MYSQL_5_6_36_RPM.NASL", "MYSQL_5_6_39.NASL", "MYSQL_5_6_39_RPM.NASL", "MYSQL_5_6_41_RPM.NASL", "MYSQL_5_7_12.NASL", "MYSQL_5_7_12_RPM.NASL", "MYSQL_5_7_18.NASL", "MYSQL_5_7_18_RPM.NASL", "MYSQL_5_7_21.NASL", "MYSQL_5_7_21_RPM.NASL", "MYSQL_5_7_23.NASL", "MYSQL_5_7_23_RPM.NASL", "MYSQL_8_0_12.NASL", "MYSQL_8_0_12_RPM.NASL", "MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL", "MYSQL_ENTERPRISE_MONITOR_3_4_8.NASL", "MYSQL_ENTERPRISE_MONITOR_4_0_2_5168.NASL", "MYSQL_ENTERPRISE_MONITOR_4_0_4_5233.NASL", "NEWSTART_CGSL_NS-SA-2019-0033_OPENSSL.NASL", "NEWSTART_CGSL_NS-SA-2019-0065_OPENSSL.NASL", "NEWSTART_CGSL_NS-SA-2019-0066_OVMF.NASL", "OPENSSL_1_0_1S.NASL", "OPENSSL_1_0_2G.NASL", "OPENSSL_1_0_2K.NASL", "OPENSSL_1_0_2M.NASL", "OPENSSL_1_0_2N.NASL", "OPENSSL_1_0_2O.NASL", "OPENSSL_1_1_0D.NASL", "OPENSSL_1_1_0G.NASL", "OPENSSL_1_1_0H.NASL", "OPENSUSE-2016-288.NASL", "OPENSUSE-2016-289.NASL", "OPENSUSE-2016-292.NASL", "OPENSUSE-2016-607.NASL", "OPENSUSE-2016-715.NASL", "OPENSUSE-2017-1324.NASL", 
"OPENSUSE-2017-1381.NASL", "OPENSUSE-2017-256.NASL", "OPENSUSE-2017-284.NASL", "OPENSUSE-2017-442.NASL", "OPENSUSE-2017-866.NASL", "OPENSUSE-2018-116.NASL", "OPENSUSE-2018-168.NASL", "OPENSUSE-2018-361.NASL", "OPENSUSE-2018-389.NASL", "OPENSUSE-2018-5.NASL", "OPENSUSE-2018-807.NASL", "OPENSUSE-2018-823.NASL", "OPENSUSE-2018-844.NASL", "OPENSUSE-2018-90.NASL", "OPENSUSE-2018-938.NASL", "OPENSUSE-2018-997.NASL", "OPENSUSE-2019-563.NASL", "ORACLELINUX_ELSA-2016-0301.NASL", "ORACLELINUX_ELSA-2018-0998.NASL", "ORACLELINUX_ELSA-2018-3090.NASL", "ORACLELINUX_ELSA-2018-3221.NASL", "ORACLELINUX_ELSA-2018-4228.NASL", "ORACLEVM_OVMSA-2016-0031.NASL", "ORACLEVM_OVMSA-2016-0049.NASL", "ORACLEVM_OVMSA-2019-0040.NASL", "ORACLE_ACCESS_MANAGER_CPU_JAN_2018.NASL", "ORACLE_E-BUSINESS_CPU_JAN_2018.NASL", "ORACLE_ENTERPRISE_MANAGER_APR_2018_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2017_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_OCT_2018_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_JAN_2019_CPU.NASL", "ORACLE_HTTP_SERVER_CPU_JAN_2018.NASL", "ORACLE_IDENTITY_MANAGEMENT_CPU_OCT_2018.NASL", "ORACLE_MYSQL_CONNECTORS_CPU_JAN_2018.NASL", "ORACLE_MYSQL_CONNECTORS_CPU_JUL_2018.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2018.NASL", "ORACLE_RDBMS_CPU_JUL_2018.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_APR_2017_CPU.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_APR_2018_CPU.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_JAN_2018_CPU.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_JUL_2018_CPU.NASL", "ORACLE_TUXEDO_CPU_APR_2018.NASL", "ORACLE_TUXEDO_CPU_JUL_2018.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_APR_2018.NBIN", "PALO_ALTO_PAN-SA-2018-0015.NASL", "PFSENSE_SA-16_02.NASL", "PFSENSE_SA-17_07.NASL", "PFSENSE_SA-17_11.NASL", "PHOTONOS_PHSA-2017-0042.NASL", "PHOTONOS_PHSA-2017-0042_OPENSSL.NASL", "PHOTONOS_PHSA-2018-1_0-0097-A.NASL", "PHOTONOS_PHSA-2018-1_0-0097-A_OPENSSL.NASL", "PHOTONOS_PHSA-2018-2_0-0010-A.NASL", "PHOTONOS_PHSA-2018-2_0-0010-A_OPENSSL.NASL", "REDHAT-RHSA-2016-0301.NASL", "REDHAT-RHSA-2016-0379.NASL", 
"REDHAT-RHSA-2017-1834.NASL", "REDHAT-RHSA-2017-1835.NASL", "REDHAT-RHSA-2017-1837.NASL", "REDHAT-RHSA-2017-2635.NASL", "REDHAT-RHSA-2017-2636.NASL", "REDHAT-RHSA-2017-2637.NASL", "REDHAT-RHSA-2017-2638.NASL", "REDHAT-RHSA-2017-3141.NASL", "REDHAT-RHSA-2017-3189.NASL", "REDHAT-RHSA-2017-3454.NASL", "REDHAT-RHSA-2017-3455.NASL", "REDHAT-RHSA-2017-3458.NASL", "REDHAT-RHSA-2018-0116.NASL", "REDHAT-RHSA-2018-0342.NASL", "REDHAT-RHSA-2018-0479.NASL", "REDHAT-RHSA-2018-0480.NASL", "REDHAT-RHSA-2018-0481.NASL", "REDHAT-RHSA-2018-0998.NASL", "REDHAT-RHSA-2018-1448.NASL", "REDHAT-RHSA-2018-1449.NASL", "REDHAT-RHSA-2018-1451.NASL", "REDHAT-RHSA-2018-1525.NASL", "REDHAT-RHSA-2018-2089.NASL", "REDHAT-RHSA-2018-2090.NASL", "REDHAT-RHSA-2018-2185.NASL", "REDHAT-RHSA-2018-2186.NASL", "REDHAT-RHSA-2018-2423.NASL", "REDHAT-RHSA-2018-2424.NASL", "REDHAT-RHSA-2018-2568.NASL", "REDHAT-RHSA-2018-2575.NASL", "REDHAT-RHSA-2018-2713.NASL", "REDHAT-RHSA-2018-2927.NASL", "REDHAT-RHSA-2018-3090.NASL", "REDHAT-RHSA-2018-3221.NASL", "REDHAT-RHSA-2019-0367.NASL", "REDHAT-RHSA-2019-1711.NASL", "SECURITYCENTER_5_4_3_TNS_2017_04.NASL", "SECURITYCENTER_OPENSSL_1_0_2K.NASL", "SECURITYCENTER_OPENSSL_1_0_2M.NASL", "SECURITYCENTER_OPENSSL_1_0_2N.NASL", "SLACKWARE_SSA_2016-062-02.NASL", "SLACKWARE_SSA_2017-041-02.NASL", "SLACKWARE_SSA_2017-306-02.NASL", "SLACKWARE_SSA_2017-342-01.NASL", "SLACKWARE_SSA_2018-087-01.NASL", "SL_20160301_OPENSSL_ON_SL6_X.NASL", "SL_20180410_OPENSSL_ON_SL7_X.NASL", "SL_20181030_OPENSSL_ON_SL7_X.NASL", "SL_20181030_OVMF_ON_ON_SL7_X.NASL", "SPLUNK_6334.NASL", "STRUTS_2_5_14_1.NASL", "SUN_JAVA_WEB_SERVER_7_0_27.NASL", "SUSE_SU-2016-0617-1.NASL", "SUSE_SU-2016-0620-1.NASL", "SUSE_SU-2016-0624-1.NASL", "SUSE_SU-2016-0631-1.NASL", "SUSE_SU-2017-0431-1.NASL", "SUSE_SU-2017-0441-1.NASL", "SUSE_SU-2017-0855-1.NASL", "SUSE_SU-2017-2981-1.NASL", "SUSE_SU-2017-3169-1.NASL", "SUSE_SU-2017-3343-1.NASL", "SUSE_SU-2018-0002-1.NASL", "SUSE_SU-2018-0053-1.NASL", "SUSE_SU-2018-0112-1.NASL", 
"SUSE_SU-2018-0293-1.NASL", "SUSE_SU-2018-0902-1.NASL", "SUSE_SU-2018-0906-1.NASL", "SUSE_SU-2018-0925-1.NASL", "SUSE_SU-2018-0975-1.NASL", "SUSE_SU-2018-2072-1.NASL", "SUSE_SU-2018-2158-1.NASL", "SUSE_SU-2018-2683-1.NASL", "SUSE_SU-2018-2839-1.NASL", "SUSE_SU-2018-2839-2.NASL", "SUSE_SU-2018-3082-1.NASL", "SUSE_SU-2020-0495-1.NASL", "UBUNTU_USN-2914-1.NASL", "UBUNTU_USN-3181-1.NASL", "UBUNTU_USN-3475-1.NASL", "UBUNTU_USN-3512-1.NASL", "UBUNTU_USN-3611-1.NASL", "UBUNTU_USN-4741-1.NASL", "VIRTUALBOX_5_2_10.NASL", "VIRTUALBOX_5_2_6.NASL", "VMWARE_ESXI_6_0_BUILD_5485776_REMOTE.NASL", "WEBSPHERE_304537.NASL"]}, {"type": "nodejsblog", "idList": ["NODEJSBLOG:DECEMBER-2017-SECURITY-RELEASES", "NODEJSBLOG:MARCH-2018-SECURITY-RELEASES", "NODEJSBLOG:OPENSSL-JANUARY-2017", "NODEJSBLOG:OPENSSL-NOVEMBER-2017"]}, {"type": "openssl", "idList": ["OPENSSL:CVE-2016-0705", "OPENSSL:CVE-2017-3732", "OPENSSL:CVE-2017-3735", "OPENSSL:CVE-2017-3736", "OPENSSL:CVE-2017-3737", "OPENSSL:CVE-2017-3738", "OPENSSL:CVE-2018-0739"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106354", "OPENVAS:1361412562310106949", "OPENVAS:1361412562310107203", "OPENVAS:1361412562310107204", "OPENVAS:1361412562310107260", "OPENVAS:1361412562310107268", "OPENVAS:1361412562310107824", "OPENVAS:1361412562310107831", "OPENVAS:1361412562310120651", "OPENVAS:1361412562310120690", "OPENVAS:1361412562310121457", "OPENVAS:1361412562310122888", "OPENVAS:1361412562310122890", "OPENVAS:1361412562310131244", "OPENVAS:1361412562310140168", "OPENVAS:1361412562310143949", "OPENVAS:1361412562310703500", "OPENVAS:1361412562310704004", "OPENVAS:1361412562310704017", "OPENVAS:1361412562310704018", "OPENVAS:1361412562310704037", "OPENVAS:1361412562310704065", "OPENVAS:1361412562310704157", "OPENVAS:1361412562310704158", "OPENVAS:1361412562310704190", "OPENVAS:1361412562310807097", "OPENVAS:1361412562310807098", "OPENVAS:1361412562310807460", "OPENVAS:1361412562310807598", "OPENVAS:1361412562310807927", 
{"ibm": [{"lastseen": "2023-02-21T21:44:46", "description": "## Summary\n\nIBM API Connect has addressed multiple vulnerabilities in GSKit and OpenSSL.\n\n## Vulnerability Details\n\n**CVEID: ** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID: ** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID: ** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). 
An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID: ** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION: **IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID: ** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION: **IBM GSKit contains several enviornment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID: ** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION: **IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID: ** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION: **The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. 
A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected IBM API Management | Affected Versions \n---|--- \nIBM API Connect | 5.0.0.0-5.0.8.4 \n \n## Remediation/Fixes\n\nProduct | Fixed in VRMF | APAR | Remediation / First Fix \n---|---|---|--- \n \nIBM API Connect 5.0.0.0-5.0.8.4\n\n| \n\n5.0.8.5\n\n| \n\nLI80493\n\n| \n\nAddressed in IBM API Connect V5.0.8.5 fix pack.\n\nFollow this link and find the APIConnect_Management package.\n\n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.4&platform=All&function=all&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.4&platform=All&function=all&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-16T15:50:02", "type": "ibm", "title": "Security Bulletin: IBM API Connect is affected by multiple GSKit and OpenSSL vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2019-01-16T15:50:02", "id": "79C9308A38227EABEE316B0407CBC46021561F829AEBF9659F93085D4FC63547", "href": "https://www.ibm.com/support/pages/node/719379", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:49:48", "description": "## Summary\n\nMultiple security vulnerabilities (CVE-2018-1426, CVE-2018-1427, CVE-2018-1428, CVE-2017-3736, CVE-2017-3732, CVE-2016-0705, and CVE-2018-1447) have been discovered in GSKit used with IBM Security Network Protection.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several enviornment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n \n \n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Security Network Protection 5.3.1 \nIBM Security Network Protection 5.3.3\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nIBM Security Network Protection| Firmware version 5.3.1| Download the fix from [IBM Fix Central](<https://www-945.ibm.com/support/fixcentral>) and install it via IBM Security Network Protection Local Management Interface. 
\n[5.3.1.16-XGS-All-Models-Hotfix-IF0001](<https://www-945.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=5.3.1.16-XGS-All-Models_Hotfix-IF0001&continue=1>) \nIBM Security Network Protection| Firmware version 5.3.3| Download the fix from [IBM Fix Central](<https://www-945.ibm.com/support/fixcentral>) and install it via IBM Security Network Protection Local Management Interface. \n[5.3.3.6-XGS-All-Models-Hotfix-IF0001](<https://www-945.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=5.3.3.6-XGS-All-Models-Hotfix-IF0001&continue=1>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T22:07:03", "type": "ibm", "title": "Security Bulletin: IBM Security Network Protection is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-16T22:07:03", "id": "F0864C914EFB62F7C48822F52BDF423B57466738327736DD211AEFBE34B7C109", "href": 
"https://www.ibm.com/support/pages/node/571209", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:05:27", "description": "## Summary\n\nMultiple vulnerabilities has been addressed in the GSKit component of Tivoli Netcool/OMNIbus.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2018-1447_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2016-0705_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. 
An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several enviornment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nTivoli Netcool/OMNIbus 7.4.0 \nTivoli Netcool/OMNIbus 8.1.0\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nOMNIbus| 7.4.0.17| IJ02853| <http://www-01.ibm.com/support/docview.wss?uid=swg24044483> \nOMNIbus| 8.1.0.16| IJ02853| <http://www-01.ibm.com/support/docview.wss?uid=swg24044414> \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related 
Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n18 May 2018: Original version published \n6 June 2018: Updated with 7.4.0.17 details\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. 
Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSSHTQ\",\"label\":\"Tivoli Netcool\\/OMNIbus\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.4.0;8.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:15:49", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the GSKit component of Tivoli Netcool/OMNIbus", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:15:49", "id": "2F4353DF684AD6726CB9491220A703D4AD06D4406D7B35BEBCB2D4EE11863E10", "href": "https://www.ibm.com/support/pages/node/538871", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:48:46", "description": "## Summary\n\nMultiple security vulnerabilities have been identified in GSKit and GSKit-Crypto, which are used by IBM Cloud Manager with OpenStack. \nIBM Cloud Manager with OpenStack has addressed these vulnerabilities. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high-priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\n**Affected Product Name**| **Affected Versions** \n---|--- \nIBM Cloud Manager with OpenStack| 4.3 \n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **Remediation / First Fix** \n---|---|--- \nIBM Cloud Manager with OpenStack| 4.3| Upgrade to 4.3 FP 10: [**_http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FCloud+Manager+with+Openstack&fixids=4.3.0.10-IBM-CMWO-FP10&source=SAR_**](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FCloud+Manager+with+Openstack&fixids=4.3.0.10-IBM-CMWO-FP10&source=SAR>) \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-08T04:13:55", "type": "ibm", "title": "Security Bulletin: IBM Cloud Manager with OpenStack is affected by GSKit", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-08-08T04:13:55", "id": "7A811732B34C1BAA3F2209EA69EE01FCACF762E53C22EAE8A8FB7A45B4E7164D", "href": "https://www.ibm.com/support/pages/node/664853", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:46:59", "description": "## Summary\n\nIBM FileNet Image Services has addressed multiple GSKit and GSKit-Crypto vulnerabilities. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high-priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM FileNet Image Services 4.2.0\n\n## Remediation/Fixes\n\n**Product**| **VRM**| **Remediation** \n---|---|--- \nIBM FileNet Image Services| 4.2.0| Please refer to the [technote](<http://www-01.ibm.com/support/docview.wss?uid=swg22016493>) for the fix. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:19:30", "type": "ibm", "title": "Security Bulletin: IBM FileNet Image Services is affected by GSKit and GSKit-Crypto vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T12:19:30", "id": "DDAC6B14B8934B2E6C225A197BD36CA0AC38FD8684F572F5702537FFE8240DAB", "href": "https://www.ibm.com/support/pages/node/568337", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:48:07", "description": "## Summary\n\nIBM Content Collector for SAP Applications has addressed multiple GSKit and GSKit-Crypto vulnerabilities. Details of the vulnerabilities are given below. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. 
An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high-priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Content Collector for SAP Applications 3.0.0\n\nIBM Content Collector for SAP Applications 4.0.0\n\n## Remediation/Fixes\n\n**Product** | **VRM** | **Remediation** \n---|---|--- \nIBM Content Collector for SAP Applications | 3.0 | Use IBM Content Collector for SAP Applications [3.0.0.2 Interim Fix 8](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Content%20Management&product=ibm/Information+Management/IBM+Content+Collector+for+SAP+Applications&release=3.0.0.2&platform=All&function=all>) \nIBM Content Collector for SAP Applications | 4.0 | Use IBM Content Collector for SAP Applications [4.0.0.2 Interim Fix 2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Content%20Management&product=ibm/Information+Management/IBM+Content+Collector+for+SAP+Applications&release=4.0.0.2&platform=All&function=all>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-30T12:21:09", "type": "ibm", "title": "Security Bulletin: IBM Content Collector for SAP Applications is affected by GSKit and GSKit-Crypto vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-08-30T12:21:09", "id": "2BB93AE1C7A3B73A6491F3A66D7F39AEF96849CFFB0026B650053C816A375F8C", "href": "https://www.ibm.com/support/pages/node/715153", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T13:34:50", "description": "## Summary\n\nIBM Data Server Driver for ODBC and CLI is affected by multiple vulnerabilities in the GSKit library. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)\n\n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high-priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAll fix pack levels of IBM Data Server Driver for ODBC and CLI V9.7, V10.1, V10.5, and V11.1 editions on all platforms are affected.\n\n## Remediation/Fixes\n\nThe latest DB2 V11.1 m3FP3 and DB2 V10.5 FP10 already include the most recent GSKit version, V8.0.50.86, which addresses all the GSKit vulnerabilities reported to date.\n\nFor DB2, including the IBM data server driver, at V9.7, V10.1 and any V10.5 level before fix pack 5, you can get all the required information and the fix pack download location from <http://www-01.ibm.com/support/docview.wss?uid=swg22013756>.\n\n_For customers running IBM data server client and driver types_\n\nUpgrading GSKit is required if either of the following applies to you:\n\n * IBM data server client and driver types for V9.7, V10.1 and any V10.5 level before fix pack 5.\n * IBM data server client and driver types for V10.5 fix pack 5 or later where GSKit has additionally been installed.\n\nWhere to obtain GSKit depends on the DB2 release and platform:\n\n * IBM data server client and driver types V10.5 fix pack 5 on Inspur or Linux 64-bit POWER\u2122 little endian on Power System: please contact customer support to obtain the \"IBM DB2 Support Files for SSL Functionality\".\n * IBM data server client and driver types V9.7, V10.1 and any V10.5 level before fix pack 5: \n   * _Client and the server are on the same physical computer_: For the Windows platform, you do not need to upgrade GSKit, as GSKit is automatically installed with the DB2 server image. 
For all other platforms, you will need to download \"IBM DB2 Support Files for SSL Functionality\" from IBM Passport Advantage\u00ae.\n   * _Client and the server are on different computers_: For all platforms, download \"IBM DB2 Support Files for SSL Functionality\" from IBM Passport Advantage\u00ae and perform the GSKit upgrade.\n\nRefer to the GSKit versions chart shipped with DB2: [http://www.ibm.com/support/docview.wss?uid=swg21617892](<http://www.ibm.com/support/docview.wss?uid=swg21617892>)\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-03T03:38:29", "type": "ibm", "title": "Security Bulletin: IBM Data Server Driver for ODBC and CLI is affected by multiple vulnerabilities in the GSKit library", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 
10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-07-03T03:38:29", "id": "5B61A8C776F5DB5A9AF0C13607CB60BA8EAB34C3208154E6FCEAAD0857CCDCEA", "href": "https://www.ibm.com/support/pages/node/715907", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:47:01", "description": "## Summary\n\neDiscovery Manager has addressed multiple GSKit and GSKit-Crypto vulnerabilities. Details of the vulnerabilities are given below. \n\n## Vulnerability Details\n\n**CVEID: **[_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n** \nCVEID: **[_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n** \nCVEID: **[_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n** \nCVEID: **[_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION: **IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n** \nCVEID: **[_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION: **IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n** \nCVEID: **[_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION: **IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\neDiscovery Manager 2.2.2\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \neDiscovery Manager| 2.2.2| Use eDiscovery Manager 2.2.2 [Fix Pack 3](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Content%20Management&product=ibm/Information+Management/InfoSphere+eDiscovery+Manager&release=2.2.2.3&platform=All&function=all>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:19:30", "type": "ibm", "title": "Security Bulletin: eDiscovery Manager is affected by GSKit and GSKit-Crypto vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": 
"2018-06-17T12:19:30", "id": "C18E4772030D674D152D69B21575B31602E8081D2A7D63F34DF5712FA898D8EA", "href": "https://www.ibm.com/support/pages/node/568339", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T13:34:52", "description": "## Summary\n\nMultiple vulnerabilities in the IBM GSKit and IBM GSKit-Crypto affect IBM Performance Management products.\n\n## Vulnerability Details\n\nCVEID: [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \nDESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \nDESCRIPTION: IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\nCVEID: [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \nDESCRIPTION: IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nCVEID: [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \nDESCRIPTION: IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \nDESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \nDESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\nCVEID: [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \nDESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Cloud Application Performance Management, Base Private \n\nIBM Cloud Application Performance Management, Advanced Private \n\nIBM Cloud Application Performance Management\n\n## Remediation/Fixes\n\n_Product_ | _Product VRMF_ | _Remediation_ \n---|---|--- \nIBM Cloud Application Performance Management, Base Private \n \nIBM Cloud Application Performance Management, Advanced Private | _8.1.4_ | The vulnerabilities can be remediated by applying the Core Framework interim fix 8.1.4.0-IBM-APM-CORE-FRAMEWORK-APM-IF0003 to all systems where Cloud APM agents are installed: \n[https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003972](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003972>) \nIBM Cloud Application Performance Management | _N/A_ | \n\nAfter your subscription is upgraded to V8.1.4, the vulnerabilities can be remediated by either \n \na) downloading the Core Framework interim fix 8.1.4.0-IBM-APM-CORE-FRAMEWORK-APM-IF0003 to all systems where Cloud APM agents are installed and applying the 
fix by following the instructions at this link: \n[https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003972](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003972>) \n \nb) downloading the Cloud APM agent packages for the operating systems that your agents run on and using the downloaded packages to upgrade existing agents to use the updated Core Framework or to install new agents with the updated Core Framework. \n \nPlease refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/download_agents_intro.htm> for details on downloading agent packages from IBM Marketplace. \n \nPlease refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/install_agent_upgrade.htm> for details on upgrading existing agents. \n \nPlease refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/install_intro.htm> for details on installing new agents. \n \nIBM Monitoring \nIBM Application Diagnostics \nIBM Application Performance Management \nIBM Application Performance Management Advanced | _8.1.3_ | The vulnerabilities can be remediated by applying the Core Framework interim fix 8.1.3.0-IBM-IPM-CORE-FRAMEWORK-IPM-IF0007 to all systems where Performance Management agents are installed: \n[https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003966](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003966>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-03T02:48:06", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities 
in the IBM GSKit and IBM GSKit-Crypto affect IBM Performance Management products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-07-03T02:48:06", "id": "73288A84B49A641505C576DEDC995F44E69001C227078E86112664767072BDA2", "href": "https://www.ibm.com/support/pages/node/716097", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T17:47:13", "description": "## Summary\n\nIBM MQ and WebSphere MQ have addressed multiple vulnerabilities in OpenSSL and GSKit. \n \nOpenSSL is used by IBM MQ Advanced Message Security on the IBM i platform only.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\n_WebSphere MQ v7.0.1_\n\n * Maintenance levels: 7.0.1.0 - 7.0.1.14\n \n_WebSphere MQ v7.1_\n\n * Maintenance levels: 7.1.0.0 - 7.1.0.9\n \n_WebSphere MQ v7.5_\n\n * Maintenance levels: 7.5.0.0 - 7.5.0.8\n \n_IBM MQ v8.0 and IBM MQ Appliance v8.0_\n\n * Maintenance level: 8.0.0.0 - 8.0.0.8\n \n_IBM MQ v9.0 LTS_\n\n * Maintenance levels: 9.0.0.0 - 9.0.0.2\n \n_IBM MQ v9.0.x CD and IBM MQ Appliance v9.0.x CD_\n\n * IBM MQ version 9.0.1 - 9.0.4\n\n## Remediation/Fixes\n\n \n_WebSphere MQ v7.0.1_\n\n * Contact WebSphere MQ Support requesting an iFix for APAR IT25200\n \n_WebSphere MQ v7.1_\n\n * Contact WebSphere MQ Support requesting an iFix for APAR IT25200\n \n_WebSphere MQ v7.5_\n\n * [Apply iFix IT25200](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=7.5&platform=All&function=aparId&apars=IT25200&source=fc>)\n \n_IBM MQ v8.0 and IBM MQ Appliance v8.0_\n\n * [Apply fixpack 8.0.0.9](<http://www-01.ibm.com/support/docview.wss?uid=swg22015103>)\n \n_IBM MQ v9.0 LTS_\n\n * [Apply fixpack 9.0.0.3](<http://www-01.ibm.com/support/docview.wss?uid=swg27006037#8000>)\n \n_IBM MQ v9.0.x CD and IBM MQ Appliance v9.0.x CD_\n\n * [Upgrade to IBM MQ 9.0.5](<http://www-01.ibm.com/support/docview.wss?uid=swg24043463>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-20T01:29:42", "type": "ibm", "title": "Security Bulletin: IBM MQ and WebSphere MQ are affected by multiple vulnerabilities in OpenSSL and GSKit.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2022-08-20T01:29:42", "id": "A965468AD7FD6E0FC84AAD8198928B8ABF25FC38D0638161A79D59279C9E678D", "href": "https://www.ibm.com/support/pages/node/711755", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T17:51:59", "description": "## Summary\n\nMultiple security vulnerabilities (CVE-2018-1426, CVE-2018-1427, CVE-2018-1428, CVE-2017-3736, CVE-2017-3732, CVE-2016-0705, and CVE-2018-1447) have been discovered in GSKit used with IBM Security Network Intrusion Prevention System.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Security Network Intrusion Prevention System 4.6.1\n\nIBM Security Network Intrusion Prevention System 4.6.2\n\n## Remediation/Fixes\n\nProduct | VRMF | Remediation/First Fix \n---|---|--- \nIBM Security Network Intrusion Prevention System | Firmware version 4.6.1 | \n\nDownload the fix from [IBM Fix Central](<https://www-945.ibm.com/support/fixcentral>) and install it via IBM Security Network Intrusion Prevention System Local Management Interface.\n\n[4.6.1.0-ISS-ProvG-AllModels-Hotfix-FP0019](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FProventia+Network+Intrusion+Prevention+System&fixids=4.6.1.0-ISS-ProvG-AllModels-Hotfix-FP0019&source=SAR&function=fixId&parent=IBM%20Security>) \n \nIBM Security Network Intrusion Prevention System | Firmware version 4.6.2 | \n\nDownload the fix from [IBM Fix Central](<https://www-945.ibm.com/support/fixcentral>) and install it via IBM Security Network Intrusion Prevention System Local Management Interface.\n\n[4.6.2.0-ISS-ProvG-AllModels-Hotfix-FP0027](<https://www-945.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FTivoli%2FProventia+Network+Intrusion+Prevention+System&fixids=4.6.2.0-ISS-ProvG-AllModels-Hotfix-FP0027&source=SAR&function=fixId&parent=IBM%20Security>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": 
"NONE"}, "impactScore": 5.9}, "published": "2022-02-23T19:48:26", "type": "ibm", "title": "Security Bulletin: IBM Security Network Intrusion Prevention System is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2022-02-23T19:48:26", "id": "7E4E851053AF5C2BFADF66AC8494971BF986538EB9E1BEE4C5D8B83D2DB1BBB0", "href": "https://www.ibm.com/support/pages/node/713555", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-23T21:45:38", "description": "## Summary\n\nIBM Security Privileged Identity Manager has addressed the following vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nProduct | VRMF \n---|--- \nIBM Security Privileged Identity Manager | 2.1.0 - 2.1.0.7 \nIBM Security Privileged Identity Manager | 2.0.2 - 2.0.2.10 \n \n## Remediation/Fixes\n\n**Product** | **VRMF** | **Remediation** \n---|---|--- \nIBM Security Privileged Identity Manager | 2.1.0 - 2.1.0.7 | [_2.1.0-ISS-ISPIM-VA-FP0008_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?fixids=2.1.0-ISS-ISPIM-VA-FP0008&mhq=2.1.0-ISS-ISPIM-VA-FP0008&mhsrc=ibmsearch_a&product=ibm%2FTivoli%2FIBM%20Security%20Privileged%20Identity%20Manager&source=dbluesearch&function=fixId&parent=IBM%20Security>) \nIBM Security Privileged Identity Manager | 2.0.2 - 2.0.2.10 | 
[_2.0.2-ISS-ISPIM-VA-FP0011_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Privileged+Identity+Manager&release=2.0.2&platform=Linux&function=fixId&fixids=2.0.2-ISS-ISPIM-VA-FP0011&includeRequisites=1&includeSup&login=true>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-02T02:10:01", "type": "ibm", "title": "Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2019-07-02T02:10:01", "id": "0E703A42B01F9DF3E0FEC04EEA4F7733F5A313C86865501C0F8A79378E425C34", "href": "https://www.ibm.com/support/pages/node/871366", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:49:30", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Personal Communications. 
GSKit that is shipped with IBM Personal Communications contains multiple security vulnerabilities. IBM Personal Communications has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/111140](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n\n**CVEID:** [CVE-2017-3732](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/121313](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n\n**CVEID:** [CVE-2017-3736](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/134397](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n\n**CVEID:** [CVE-2018-1428](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/139073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n\n**CVEID:** [CVE-2018-1427](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/139072](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n\n**CVEID:** [CVE-2018-1426](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/139071](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nIBM Personal Communications 12.0, 12.0.0.1, 12.0.1, 12.0.2, 12.0.3\n\n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation_ \n---|---|--- \nIBM Personal Communications | 12.0 | [Upgrade to Personal Communications 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=12.0.4&platform=Windows&function=all>) \nIBM Personal Communications | 12.0.0.1 | [Upgrade to Personal Communications 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=12.0.4&platform=Windows&function=all>) \nIBM Personal Communications | 12.0.1.0 | [Upgrade to Personal Communications 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=12.0.4&platform=Windows&function=all>) \nIBM Personal Communications | 12.0.2.0 | [Upgrade to Personal Communications 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=12.0.4&platform=Windows&function=all>) \nIBM Personal Communications | 12.0.3.0 | [Upgrade to Personal Communications 
12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=12.0.4&platform=Windows&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-30T17:22:28", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM GSKit affect IBM Personal Communications", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-07-30T17:22:28", "id": "2614071BF8D5B0482694D82BE1651280FCE95089D3BF507FE1CD1ED3591D2446", "href": "https://www.ibm.com/support/pages/node/717437", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:48:27", "description": "## Summary\n\nGSKit is shipped with IBM Tivoli Network Manager IP Edition. Information about security vulnerabilities affecting GSKit has been published here. 
\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n \n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n \n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n \n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n \n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n \n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli Network Manager IP Edition 3.9, 4.1.1 and 4.2\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)** | **Remediation/Fix** \n---|--- \nIBM Tivoli Network Manager IP Edition 3.9 | [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=IJ08382.PlatformAll.3.9.0.132&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=IJ08382.PlatformAll.3.9.0.132&source=SAR>) \nIBM Tivoli Network Manager IP Edition 4.1.1 | 
[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=IJ08382.Linux.4.1.1.49&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=IJ08382.Linux.4.1.1.49&source=SAR>) \nIBM Tivoli Network Manager IP Edition 4.2 | [ITNM 4.2 FP005 on Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Network+Manager+IP+Edition&release=4.2.0.4&platform=All&function=all>) \n \n \n**Please also note the [end of support announcement](<http://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/8/897/ENUS917-138/index.html&lang=en&request_locale=en>) from 12 September 2017 for selected Netcool product versions. You can find detailed information on whether the product version you have installed in your environment is affected by this end of service announcement by following the [Netcool End of Support Knowledge Collection](<https://www-01.ibm.com/support/entdocview.wss?uid=swg22009231>). If your product version is affected, IBM recommends upgrading to the latest supported version of your product. 
Please contact your IBM account manager for any questions you might have or for any assistance you may require for upgrading an end of service announced offering.**\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-14T16:21:16", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in GSKit, which is shipped with IBM Tivoli Network Manager IP Edition.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-08-14T16:21:16", "id": "CC714D6CB93526CA67C3B1AF953783F7648CF4A4936616886992C0290C5D5B18", "href": "https://www.ibm.com/support/pages/node/720265", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:41:17", "description": "## Summary\n\nTXSeries for Multiplatforms has addressed the following vulnerabilities: CVE-2018-1426, CVE-2018-1427, CVE-2018-1428, CVE-2017-3736, CVE-2017-3732, CVE-2016-0705\n\n## Vulnerability Details\n\n 
\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n\n## Affected Products and Versions\n\n**Affected TXSeries for Multiplatforms** | **Affected Versions** \n---|--- \nTXSeries for Multiplatforms | 9.1 \nTXSeries for Multiplatforms | 8.2 \nTXSeries for Multiplatforms | 8.1 \nTXSeries for Multiplatforms | 7.1 \n \n## Remediation/Fixes\n\n**Product** | **VRMF** | **APAR** | **Remediation / First Fix** \n---|---|---|--- \nTXSeries for Multiplatforms | 9.1 | The updated GSKit has been made available on Fix Central as a special fix. FixID: TXSeriesV91-SpecialFix_GSKit | [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=9.1.0.0&platform=All&function=fixId&fixids=TXSeriesV91-SpecialFix_GSKit&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=9.1.0.0&platform=All&function=fixId&fixids=TXSeriesV91-SpecialFix_GSKit&includeSupersedes=0&source=fc>) \nTXSeries for Multiplatforms | 8.2 | The updated GSKit has been made available on Fix Central as fix packs. AIX: 8.2.0.2-TXSeries-AIX-FixPack2; Linux x86: 8.2.0.2-TXSeries-Linux-FixPack2; Windows: 8.2.0.2-TXSeries-WINDOWS-FixPack2; HPUX-IA64: 8.2.0.2-TXSeries-HPUX-IA64-FixPack2 | [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=8.2.0.2&platform=All&function=all&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=8.2.0.2&platform=All&function=all&source=fc>) \nTXSeries for 
Multiplatforms | 8.1 | The updated GSKit has been made available on Fix Central as a special fix. FixID: TXSeriesV81-SpecialFix_GSKit | [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=8.1.0.0&platform=All&function=fixId&fixids=TXSeriesV81-SpecialFix_GSKit&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=8.1.0.0&platform=All&function=fixId&fixids=TXSeriesV81-SpecialFix_GSKit&includeSupersedes=0&source=fc>) \nTXSeries for Multiplatforms | 7.1 | The updated GSKit has been made available on Fix Central as a special fix. FixID: TXSeriesV71-SpecialFix_GSKit | [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=7.1.0.6&platform=All&function=fixId&fixids=TXSeriesV71-SpecialFix_GSKit&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=7.1.0.6&platform=All&function=fixId&fixids=TXSeriesV71-SpecialFix_GSKit&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: TXSeries for Multiplatforms is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-08-03T04:23:43", "id": "5711509DD871227FC9F7CD530DA0E06F21DDA1D522E7B1C76AC95D3AD5F6BC07", "href": "https://www.ibm.com/support/pages/node/571623", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:03:02", "description": "## Summary\n\nGSKit is an IBM component that is used by Host On-Demand. GSKit that is shipped with Host On-Demand contains multiple security vulnerabilities. Host On-Demand has addressed the applicable CVEs. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1426](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/139071](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1427](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/139072](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1428](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. 
An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nHost On-Demand 13.0 \n\nHost On-Demand 12.0, 12.0.0.1, 12.0.1, 12.0.2, 12.0.3\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _Remediation_ \n---|---|--- \nHost On-Demand| 12.0| [Upgrade to Host On-Demand 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=12.0.4&platform=All&function=all>) \nHost On-Demand| 12.0.0.1| [Upgrade to Host On-Demand 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=12.0.4&platform=All&function=all>) \nHost On-Demand| 12.0.1| [Upgrade to Host On-Demand 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=12.0.4&platform=All&function=all>) \nHost On-Demand| 12.0.2| [Upgrade to Host On-Demand 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=12.0.4&platform=All&function=all>) \nHost On-Demand| 12.0.3| [Upgrade to Host On-Demand 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=12.0.4&platform=All&function=all>) \nHost On-Demand| 13.0| [Upgrade to Host On-Demand 13.0.1](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=13.0.1&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n13 July 2018: Original version published \n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Product\":{\"code\":\"SSS9FA\",\"label\":\"IBM Host On-Demand\"},\"Component\":\"GSKit\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"12.0.0;12.0.0.1;12.0.1;12.0.2;12.0.3;13.0.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB35\",\"label\":\"Mainframe SW\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-01T16:04:04", "type": "ibm", "title": "Security Bulletin : Multiple 
vulnerabilities in\u00a0IBM GSKit affect\u00a0IBM Host On-Demand.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-08-01T16:04:04", "id": "BC7F561FAB80D5D0A48021AB45201595C02030C9CECEBEB548DFB50B6376384A", "href": "https://www.ibm.com/support/pages/node/716977", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:43:58", "description": "## Summary\n\nVulnerabilities in IBM GSKit and IBM GSKit-Crypto affect IBM Performance Management products.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Monitoring 8.1.3 \nIBM Advanced Diagnostics 8.1.3 \nIBM Application Performance Management 8.1.3 \nIBM Application Performance Management Advanced 8.1.3 \nIBM Application Performance Management, Base Private 8.1.4 \nIBM Application Performance Management, Advanced Private 8.1.4\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _Remediation_ \n---|---|--- \nIBM Monitoring, IBM Application Diagnostics, IBM Application Performance Management, IBM Application Performance Management Advanced| _8.1.3_| The vulnerabilities can be remediated by applying the following 8.1.3.0-IBM-IPM-SERVER-IF0012 server patch to the system where the Performance Management server is installed: [http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003854](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003854>) \nIBM Cloud Application Performance Management Base Private, IBM Cloud Application Performance Management Advanced Private| _8.1.4_| The vulnerability can be remediated by applying the following 8.1.4.0-IBM-APM-SERVER-IF0004 server patch to the system where the Cloud APM server is installed: 
[http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003783](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003783>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:51:29", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM GSKit and IBM GSKit-Crypto affect IBM Performance Management products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-06-17T15:51:29", "id": "F90FD904FE2AD66DEF4FDDFD5D99DDE1F5E9A79893EE2F3ADB1619E2F648B6FC", "href": "https://www.ibm.com/support/pages/node/570497", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-23T21:39:12", "description": "## Summary\n\nIBM Informix Client SDK has addressed the issues reported for the following GSKIT vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused 
by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected IBM Informix Dynamic Server**| **Affected Versions** \n---|--- \nIBM Informix Client Software Development Kit | 4.10.xC1 through 4.10.xC12 \n \n## Remediation/Fixes\n\nUpgrade to 4.10.xC13\n\n**Product**| **VRMF**| **Remediation / First Fix** \n---|---|--- \nIBM Informix Client Software Development Kit | 4.10.xC13 | [Fix Central](<https://www-945.ibm.com/support/fixcentral>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-07T15:25:06", "type": "ibm", "title": "Security Bulletin: IBM Informix Client SDK is affected by GSKIT vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2020-12-07T15:25:06", "id": "EFC96C84FC6627E09277E1FB61859CD2CA1859DFD91107C5D299A533D68503BF", "href": "https://www.ibm.com/support/pages/node/964993", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:02:38", "description": "## Summary\n\nIBM Algo One Core has addressed the following vulnerabilities: CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1428, CVE-2018-1427, and CVE-2018-1426.\n\n## Vulnerability Details\n\n**Relevant CVE Information:**\n\n**CVEID:** [_CVE-2016-0705_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nIBM Algo One Core 5.0.0, 5.1.0\n\n## Remediation/Fixes\n\n**Product Name**| **iFix Name**| **Remediation/First Fix** \n---|---|--- \nIBM Algo One Core| 510-371| [Fix Central Download](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.1.0.0-Algo-One-AlgoCore-if0371:0&includeSupersedes=0&source=fc&login=true>) \nIBM Algo One Core| 500-403| [Fix Central Download](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-AlgoCore-if0403:0&includeSupersedes=0&source=fc&login=true>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response 
Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSHKAP\",\"label\":\"Algo One\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Algo Core\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"5.1.0;5.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-22T01:40:32", "type": "ibm", "title": "Security Bulletin: Algo One Core is affected by GSKit vulnerabilities.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-06-22T01:40:32", "id": "9872D764206750F6FD9C7F555D6B4C23926B755B4AE368CDD8485546CDEBC462", "href": 
"https://www.ibm.com/support/pages/node/711803", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:02", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Tivoli Storage Manager FastBack. IBM Tivoli Storage Manager FastBack has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. 
An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n\n## Affected Products and Versions\n\nIBM Tivoli Storage Manager FastBack versions 6.1.0.0 through 6.1.12.4 are affected.\n\n## Remediation/Fixes\n\n**_Tivoli Storage Manager FastBack Release_** | **_First Fixing VRM Level_** | **_Platform_** | **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n6.1 | 6.1.12.5 | Windows | [https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Tivoli+Storage+Manager+FastBack&fixids=6.1.12.5-TIV-TSMFB-FP001&source=SAR&function=fixId&parent=ibm/Tivoli](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Tivoli+Storage+Manager+FastBack&fixids=6.1.12.5-TIV-TSMFB-FP001&source=SAR&function=fixId&parent=ibm/Tivoli>) \n\nCustomers on older versions of the product should upgrade to a fixed supported level.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:54", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Tivoli Storage Manager FastBack", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:54", "id": "5641564DE1A4B9249AC0EED2F265EE204961C428F093EC99321D93DA0AA23C3E", "href": "https://www.ibm.com/support/pages/node/569543", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:46:30", "description": "## Summary\n\nIBM Security Access Manager has addressed these vulnerabilities. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**Software releases**\n\n**Affected product** | **Affected Versions** \n---|--- \nIBM Security Access Manager (software) | 7.0-7.0.0.34 \n\n**Appliance releases**\n\n**Affected IBM Security Access Manager Appliance** | **Affected Versions** \n---|--- \nIBM Security Access Manager for Web | 7.0-7.0.0.34 \nIBM Security Access Manager for Web | 8.0-8.0.1.7 \nIBM Security Access Manager for Mobile | 8.0-8.0.1.7 \nIBM Security Access Manager | 9.0.0.0 - 9.0.4.0 \n\n## Remediation/Fixes\n\nThe table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch. \n\n**Product** | **VRMF** | **APAR** | **Remediation** \n---|---|---|--- \nIBM Security Access Manager for Web (software) | 7.0 - 7.0.0.34 (software) | IJ06612 / IJ07064 / IJ07965 | Apply Interim Fix 35: [7.0.0-ISS-SAM-IF0035](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=All&function=all>) \nIBM Security Access Manager for Web (appliance) | 7.0 - 7.0.0.34 (appliance) | IJ06612 / IJ07965 / IJ07064 | Apply Interim Fix 35: [7.0.0-ISS-WGA-IF0035](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=All&function=all>) \nIBM Security Access Manager for Web (appliance) | 8.0 - 8.0.1.7 | IJ06588 / IJ07004 | Upgrade to 8.0.1.8: 
[_8.0.1-ISS-WGA-FP0008_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0.1.3&platform=All&function=all>) \nIBM Security Access Manager for Mobile (appliance) | 8.0 - 8.0.1.7 | IJ06609 / IJ07005 | Upgrade to 8.0.1.8: [_8.0.1-ISS-ISAM-FP0008_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Security+Access+Manager+for+Mobile&release=8.0&platform=Linux&function=all>) \nIBM Security Access Manager (appliance) | 9.0 - 9.0.4.0 | IJ06588 / IJ07004 | Upgrade to 9.0.5.0: [9.0.5-ISS-ISAM-FP0000](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=9.0.0.0&platform=All&function=all>) \n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-24T16:00:01", "type": "ibm", "title": "Security Bulletin: IBM Security Access Manager is affected by multiple vulnerabilities in GSKit", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-10-24T16:00:01", "id": "C7752951E8085C186BF5D89E852FCD41F36C211BD9364B8CA87F6E4FF8AFF924", "href": "https://www.ibm.com/support/pages/node/715277", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:38:57", "description": "## Summary\n\nIBM SPSS Statistics has addressed the following vulnerabilities. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected IBM SPSS Statistics| Affected Versions \n---|--- \nSPSS Statistics| 21.0.0.2 \nSPSS Statistics| 22.0.0.2 \nSPSS Statistics| 23.0.0.3 \nSPSS Statistics| 24.0.0.2 \nSPSS Statistics| 25.0.0.1 \n\n## Remediation/Fixes\n\nProduct| VRMF| APAR| Remediation / First Fix \n---|---|---|--- \nSPSS Statistics| 21.0.0.2| None| Install [_Statistics 21 FP002 IF016_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=21.0.0.2&platform=All&function=fixId&fixids=21.0-IM-S21STAT-ALL-FP002-IF016&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nSPSS Statistics| 22.0.0.2| None| Install [_Statistics 22 FP002 IF017_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=22.0.0.2&platform=All&function=fixId&fixids=22.0-IM-S22STAT-ALL-FP002-IF017&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nSPSS Statistics| 23.0.0.3| None| Install [_Statistics 23 FP003 IF013_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.3&platform=All&function=fixId&fixids=23.0-IM-S23STAT-ALL-FP003-IF013&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nSPSS Statistics| 24.0.0.2| None| Install [_Statistics 24 FP002 
IF010_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=24.0.0.2&platform=All&function=fixId&fixids=24.0-IM-S24STAT-ALL-FP002-IF010&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nSPSS Statistics| 25.0.0.1| None| Install [_Statistics 25 FP001 IF006_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=25.0.0.1&platform=All&function=fixId&fixids=25.0-IM-S25STAT-ALL-FP001-IF006&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-13T14:43:07", "type": "ibm", "title": "Security Bulletin: IBM SPSS Statistics is affected by multiple GSKit vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2020-04-13T14:43:07", "id": 
"470FB53E20DCF01D3FF4FB7251C5868A5D215FF7480131C88B1F5C06E159D01A", "href": "https://www.ibm.com/support/pages/node/569155", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:40:46", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) Client. The IBM Spectrum Protect Client has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following versions of the IBM Spectrum Protect (formerly Tivoli Storage Manager) Client are affected: \n\n * 8.1.0.0 through 8.1.4.0\n * 7.1.0.0 through 7.1.8.1\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect (Tivoli Storage Manager) Client Release_** | **_First Fixing VRM Level_** | **_Platform_** | **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n8.1 | 8.1.4.1 | AIX, Linux, Macintosh, Solaris, Windows | <http://www.ibm.com/support/docview.wss?uid=swg24043653> \n7.1 | 7.1.8.2 | AIX, HP-UX, Linux, Macintosh, Solaris, Windows | <http://www-01.ibm.com/support/docview.wss?uid=swg24043984> <http://www.ibm.com/support/docview.wss?uid=swg24044550> \n\nCustomers using older versions of the product (6.4 and below) should upgrade to a supported fixed version. 
\n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-07T23:00:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) Client", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2019-02-07T23:00:01", "id": "ACB1BEB9F23F8E2951B24CB2F49DBE6E43DA9F3C9311028237E3DCFF917143EE", "href": "https://www.ibm.com/support/pages/node/568221", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:04", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) Server. 
The IBM Spectrum Protect Server has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect the following IBM Spectrum Protect (formerly Tivoli Storage Manager) Server levels: \n\n * 8.1.0.0 through 8.1.4.x\n * 7.1.0.0 through 7.1.8.x\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect (Tivoli Storage Manager) Server Release_**\n\n| **_First Fixing VRM Level_**| **_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n8.1| 8.1.5| AIX \nLinux \nWindows| <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v8r1/> \n7.1| 7.1.9| AIX \nHP-UX \nLinux \nSolaris \nWindows| <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v7r1/> \n \nCustomers using older versions of the product (6.4 and below) should upgrade to a supported fixed version. 
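The CVE-2018-1447 entry above says the key database protects its password with an unsalted hash and that the password must be changed after the fix is applied. The Python below is an added illustration of why both statements hold; it is not IBM or GSKit code and does not reproduce the CMS KDB file format, which this bulletin does not describe. It models a generic password-protected key store with two schemes: the weak unsalted one the bulletin describes (SHA-256 is assumed here as the stand-in digest) and a salted PBKDF2-HMAC-SHA256 replacement from the standard library. The entry names, passwords and attacker wordlist are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from any GSKit key database): three stash
# entries, two of which reuse the same password, and a small attacker wordlist.
SAMPLE_PASSWORDS = {
    'kdb-prod': 'Winter2018!',
    'kdb-test': 'Winter2018!',
    'kdb-dr': 'c0rr3ct-h0rs3-b4tt3ry-st4pl3',
}
WORDLIST = ['password', 'Summer2017!', 'Winter2018!', 'letmein']


def legacy_record(password):
    # Weak scheme modelled on the bulletin: a plain, unsalted digest of the
    # password. Equal passwords give equal digests, and one precomputed table
    # of digests works against every store ever created with this scheme.
    digest = hashlib.sha256(password.encode('utf-8')).hexdigest()
    return {'scheme': 'legacy-unsalted', 'digest': digest}


def salted_record(password, iterations=100_000):
    # Hardened scheme: a random 16-byte salt per entry and a slow KDF.
    # Production stores should use a higher iteration count or a memory-hard
    # KDF such as scrypt; 100k keeps the example quick to run.
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return {'scheme': 'pbkdf2-sha256', 'salt': salt.hex(),
            'iterations': iterations, 'digest': dk.hex()}


def verify(record, password):
    # Constant-time comparison for both schemes so the verifier does not leak
    # how much of the digest matched through timing.
    if record['scheme'] == 'legacy-unsalted':
        candidate = hashlib.sha256(password.encode('utf-8')).hexdigest()
    else:
        candidate = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                                        bytes.fromhex(record['salt']),
                                        record['iterations']).hex()
    return hmac.compare_digest(candidate, record['digest'])


def precomputed_attack(store, wordlist):
    # Attacker's view: hash every word once, then recover any entry whose
    # digest appears in the table. Cost is len(wordlist) hashes regardless of
    # how many stores or entries are attacked. Salted entries never match.
    table = {hashlib.sha256(w.encode('utf-8')).hexdigest(): w for w in wordlist}
    return {name: table[rec['digest']] for name, rec in store.items()
            if rec['digest'] in table}


def entries_needing_rotation(store):
    # Upgrading the library only changes how NEW passwords are stored; records
    # written under the legacy scheme keep their unsalted digest until the
    # password is changed, which is the step the bulletin asks customers to take.
    return sorted(name for name, rec in store.items()
                  if rec['scheme'] == 'legacy-unsalted')


def rotate(store, name, new_password):
    # Re-store one entry under the salted scheme.
    store[name] = salted_record(new_password)
    return store[name]


def build_store(scheme_fn, passwords=SAMPLE_PASSWORDS):
    return {name: scheme_fn(pw) for name, pw in passwords.items()}
```

Against the constructed store, the precomputed table recovers both entries that share 'Winter2018!' with a single hash per wordlist entry, and those two entries carry identical digests, so one leaked digest also identifies every other store using that password. Under the salted scheme the same two passwords produce different digests, the table finds nothing, and each guess has to be run through PBKDF2 separately per entry. `entries_needing_rotation` makes the bulletin's note concrete: after the upgrade a legacy digest stays attackable until the password is rotated.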
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:45", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:45", "id": "96172B0289A3157617DE620C9610D6DE694BCA12DD20D67BEB2C4BE5720F1E6F", "href": "https://www.ibm.com/support/pages/node/568879", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:04", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware. 
IBM Spectrum Protect for Virtual Environments: Data Protection for VMware has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password so that the new password is stored more securely. Products should encourage customers to take this step as a high-priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following versions of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware are affected: \n\n * 8.1.0.0 through 8.1.4.0\n * 7.1.0.0 through 7.1.8.0\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect (Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware Release_**\n\n| **_First Fixing VRM Level_**| **_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n8.1| 8.1.4.1| Linux \nWindows| <http://www.ibm.com/support/docview.wss?uid=swg24044643> \n7.1| 7.1.8.1| Linux \nWindows| You can either upgrade to Data Protection for VMware 7.1.8.1 or apply the IBM Spectrum Protect 7.1.8.2 client fix. \nLink for Data Protection for VMware 7.1.8.1: \n<http://www.ibm.com/support/docview.wss?uid=swg24044553> \nLink for IBM Spectrum Protect 7.1.8.2 client fix: \n<http://www.ibm.com/support/docview.wss?uid=swg24044550> \n \nCustomers using older versions of the product (6.4 and below) should upgrade to a supported fixed version. 
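CVE-2018-1426, listed above for each product in this set of bulletins, describes a PRNG whose state is carried into the child on fork(), so parent and child go on to emit the same values. The Python below is an added demonstration of that failure and of the usual fix; it is not GSKit or ICC code, and the toy HMAC-counter generator stands in for the real DRBG only to make the copied state visible. It assumes a POSIX system with os.fork() and uses os.urandom() as the kernel entropy source.

```python
import hashlib
import hmac
import os


class CounterDRBG:
    # Toy deterministic generator: HMAC-SHA256 over an incrementing counter
    # under a key seeded from the kernel. It stands in for the ICC DRBG; the
    # defect shown is the handling of state across fork(), not the algorithm.
    def __init__(self):
        self.reseed()

    def reseed(self):
        self._key = os.urandom(32)   # fresh entropy from the kernel
        self._counter = 0
        self._pid = os.getpid()      # remembered so a fork can be detected

    def next_bytes(self, n=16):
        self._counter += 1
        msg = self._counter.to_bytes(8, 'big')
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:n]


class ForkSafeDRBG(CounterDRBG):
    # The fix: a forked child holds a byte-for-byte copy of the parent's key
    # and counter. If the PID differs from the one recorded at seeding time,
    # reseed from the kernel before producing any output. Libraries usually
    # hook this with pthread_atfork() / os.register_at_fork() rather than a
    # PID compare on every call; the effect is the same.
    def next_bytes(self, n=16):
        if os.getpid() != self._pid:
            self.reseed()
        return super().next_bytes(n)


def session_ids_after_fork(drbg, count=3, id_len=16):
    # Seed in the parent, fork, then draw `count` session IDs in each process.
    # The child ships its IDs back over a pipe and exits without returning to
    # the caller. Returns (parent_ids, child_ids) as lists of hex strings.
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:
        try:
            os.close(read_fd)
            child_out = b''.join(drbg.next_bytes(id_len) for _ in range(count))
            with os.fdopen(write_fd, 'wb') as pipe_w:
                pipe_w.write(child_out)
        finally:
            os._exit(0)
    os.close(write_fd)
    with os.fdopen(read_fd, 'rb') as pipe_r:
        child_raw = pipe_r.read()
    os.waitpid(pid, 0)
    parent_ids = [drbg.next_bytes(id_len).hex() for _ in range(count)]
    child_ids = [child_raw[i * id_len:(i + 1) * id_len].hex() for i in range(count)]
    return parent_ids, child_ids


def duplicates_across_fork(drbg_cls, count=3):
    # Session IDs that appeared in BOTH parent and child. A sound generator
    # yields an empty list; one with the CVE-2018-1426 behaviour yields every
    # ID, because both processes replay the same key and counter sequence.
    parent_ids, child_ids = session_ids_after_fork(drbg_cls(), count)
    return sorted(set(parent_ids) & set(child_ids))
```

With `CounterDRBG` every session ID the child produces is also produced by the parent, which is exactly the duplicate-session-ID outcome the bulletin warns about, and the same would hold for any key material derived from the generator. `ForkSafeDRBG` reseeds on first use in the child and the two sequences share nothing. Reseeding must happen before the first output, not after a fixed interval, since the first post-fork value is the one most likely to become a session identifier or nonce.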
\n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:44", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:44", "id": "F1D303774ACA9A5AD0E510C3DF5F1397009E7D6FD2FDAFAC4642501D873381FE", "href": "https://www.ibm.com/support/pages/node/568853", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:04", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V. 
IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password so that the new password is stored more securely. Products should encourage customers to take this step as a high-priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following versions of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V are affected: \n\n * 8.1.0.0 through 8.1.4.0\n * 7.1.0.0 through 7.1.8.0\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect (Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V Release_**\n\n| **_First Fixing VRM Level_**| **_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n8.1| 8.1.4.2| Windows| <http://www.ibm.com/support/docview.wss?uid=swg24044927> \n7.1| | Windows| Install the IBM Spectrum Protect Client 7.1.8.2 fix or higher using the following link: \n<http://www.ibm.com/support/docview.wss?uid=swg24044550> \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:48", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:48", "id": "F590F9B8CCE606C3A8B1868747618F53738AF0A967C71C872865E6F97E3E2A42", "href": "https://www.ibm.com/support/pages/node/569233", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:03", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager for Workstations). IBM Spectrum Protect for Workstations has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. 
Note: After the update, the customer should change the password so that the new password is stored more securely. Products should encourage customers to take this step as a high-priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). 
An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following versions of IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager FastBack for Workstations) are affected: \n\n * 8.1.0.0 through 8.1.2.0\n * 7.1.0.0 through 7.1.8.1\n\n## Remediation/Fixes\n\n**IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager FastBack for Workstations) Release**\n\n| **First Fixing VRMF level**| **Platform**| **Link to Fix** \n---|---|---|--- \n8.1| 8.1.2.1| Windows \nx64 \n \n \nWindows \nx64 \nStarter \nEdition| [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FStorageSoftware%2FIBM+Spectrum+Protect+for+Workstations&fixids=8.1.2.1-SP4WKSTNS-x64_windows&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FStorageSoftware%2FIBM+Spectrum+Protect+for+Workstations&fixids=8.1.2.1-SP4WKSTNS-x64_windows&source=SAR>) \n \n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FStorageSoftware%2FIBM+Spectrum+Protect+for+Workstations&fixids=8.1.2.1-SP4WKSTNS-SE-x64_windows&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FStorageSoftware%2FIBM+Spectrum+Protect+for+Workstations&fixids=8.1.2.1-SP4WKSTNS-SE-x64_windows&source=SAR>) \n \n7.1| 7.1.8.2| Windows \nx64 \n \n \nWindows \nx64 \nStarter \nEdition| [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-x64_windows-FP0002&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-x64_windows-FP0002&source=SAR>) \n 
\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-SE-x64_windows-FP0002&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-SE-x64_windows-FP0002&source=SAR>) \n7.1| 7.1.8.2| Windows \nx32 \n \n \nWindows \nx32 \nStarter \nEdition| [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-x86_windows-FP0002&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-x86_windows-FP0002&source=SAR>) \n \n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-SE-x86_windows-FP0002&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-SE-x86_windows-FP0002&source=SAR>) \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:47", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager FastBack for Workstations)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:47", "id": "88D4396F5AFD082566BDD5FF95312101BB6F94623E716D993F113380B02DC7D4", "href": "https://www.ibm.com/support/pages/node/569089", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:41:30", "description": "## Summary\n\nDb2 is affected by multiple vulnerabilities in the GSKit library.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAll fix pack levels of IBM Db2 V9.7, V10.1, V10.5, and V11.1 editions on all platforms are affected.\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the appropriate fix for this vulnerability. \n \n**FIX:** \n \nThe fix for DB2 V11.1 is in V11.1.3 FP3, available for download from [Fix Central](<https://www-01.ibm.com/support/docview.wss?uid=swg24044630>). \n \nCustomers running any vulnerable fixpack level of an affected Program, V9.7, V10.1, and V10.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: DB2 V9.7 FP11, V10.1 FP6, and V10.5 FP9. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. 
\n\n\n**Release** | **Fixed in fix pack** | **APAR** | **Download URL** \n---|---|---|--- \nV9.7 | TBD | [IT24060](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT24060>) | Special Build for V9.7 FP11: \n\n[AIX 64-bit](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-aix64-universal_fixpack-9.7.0.11-FP011%3A342430609765551296&includeSupersedes=0>) \n[HP-UX 64-bit](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-hpipf64-universal_fixpack-9.7.0.11-FP011%3A647468550017045760&includeSupersedes=0>) \n[Linux 32-bit, x86-32](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-linuxia32-universal_fixpack-9.7.0.11-FP011%3A100802993476380880&includeSupersedes=0>) \n[Linux 64-bit, x86-64 ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-linuxx64-universal_fixpack-9.7.0.11-FP011%3A846014147085173504&includeSupersedes=0>) \n[Linux 64-bit, POWER\u2122 big endian](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-linuxppc64-universal_fixpack-9.7.0.11-FP011%3A210757668673804416&includeSupersedes=0>) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or 
zSeries\u00ae](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-linux390x64-universal_fixpack-9.7.0.11-FP011%3A776704555879687168&includeSupersedes=0>) \n[Solaris 64-bit, SPARC](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-sun64-universal_fixpack-9.7.0.11-FP011%3A266307692735048160&includeSupersedes=0>) \n[Solaris 64-bit, x86-64 ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-sunamd64-universal_fixpack-9.7.0.11-FP011%3A962344119922453248&includeSupersedes=0>) \n[Windows 32-bit, x86](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-nt32-universal_fixpack-9.7.1100.352-FP011%3A963026636921819392&includeSupersedes=0>) \n[Windows 64-bit, x86](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-ntx64-universal_fixpack-9.7.1100.352-FP011%3A752185724875373440&includeSupersedes=0>) \n \nV10.1 | TBD | [IT24061](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT24061>) | Special Build for V10.1 FP6: \n\n[AIX 64-bit](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-aix64-universal_fixpack-10.1.0.6-FP006%3A443466106958785728&includeSupersedes=0>) \n[HP-UX 
64-bit](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-hpipf64-universal_fixpack-10.1.0.6-FP006%3A250032157453062944&includeSupersedes=0>) \n[Linux 32-bit, x86-32](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-linuxia32-universal_fixpack-10.1.0.6-FP006%3A256262794475707328&includeSupersedes=0>) \n[Linux 64-bit, x86-64 ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-linuxx64-universal_fixpack-10.1.0.6-FP006%3A135750620039121520&includeSupersedes=0>) \n[Linux 64-bit, POWER\u2122 big endian](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-linuxppc64-universal_fixpack-10.1.0.6-FP006%3A459172922007315328&includeSupersedes=0>) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-linux390x64-universal_fixpack-10.1.0.6-FP006%3A612113355309593216&includeSupersedes=0>) \n[Solaris 64-bit, SPARC](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-sun64-universal_fixpack-10.1.0.6-FP006%3A638512873974999424&includeSupersedes=0>) \n[Solaris 64-bit, x86-64 
](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-sunamd64-universal_fixpack-10.1.0.6-FP006%3A424428187597334144&includeSupersedes=0>) \n[Windows 32-bit, x86](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-nt32-universal_fixpack-10.1.600.580-FP006%3A279857245880667744&includeSupersedes=0>) \n[Windows 64-bit, x86](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-ntx64-universal_fixpack-10.1.600.580-FP006%3A160886734969399104&includeSupersedes=0>) \n \nV10.5 | FP10 | [IT24058](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT24058>) | <https://www-01.ibm.com/support/docview.wss?uid=swg24045012> \nV11.1.3 | FP3 | [IT24059](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT24059>) | <https://www-01.ibm.com/support/docview.wss?uid=swg24044630> \n \n \n_For customers running IBM data __server client and driver types_ \n \nUpgrading of GSKit is required if either of the following applies to you:\n\n * IBM data server client and driver types for V9.7, V10.1 level and any V10.5 level before fixpack 5.\n * IBM data server client and driver types for V10.5 fixpack 5 or later and have additionally installed GSKit.\n * Where to obtain the GSKit depends on the DB2 release and platform:\n\n * IBM data server client and driver types V10.5 fix pack 5 on Inspur or Linux 64-bit POWER\u2122 little endian on Power System, please contact customer support to obtain the \"IBM DB2 Support Files for SSL Functionality\".\n * IBM data server client and driver types V9.7, V10.1 level and any V10.5 level before fixpack 5: \n * _Client and the 
server are on the same physical computer_: For the Windows platform, you do not need to upgrade the GSKit as GSKit is automatically installed with the DB2 server image. For all other platforms, you will need to download \"IBM DB2 Support Files for SSL Functionality\" from IBM Passport Advantage\u00ae.\n * _Client and the server are on different computers_: For all platforms, download \"IBM DB2 Support Files for SSL Functionality\" from IBM Passport Advantage\u00ae and perform the GSKit upgrade.\n * Refer to the following chart for the proper version of GSKit.\n\n**Release** | **GSKit Version** \n---|--- \nV9.7 | V8.0.50.86 \nV10.1 | V8.0.50.86 \nV10.5 | V8.0.50.86 \nV11.1 | V8.0.50.86 \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-11T19:03:44", "type": "ibm", "title": "Security Bulletin: IBM\u00ae Db2\u00ae is affected by multiple vulnerabilities in the GSKit library", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", 
"CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-07-11T19:03:44", "id": "3D737E91C4B3785D05EA6B518DF81A98A3D897F7446C9E2969F3A9E22A7F3BF4", "href": "https://www.ibm.com/support/pages/node/304801", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T17:52:54", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix. IBM Spectrum Protect Snapshot for Unix has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) components and levels are affected: \n\n\n * IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix and Linux\n * IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for DB2\n * IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Oracle\n * IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Oracle with SAP environments\n * IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Custom Applications \n * The above components are affected at these levels: \n \n\n\n * 8.1.0.0 through 8.1.4.0 \n * 4.1.0.0 through 4.1.6.1 (AIX and Linux)\n * 4.1.0.0 through 4.1.1.5 (HP_UX and Solaris)\n \n \n\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix Release_**\n\n| **_First Fixing VRMF Level_**| **_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n8.1| 8.1.4.1| AIX \nLinux| <http://www.ibm.com/support/docview.wss?uid=swg24044634> \n4.1| 4.1.6.2| AIX \nLinux| [](<http://www.ibm.com/support/docview.wss?uid=swg24043441>)<http://www.ibm.com/support/docview.wss?uid=swg24044570> \n4.1| 4.1.1.6| HP-UX \nSolaris| [](<http://www.ibm.com/support/docview.wss?uid=swg24043442>)<http://www.ibm.com/support/docview.wss?uid=swg24044564> \n \nCustomers using older versions of the product (3.2 and below) should upgrade to a supported fixed version. 
\n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-01T11:19:59", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2022-02-01T11:19:59", "id": "E8A312ECF86D6A1C6D9722B8D51FDE987A400AF0C6568E0E843C6327878D3511", "href": "https://www.ibm.com/support/pages/node/568873", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T17:52:54", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware. 
IBM Spectrum Protect Snapshot for VMware has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following levels of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware are affected: \n\n\n * 4.1.0.0 through 4.1.6.3 \n\n \n\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware Release _**\n\n| **_First Fixing VRMF Level_**| **_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n4.1| 4.1.6.4| Linux| <http://www.ibm.com/support/docview.wss?uid=swg24044554> \n \nCustomers using older versions of the product (3.2 and below) should upgrade to a supported fixed version. \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-01T11:19:59", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2022-02-01T11:19:59", "id": "308A05F5B1028A741D58EC30AC13C7A0A2B660380B87E8811177772F0014DA1B", "href": "https://www.ibm.com/support/pages/node/568861", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:51:18", "description": "## Summary\n\nVulnerabilities in GSKit and GSKit-Crypto were addressed by IBM InfoSphere Information Server.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. \nConsider changing your passwords to ensure that the new passwords are stored more securely. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nThe following products, running on all supported platforms, are affected: \nIBM InfoSphere Information Server: versions 9.1, 11.3, 11.5, and 11.7 \nIBM InfoSphere Information Server on Cloud: versions 11.5, and 11.7\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud| 11.7| [_JR59097_](<http://www.ibm.com/support/docview.wss?uid=swg1JR59097>)| \\--New installations of IBM InfoSphere Information Server version 11.7.0.1 (and later) are not vulnerable \n\\--If IBM InfoSphere Information Server version 11.7.0.0 or earlier was installed, apply Information Server Framework [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113-11701_JR59097_ISF_services_engine*>) \n\\--Consider changing your passwords to ensure that the new passwords are stored more securely. \nInfoSphere Information Server, Information Server on Cloud| 11.5| [_JR59097_](<http://www.ibm.com/support/docview.wss?uid=swg1JR59097>)| \\--Apply IBM InfoSphere Information Server version [_11.5.0.2_](<http://www.ibm.com/support/docview.wss?uid=swg24043666>) \n\\--Apply Information Server Framework [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113-11701_JR59097_ISF_services_engine*>) \n\\--Consider changing your passwords to ensure that the new passwords are stored more securely. 
\nInfoSphere Information Server| 11.3| [_JR59097_](<http://www.ibm.com/support/docview.wss?uid=swg1JR59097>)| \\--Apply IBM InfoSphere Information Server version [_11.3.1.2_](<http://www-01.ibm.com/support/docview.wss?uid=swg24040138>) \n\\--Apply Information Server Framework [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113-11701_JR59097_ISF_services_engine*>) \n\\--Consider changing your passwords to ensure that the new passwords are stored more securely. \nInfoSphere Information Server| 9.1| [_JR59097_](<http://www.ibm.com/support/docview.wss?uid=swg1JR59097>)| \\--Upgrade to a new release \n \n \nFor IBM InfoSphere Information Server version 9.1, IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n \n**Contact Technical Support:**\n\nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [_contacts for other countries_](<http://www.ibm.com/planetwide/>) outside of the United States. 
\nElectronically [_open a Service Request_](<http://www.ibm.com/software/support/probsub.html>) with Information Server Technical Support.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-22T01:53:09", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit and GSKit-Crypto affect IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-22T01:53:09", "id": "3DF4EFFCBD4398CD9D2C6995C59DEC9020B7665B1A75D2B23F0CFA94C34BBB8A", "href": "https://www.ibm.com/support/pages/node/711793", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:41:26", "description": "## Summary\n\nGSKit is used by IBM Workload Manager and is vulnerable to some OpenSSL vulnerabilities. 
IBM Workload Manager has addressed the applicable CVEs using an updated version of GSKit libraries.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nTWS uses GSKit only for secure communication between internal processes. \nFor Tivoli Workload Scheduler Distributed, TWS nodes are impacted by these security exposures only if the TWS workstation has been defined with \u201csecuritylevel\u201d set to on or enabled or force and GSKit has been explicitly enabled. \nFurthermore, the vulnerability applies to Dynamic Agents or zCentric agents too. \nThe security exposures apply to the following versions: \nTivoli Workload Scheduler Distributed 8.6.0 FP04 and earlier \nTivoli Workload Scheduler Distributed 9.1.0 FP02 and earlier \nTivoli Workload Scheduler Distributed 9.2.0 FP02 and earlier \nIBM Workload Scheduler Distributed 9.3.0 FP03 and earlier \nIBM Workload Scheduler Distributed 9.4.0 FP03 and earlier\n\n## Remediation/Fixes\n\nAPAR IJ06473 has been opened to address the GSKit vulnerabilities for IBM Workload Scheduler. 
\nThe following limited availability fixes for IJ06473 are available for download on FixCentral \n8.6.0-TIV-TWS-FP0004-IJ06473 \nto be applied on top of Tivoli Workload Scheduler Distributed 8.6.0 FP04 \n9.1.0-TIV-TWS-FP0002-IJ06473 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.1.0 FP02 \n9.2.0-TIV-TWS-FP0002-IJ06473 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.2.0 FP02 \n9.3.0-TIV-TWS-FP0003-IJ06473 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.3.0 FP03 \n9.4.0-TIV-TWS-FP0003-IJ06473 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.4.0 FP03 \n \nFor Unsupported releases IBM recommends upgrading to a fixed, supported release of the product.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-19T15:00:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in GSKit affect IBM Workload Scheduler", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", 
"CVE-2018-1428"], "modified": "2020-06-19T15:00:50", "id": "7C371350C79C6F7596054D8B19A4BAAD069A8ADE699FB847B44E70E03F3D6988", "href": "https://www.ibm.com/support/pages/node/717133", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:43:31", "description": "## Summary\n\nIBM HTTP Server is used by IBM Netezza Performance Portal. IBM Netezza Performance Portal has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID: **[CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION: **The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. 
Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Netezza Performance Portal 1.0-2.1.1.7\n\n## Remediation/Fixes\n\nTo resolve the above reported CVE for IBM HTTP Server on Netezza Performance Portal, update to the following IBM Netezza Performance Portal release:\n\nProduct\n\n| VRMF | Remediation / First Fix \n---|---|--- \nIBM Netezza Performance Portal | 2.1.1.8 | _[Link to Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FNetezza+Applications&release=PERFPORTAL_2.1&platform=All&function=fixId&fixids=2.1.1.8-IM-Netezza-PERFPORTAL-fp122059>)_ \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-10-18T03:36:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affects Netezza Performance Portal", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2019-10-18T03:36:34", "id": "06FAF3AD79C8BAC8455C602C3F4C354C0CD9450DE060FB4D831ED000993782B4", "href": "https://www.ibm.com/support/pages/node/718249", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T21:47:15", "description": "## Summary\n\nThere are multiple security vulnerabilities in the GSKit used by Edge Caching proxy of WebSphere Application Server. \nThis is a separate install from WebSphere Application Server. You only need to apply this if you use the Edge Caching Proxy. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) contains several environment variables that a local attacker could overflow and cause a denial of service. IBM X-Force ID: 139072. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. IBM X-Force ID: 139071. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect the Edge Caching Proxy (separate install) shipped with the following versions and releases of IBM WebSphere Application Server:\n\n * Version 9.0\n * Version 8.5\n * Version 8.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. 
\n \n**_Fix:_** \nApply an Interim Fix, Fix Pack or PTF containing APAR PH00635 if you use the Edge Caching Proxy component (separate install from WebSphere Application Server) as noted below: \n \n**For IBM WebSphere Application Server** \n**For V9.0.0.0 through 9.0.0.8:**\n\n * Upgrade to 9.0.0.7 or 9.0.0.8 fix pack level then apply Interim Fix [9.0.8-WS-EDGECP-FP00000081.zip](<http://download4.boulder.ibm.com/sar/CMA/WSA/07v6h/2/9.0.8-WS-EDGECP-FP00000081.zip>)\n\n\\-- OR\n\n * Apply Fix Pack 9 (9.0.0.9), or later.\n\n**For V8.5.0.0 through 8.5.5.14:**\n\n * Upgrade to 8.5.5.13 or 8.5.5.14 fix pack level and then apply Interim Fix [8.5.5-WS-EDGECP-FP000000141.zip](<http://download4.boulder.ibm.com/sar/CMA/WSA/07v6i/1/8.5.5-WS-EDGECP-FP000000141.zip>)\n\n\\-- OR\n\n * Apply Fix Pack 15 (8.5.5.15), or later (targeted availability 1Q2019).\n\n**For V8.0.0.0 through 8.0.0.15:**\n\n * Upgrade to 8.0.0.15 fix pack level and then apply Interim Fix [8.0.0-WS-EDGECP-FP000000151.zip](<http://download4.boulder.ibm.com/sar/CMA/WSA/07v6j/2/8.0.0-WS-EDGECP-FP000000151.zip>)\n\n_WebSphere Application Server V8 is no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. 
_\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-01T20:10:01", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities in GSKit used by Edge Caching proxy of WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2018-10-01T20:10:01", "id": "DA52C8AAC8E49FE83875D8FD83693222E58D6D178EBC1C00B564B8EB59727C9C", "href": "https://www.ibm.com/support/pages/node/732391", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:02", "description": "## Summary\n\nThe following security issues have been identified in the GSKit component included as part of the IBM Tivoli Monitoring product.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1388](<https://vulners.com/cve/CVE-2018-1388>)** \nDESCRIPTION:** GSKit V7 may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding. 
\nCVSS Base Score: 9.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138212> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) \n\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n \n \n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n \n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Tivoli Monitoring versions 6.3.0 through 6.3.0 FP7 all CVE's above except for CVE-2018-1388 \n\nIBM Tivoli Monitoring versions 6.2.3 through 6.2.3 FP5 all CVE's above except for CVE-2016-0702\n\n## Remediation/Fixes\n\n**All ITM distributed components (GSKIT/Basic Services)**\n\n \nThe patches upgrade the GSKit version to the level listed below: \n \n\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**Upgraded GSKit Version**\n\n| **Remediation / First Fix** \n---|---|---|--- \nIBM Tivoli Monitoring| 6.2.3 any Fix Pack Level| 7.0.5.15| <http://www.ibm.com/support/docview.wss?uid=swg24044748> \nIBM Tivoli Monitoring| 6.3.0 Fix Pack 2 to Fix Pack 7| 8.0.50.88 \n \n \nIBM Tivoli Monitoring components and agents built for 6.2.3 are shipped with GSKit version 7 \nIBM Tivoli Monitoring components and agents built for 6.3.0 are shipped with GSKit version 8 \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:54", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affect the GSKit component of IBM Tivoli Monitoring", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1388", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:54", "id": "DDBD4BDAEE1412B8C8199BA8BCDE15F2A42D1C2982D2BFF3B062BFCD642CDD23", "href": "https://www.ibm.com/support/pages/node/569421", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-22T01:47:34", "description": "## Summary\n\nThe following security issues have been identified in the GSKit component included as part of the IBM Tivoli Monitoring product.\n\n## Vulnerability Details\n\nCVEID: [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \nDESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. 
Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2018-1388](<https://vulners.com/cve/CVE-2018-1388>) \nDESCRIPTION: GSKit V7 may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding. \nCVSS Base Score: 9.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138212> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\nCVEID: [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \nDESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\nCVEID: [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \nDESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\nCVEID: [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \nDESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\nCVEID: [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \nDESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \nDESCRIPTION: IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \nDESCRIPTION: IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nCVEID: [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \nDESCRIPTION: IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nIBM Operations Analytics - Log Analysis version 1.3.1, 1.3.2, 1.3.3, 1.3.3.1 and 1.3.5\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s) | Fix details \n---|--- \nIBM Operations Analytics - Log Analysis version 1.3.1, 1.3.2, 1.3.3, 1.3.3.1 and 1.3.5 | [Security Bulletin: Multiple vulnerabilities affect the GSKit component of IBM Tivoli Monitoring](<https://www-01.ibm.com/support/docview.wss?uid=swg22015424>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-26T07:50:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affect the GSKit component of IBM Tivoli Monitoring shipped with IBM Operations Analytics - Log Analysis", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1388", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-12-26T07:50:01", "id": "73AC0A21A1C1C6C3987AD6559B838B31C02E7FC2112C00D32E18ABA3B130AC8F", "href": "https://www.ibm.com/support/pages/node/792541", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:41:19", "description": "## Summary\n\nIBM BigInsights is affected by multiple vulnerabilities in IBM Db2. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1448_](<https://vulners.com/cve/CVE-2018-1448>) \n**DESCRIPTION:** IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/140043_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140043>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM BigInsights: 4.2, 4.2.5\n\n## Remediation/Fixes\n\nBigInsights 4.2: Fixes are available in a downloadable image here: [https://www.ibm.com/support/entdocview.wss?uid=swg24044682](<https://www-01.ibm.com/support/entdocview.wss?uid=swg24044682>) \nBigInsights 4.2.5: Fixes are available in a downloadable image here: [https://www.ibm.com/support/entdocview.wss?uid=swg24044646](<https://www-01.ibm.com/support/entdocview.wss?uid=swg24044646>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-18T23:34:36", "type": "ibm", "title": "Security Bulletin: IBM BigInsights is affected by multiple vulnerabilities in IBM Db2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", 
"CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447", "CVE-2018-1448"], "modified": "2020-07-18T23:34:36", "id": "7BD03C97D3450FEAE4EB4F8F33140691B9F85B4915C83AFD5212FE881A12ADDA", "href": "https://www.ibm.com/support/pages/node/735117", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T01:33:47", "description": "## Summary\n\nIBM Security SiteProtector System has addressed the following vulnerabilities in GSKit. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected IBM Security SiteProtector System | Affected Versions \n---|--- \nIBM Security SiteProtector System | 3.0.0 \nIBM Security SiteProtector System | 3.1.1 \n \n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation/First Fix_ \n---|---|--- \nIBM Security SiteProtector System | 3.1.1.16 | \n\nApply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:\n\nServicePack3_1_1_16.xpu \nAgentManager_WINNT_XXX_ST_3_1_1_52.xpu \nRSEvntCol_WINNT_XXX_ST_3_1_1_10.xpu \nDB_SP_3_1_1_65.xpu \nUpdateServer_3_1_1_11.pkg \nMU_3_1_1_8.xpu \nManualUpgrader_3_1_1_8.exe \nCertificateManagerTools_3_1_1_6.exe \nEventArchiver_3_1_1_7.pkg \nEventArchiverImporter_3_1_1_7.exe \nConsole-Setup.exe \n \nIBM Security SiteProtector System | 3.0.0.19 | \n\nApply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:\n\nServicePack3_0_0_19.xpu \nAgentManager_WINNT_XXX_ST_3_0_0_83.xpu \nRSEvntCol_WINNT_XXX_ST_3_0_0_16.xpu \nDB_SP_3_0_0_82.xpu \nUpdateServer_3_1_1_11.pkg \nMU_3_1_1_8.xpu 
\nManualUpgrader_3_1_1_8.exe \nCertificateManagerTools_3_1_1_6.exe \nEventArchiver_3_1_1_7.pkg \nEventArchiverImporter_3_1_1_7.exe \nConsole-Setup.exe \n \nAlternatively, the packages can be manually obtained from the IBM Security License Key and Download Center using the following URL: \n \n<https://ibmss.flexnetoperations.com/service/ibms/login>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-07-19T08:30:38", "type": "ibm", "title": "Security Bulletin: IBM Security SiteProtector System is affected by GSKit vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-07-19T08:30:38", "id": "23BA9E1A95485FDA5113C5A985FFBA48AD2E78665BA734F9E465CCC361105BD6", "href": "https://www.ibm.com/support/pages/node/713561", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T01:41:38", "description": "## Summary\n\nVulnerabilities have been addressed in the GSKit component of IBM Rational ClearCase.\n\n## Vulnerability 
Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**ClearCase Windows CMI/OSLC client** | **Status** \n---|--- \n8.0 through 8.0.0.21; 8.0.1 through 8.0.1.16; 9.0 through 9.0.0.6; 9.0.1 through 9.0.1.2 | Affected \n \n \n**CMI and OSLC integrations:** \nWindows clients only, of the indicated releases. \n\n\nThe IBM GSKit is used if ClearCase on Windows platforms is configured to integrate with a change management system with communication over SSL (https). This applies to any integration using Change Management Interface (CMI), and to non-CMI based UCM-enabled CQ integration via OSLC. If your ClearCase deployment is not using these integrations, or not using SSL with the integrations, then your deployment is not affected by this portion of the vulnerability. 
\n \nThe UCM-enabled CQ integration without using OSLC (SQUID) is not affected by this vulnerability.\n\n**CCRC WAN server release** | **Status** \n---|--- \n8.0 through 8.0.0.21; 8.0.1 through 8.0.1.16; 9.0 through 9.0.0.6; 9.0.1 through 9.0.1.2 | Affected \n \n \n**CCRC WAN Server:** \nAll platforms of the indicated releases. \n\n## Remediation/Fixes\n\n**Note:** After applying the fixes as noted below, please refer to this document [_http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html_](<http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html>) for information concerning password re-stashing. It is advised that you re-stash your password due to CVE-2018-1447 after you apply the fixes. \n \nThe solution is to upgrade to a newer fix pack or release of ClearCase, and to apply fixes for IBM HTTP Server (IHS). \n \n**CMI and OSLC integrations on Windows clients:** \nThe solution is to install a newer, fixed version of the GSKit runtime component. \n \n\n\n**Affected Versions** | **Applying the fix** \n---|--- \n9.0.1 through 9.0.1.2; 9.0 through 9.0.0.6 | Install [Rational ClearCase Fix Pack 3 (9.0.1.3) for 9.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044201>) \n8.0.1 through 8.0.1.16; 8.0 through 8.0.0.21 | Install [Rational ClearCase Fix Pack 17 (8.0.1.17) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044199>) \n \n**CCRC WAN Server:** \nApply an IHS fix for the issue: \n\n 1. Determine the IHS version used by your CCRC WAN server. Navigate to the IBM HTTP Server installation directory (typically `/opt/ibm/HTTPServer` or `C:\\Program Files (x86)\\IBM\\HTTPServer`), then execute the script: `bin/versionInfo.sh` (UNIX) or `bin\\versionInfo.bat` (Windows). The output includes a section \"IBM HTTP Server for WebSphere Application Server\". Make note of the version listed in this section.\n 2. 
Review the following IHS security bulletin for the available fixes: **_ _**[Security Bulletin: Multiple vulnerabilities GSKit bundled with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>). **Note: **there may be newer security fixes for IBM HTTP Server. Follow the link below (in the section \"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in GSKit shipped with IBM Rational ClearCase", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2018-07-10T08:34:12", "id": "BFFC97D9B867396253756A09ED28B13F581A2B14A0637B4684951D9BD6071488", "href": "https://www.ibm.com/support/pages/node/303325", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:48:08", "description": "## Summary\n\nDB2 contains several vulnerabilities which can affect the IBM Performance Management product. 
Some of the information about security vulnerabilities affecting DB2 has been published in security bulletins.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-1571](<https://vulners.com/cve/CVE-2017-1571>) \n**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 131853. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-1677](<https://vulners.com/cve/CVE-2017-1677>) \n**DESCRIPTION:** IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on the classpath. IBM X-Force ID: 133999. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133999> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2018-1448](<https://vulners.com/cve/CVE-2018-1448>) \n**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. IBM X-Force ID: 140043. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140043> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nDetails of these vulnerabilities are published in the following security bulletins: \n[Security: IBM Db2 is affected by multiple vulnerabilities in the GSKit library (CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1428, CVE-2018-1427, CVE-2018-1426)](<http://www-01.ibm.com/support/docview.wss?uid=swg22013756>) \n[Security: IBM Db2 vulnerability allows local user to overwrite Db2 files (CVE-2018-1448)](<http://www-01.ibm.com/support/docview.wss?uid=swg22014388>) \n[Security: IBM Db2 performs unsafe deserialization in DB2 JDBC driver (CVE-2017-1677)](<http://www-01.ibm.com/support/docview.wss?uid=swg22012896>) \n[Security: Under specific circumstances IBM Db2 installation creates users with a weak password hashing algorithm (CVE-2017-1571).](<http://www-01.ibm.com/support/docview.wss?uid=swg22012948>) \n\n\n## Affected Products and Versions\n\nIBM Monitoring 8.1.3 \nIBM Application Diagnostics 8.1.3 \nIBM Application Performance Management 8.1.3 \nIBM Application Performance Management Advanced 8.1.3 \nIBM Cloud Application Performance Management, Base Private 8.1.4 \nIBM Cloud Application Performance Management, Advanced Private 8.1.4\n\n## Remediation/Fixes\n\nProduct | Product VRMF | Remediation \n---|---|--- \n \nIBM Cloud Application Performance Management Base Private\n\nIBM Cloud Application Performance Management Advanced Private\n\n| 8.1.4 | \n\nThe vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V10.5, or V11.1 server. 
The fixes can be accessed from the following security bulletins:\n\n[Security: IBM Db2 is affected by multiple vulnerabilities in the GSKit library (CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1428, CVE-2018-1427, CVE-2018-1426)](<http://www-01.ibm.com/support/docview.wss?uid=swg22013756>)\n\n[Security: IBM Db2 vulnerability allows local user to overwrite Db2 files (CVE-2018-1448)](<http://www-01.ibm.com/support/docview.wss?uid=swg22014388>)\n\n[Security: IBM Db2 performs unsafe deserialization in DB2 JDBC driver (CVE-2017-1677)](<http://www-01.ibm.com/support/docview.wss?uid=swg22012896>)\n\n[Security: Under specific circumstances IBM Db2 installation creates users with a weak password hashing algorithm (CVE-2017-1571)](<http://www-01.ibm.com/support/docview.wss?uid=swg22012948>)\n\nTo use your updated DB2 V10.5, or V11.1 server with your IBM Cloud Application Performance Management product, apply the 8.1.4.0-IBM-APM-SERVER-IF0004 or later server patch to the system where the Cloud APM server is installed. Interim fixes for the Cloud APM server version 8.1.4 are available to download from IBM Fix Central at this link: \n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.4.0&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.4.0&platform=All&function=all>) \n \n \nIBM Monitoring \n\nIBM Application Diagnostics\n\nIBM Application Performance Management\n\nIBM Application Performance Management Advanced\n\n| 8.1.3 | \n\nThe vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V10.5 server. 
The fixes can be accessed from the following security bulletins:\n\n[Security: IBM Db2 is affected by multiple vulnerabilities in the GSKit library (CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1428, CVE-2018-1427, CVE-2018-1426)](<http://www-01.ibm.com/support/docview.wss?uid=swg22013756>)\n\n[Security: IBM Db2 vulnerability allows local user to overwrite Db2 files (CVE-2018-1448)](<http://www-01.ibm.com/support/docview.wss?uid=swg22014388>)\n\n[Security: IBM Db2 performs unsafe deserialization in DB2 JDBC driver (CVE-2017-1677)](<http://www-01.ibm.com/support/docview.wss?uid=swg22012896>)\n\n[Security: Under specific circumstances IBM Db2 installation creates users with a weak password hashing algorithm (CVE-2017-1571)](<http://www-01.ibm.com/support/docview.wss?uid=swg22012948>)\n\nTo use your updated DB2 V10.5 server with your IBM Cloud Application Performance Management product, apply the 8.1.3.0-IBM-IPM-SERVER-IF0011 or later server patch to the system where the APM server is installed. 
Interim fixes for the APM server version 8.1.3 are available to download from IBM Fix Central at this link: \n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.3.0&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.3.0&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-30T09:49:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in DB2 that affect the IBM Performance Management product", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-1571", "CVE-2017-1677", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1448"], "modified": "2018-08-30T09:49:34", "id": 
"CF8080897BA997E374072C563D7B6C6088F56DDA07F407BD98DF25411FE5E09C", "href": "https://www.ibm.com/support/pages/node/729759", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:40:52", "description": "## Summary\n\nThere are multiple vulnerabilities in the GSKit component that is included in the IBM HTTP Server used by WebSphere Application Server. \n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). 
An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2016-7056](<https://vulners.com/cve/CVE-2016-7056>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by the failure to properly set the BN_FLG_CONSTTIME for nonces when signing with the P-256 elliptic curve by the ecdsa_sign_setup() function. An attacker could exploit this vulnerability using a cache-timing attack to recover ECDSA P-256 private keys. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120434> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect the following versions and releases of the IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.\n\n * Version 9.0\n * Version 8.5\n * Version 8.0\n * Version 7.0\n\n## Remediation/Fixes\n\n**NOTE:** After applying the interim fixes or fixpack levels as noted below, please refer to this document <http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html> for information concerning password re-stashing. 
It is advised that you re-stash your password due to CVE-2018-1447 after you apply the interim fixes.\n\n**For V9.0.0.0 through 9.0.0.7:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI94222](<http://www-01.ibm.com/support/docview.wss?uid=swg24044861>) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.8 or later.\n\n \n**For V8.5.0.0 through 8.5.5.13:**\n\n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI94222](<http://www-01.ibm.com/support/docview.wss?uid=swg24044861>)\n\n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.14. \n \n \n**For V8.0.0.0 through 8.0.0.14:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI94222](<http://www-01.ibm.com/support/docview.wss?uid=swg24044861>)\n\n \n**For V7.0.0.0 through 7.0.0.43:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI91913_](<http://www-01.ibm.com/support/docview.wss?uid=swg24044636>) \n\\--OR-- \n\u00b7 Apply Fix Pack 7.0.0.45 or later. \n \n_WebSphere Application Server V7 and V8 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. 
_\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-10-29T15:00:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities GSKit bundled with IBM HTTP Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-7056", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2018-10-29T15:00:02", "id": "78B5CDD949B0594AC0F181656CB6536E0B075D4B064576C915C9BFAF10028314", "href": "https://www.ibm.com/support/pages/node/569301", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T21:47:58", "description": "## Summary\n\nWebSphere DataPower Appliances has addressed the following vulnerabilities: \nCVE-2018-1447 \nCVE-2018-1388 \nCVE-2016-0702 \nCVE-2016-0705 \nCVE-2017-3732 \nCVE-2017-3736 \nCVE-2018-1428\n\n## Vulnerability Details\n\nCVEID: [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \nDESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. 
Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1388](<https://vulners.com/cve/CVE-2018-1388>) \n**DESCRIPTION:** GSKit V7 may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding. \nCVSS Base Score: 9.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138212> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected WebSphere DataPower Appliances | Affected Versions \n---|--- \nIBM DataPower Gateway | 7.1.0.0 - 7.1.0.23 \nIBM DataPower Gateway | 7.2.0.0 - 7.2.0.21 \nIBM DataPower Gateway | 7.5.0.0 - 7.5.0.15 \nIBM DataPower Gateway | 7.5.1.0 - 7.5.1.14 \nIBM DataPower Gateway | 7.6.0.0 - 7.6.0.7 \nIBM DataPower Gateway | 7.5.2.0 - 7.5.2.14 \nIBM DataPower Gateway CD | 7.7.0.0 - 7.7.1.0 \n \n## Remediation/Fixes\n\nProduct | VRMF | APAR | Remediation / First Fix \n---|---|---|--- \nIBM DataPower Gateway | 7.5.0.16 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway | 7.5.1.15 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway | 7.5.2.15 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway | 7.6.0.8 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway CD | 7.7.1.1 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway | 7.1.0.22 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway | 7.2.0.24 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \n \nFor IBM DataPower Gateway version 7.0 and below, IBM recommends upgrading to a fixed, supported version of the product.\n\n## Workarounds and Mitigations\n\nNone\n\n## Monitor IBM Cloud Status for Future Security Bulletins\n\nMonitor the [security notifications](<https://cloud.ibm.com/status?selected=security>) on the IBM Cloud Status page to be advised of future security 
bulletins.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n13 August 2018: Original version published \n11 September 2018: Fix typo in summary\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-11T13:21:30", "type": "ibm", "title": "Security Bulletin: WebSphere DataPower Appliances is 
affected by multiple issues", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1388", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-09-11T13:21:30", "id": "072EBEFE4EF574F4A87AC95BEA1237C43CF6D39DDD94C6BD9B965A322BB8CD15", "href": "https://www.ibm.com/support/pages/node/726039", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:40:48", "description": "## Summary\n\nA vulnerability has been addressed in the GSKit component of IBM Sterling Connect:Direct for UNIX. Further, OpenSSL vulnerabilities disclosed by the OpenSSL Project affect GSKit. IBM Sterling Connect:Direct for UNIX uses GSKit and therefore is also vulnerable.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/139072](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/121313](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/134397](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Sterling Connect:Direct for Unix 4.2.0\n\n## Remediation/Fixes\n\n**V.R.M.F** | **APAR** | **Remediation/First Fix** \n---|---|--- \n4.2.0 | None | Apply 4.2.0.4.iFix086, available in cumulative iFix088 on [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+Connect%3ADirect+for+UNIX&release=4.1.0.4&platform=All&function=fixId&fixids=4.2.0.4*iFix088*&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T22:19:08", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affects IBM Sterling Connect:Direct for UNIX", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1427"], 
"modified": "2020-07-24T22:19:08", "id": "6DB274E6F7EB4D6F538135EC07CF4443980A5C2FC8C1652E16833E39D5F430D2", "href": "https://www.ibm.com/support/pages/node/726077", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:38:13", "description": "## Summary\n\nVulnerabilities have been found in the IBM GSKit component used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID: **[**CVE-2017-3732**](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID: **[**CVE-2017-3736**](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:**** **[**CVE-2018-1427**](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nIBM Sterling Connect:Direct for Microsoft Windows 4.7.0.0 through 4.7.0.5_iFix012\n\n## Remediation/Fixes\n\n**Product** | **VRMF** | **APAR** | **Remediation/First Fix** \n---|---|---|--- \nIBM Sterling Connect:Direct for Microsoft Windows | 4.7.0 | [IT24136](<http://www.ibm.com/support/docview.wss?uid=swg1IT24136>) | Apply 4.7.0.5_iFix013, available on [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/Sterling+Connect%3ADirect+for+Microsoft+Windows&release=4.7.0.5&platform=All&function=aparId&apars=IT24136>) \n \n_For older versions/releases IBM recommends upgrading to a fixed, supported version/release of the product._\n\n## Workarounds and Mitigations\n\nTo protect the system from issues CVE-2017-3732 & CVE-2017-3736, only use Cipher Suites that start with TLS_ECDHE_ECDSA...\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T22:19:08", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in GSKit Affect IBM Sterling Connect:Direct for Microsoft Windows", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1427"], "modified": "2020-07-24T22:19:08", "id": "D5AA5A836C6CC887766560D5C0DEA7A00ECE08E7210420C4B9BBFF45EA1FF9F6", "href": "https://www.ibm.com/support/pages/node/304413", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:50:48", "description": "## Summary\n\nFileNet Capture has addressed multiple GSKit and GSKit-Crypto vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nFileNet Capture 5.2.1\n\n## Remediation/Fixes\n\n**Product** | **VRM** | **Remediation** \n---|---|--- \nFileNet Capture | 5.2.1 | Use FileNet Capture 5.2.1.8 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet%20Product%20Family&product=ibm/Information+Management/FileNet+Capture&release=5.2.1.8&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-02T18:45:28", "type": "ibm", "title": "Security Bulletin: FileNet 
Capture is affected by GSKit and GSKit-Crypto vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1447"], "modified": "2018-07-02T18:45:28", "id": "5B4C19B2CA9D2714AEF1546FC810D709406148AD04288568A5EFCF5FDEF9B2D5", "href": "https://www.ibm.com/support/pages/node/715255", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-22T01:47:10", "description": "## Summary\n\nThere are multiple security vulnerabilities in IBM\u00ae GSKit version 8. \nGSKit is used by IBM Rational Directory Server (Tivoli). \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s) | Affected Supporting Product(s) and Version(s) \n---|--- \nRational Directory Server (Tivoli) v5.2.1 | Tivoli Directory Server 6.3, \nSecurity Directory Server 6.4 \n \n## Remediation/Fixes\n\nConsult the security bulletin [Security Bulletin: IBM Security Directory Server is affected by multiple vulnerabilities in GSKit](<https://www-01.ibm.com/support/docview.wss?uid=ibm10718847>) for vulnerability details and information about fixes.\n\n_For versions of Rational Directory Server that are earlier than version 5.2.1, and Rational Directory Administrator versions earlier than 6.0.0.2, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-01-28T20:20:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM GSKit affect Rational Directory Server (Tivoli)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2019-01-28T20:20:01", "id": "7B815188E16C52B322DD4246EBAB0FC7BA3EDE14D3D566E6B024A1EA3CA43349", "href": "https://www.ibm.com/support/pages/node/794839", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T21:44:33", "description": "## Summary\n\nIBM Security Directory Server has addressed the following vulnerabilities caused by issues in GSKit.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected IBM Security Directory Server | Affected SDS Versions | Affected GSKit Versions \n---|---|--- \nIBM Tivoli Directory Server | 6.2 - 6.2.0.55, 6.3 - 6.3.0.48 | 7.0.5.14 and lower \nIBM Security Directory Server | 6.3.1 - 6.3.1.23, 6.4 - 6.4.0.15 | 8.0.50.85 and lower \n \n## Remediation/Fixes\n\nAffected IBM Security Directory Server | VRMF | Updated GSKit Version | Remediation \n---|---|---|--- \nIBM Tivoli Directory Server | 6.2 - 6.2.0.55 | 7.0.5.15 | [6.2.0.56-ISS-ITDS-IF0056 ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.2.0.56&platform=All&function=all>) \nIBM Tivoli Directory Server | 6.3 - 6.3.0.48 | 8.0.50.89 | [6.3.0.49-ISS-ITDS-IF0049](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.3.0.49&platform=All&function=all>) \nIBM Security Directory Server | 6.3.1 - 6.3.1.23 | 8.0.50.89 | [6.3.1.24-ISS-ISDS-IF0024 
](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.3.1.24&platform=All&function=all>) \nIBM Security Directory Server | 6.4 - 6.4.0.15 | 8.0.50.89 | [6.4.0.16-ISS-ISDS-IF0016 ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.4.0.16&platform=All&function=all>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-02-15T07:50:01", "type": "ibm", "title": "Security Bulletin: IBM Security Directory Server is affected by multiple vulnerabilities in GSKit", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2019-02-15T07:50:01", "id": "B61307CAECBB5590BF8837472BAB9C85B9153B31B334257C484DD1ADD641B9ED", "href": "https://www.ibm.com/support/pages/node/718847", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T05:48:17", "description": "## Summary\n\nVulnerabilities have been addressed in the 
GSKit component of IBM Rational ClearQuest.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**ClearQuest version** | **Status** \n---|--- \n8.0 through 8.0.0.21 | Affected \n8.0.1 through 8.0.1.16 | Affected \n9.0 through 9.0.0.6 | Affected \n9.0.1 through 9.0.1.2 | Affected \n \n**ClearQuest CM Server release** | **Status** \n---|--- \n8.0 through 8.0.0.21 | Affected \n8.0.1 through 8.0.1.16 | Affected \n9.0 through 9.0.0.6 | Affected \n9.0.1 through 9.0.1.2 | Affected \n \n**ClearQuest CM Server:** \nAll platforms of the indicated releases. \n \nYou are vulnerable if you configure Rational ClearQuest to use LDAP authentication with secure sockets connections. 
\n\n## Remediation/Fixes\n\n**Note:** After applying the fixes as noted below, please refer to this document [_http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html_](<http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html>) for information concerning password re-stashing. It is advised that you re-stash your password due to CVE-2018-1447 after you apply the fixes. \n \nThe solution is to upgrade to a newer fix pack or release of ClearQuest, and to apply fixes for IBM HTTP Server (IHS). \n \n**Affected Versions** | **Fixes** \n---|--- \n9.0.1 through 9.0.1.2 | Install [Rational ClearQuest Fix Pack 3 (9.0.1.3) for 9.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044200>) \n9.0 through 9.0.0.6 | Install [Rational ClearQuest Fix Pack 3 (9.0.1.3) for 9.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044200>) \n8.0.1 through 8.0.1.16 | Install [Rational ClearQuest Fix Pack 17 (8.0.1.17) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044198>) \n8.0 through 8.0.0.21 | Install [Rational ClearQuest Fix Pack 17 (8.0.1.17) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044198>) \n \n**ClearQuest CM Server:** \nApply an IHS fix for the issue: \n\n 1. Determine the IHS version used by your ClearQuest CM server. Navigate to the IBM HTTP Server installation directory (typically `/opt/ibm/HTTPServer` or `C:\\Program Files (x86)\\IBM\\HTTPServer`), then execute the script: `bin/versionInfo.sh` (UNIX) or `bin\\versionInfo.bat` (Windows). The output includes a section \"IBM HTTP Server for WebSphere Application Server\". Make note of the version listed in this section.\n 2. Review the following IHS security bulletin for the available fixes: [Security Bulletin: Multiple vulnerabilities GSKit bundled with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>). **Note:** there may be newer security fixes for IBM HTTP Server. 
Follow the link above (in the section \"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:26:53", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in GSKit shipped with IBM ClearQuest (CVE-2016-0702, CVE-2018-1447, CVE-2018-1427, CVE-2016-0705)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2018-06-17T05:26:53", "id": "DBEBF5B229C8DE6CB3D8A210AACEF003D3ABB0F69D7078FE103C643B2D8909C5", "href": "https://www.ibm.com/support/pages/node/569381", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-12T21:33:49", "description": "## Summary\n\nThe Elastic Storage Server and the GPFS Storage Server are affected by multiple GSKit vulnerabilities in IBM Spectrum Scale. 
\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1431](<https://vulners.com/cve/CVE-2018-1431>) \n**DESCRIPTION:** A vulnerability in GSKit affects IBM Spectrum Scale that could allow a local attacker to obtain control of the Spectrum Scale daemon and to access and modify files in the Spectrum Scale file system, and possibly to obtain administrator privileges on the node. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThe Elastic Storage Server 5.0.0 thru 5.3.0.1 \nThe Elastic Storage Server 5.0.0 thru 5.2.2 \nThe Elastic Storage Server 4.5.0 thru 4.6.0 \nThe Elastic Storage Server 4.0.0 thru 4.0.6 \nThe Elastic Storage Server 3.5.0 thru 3.5.6 \nThe Elastic Storage Server 3.0.0 thru 3.0.5 \nThe Elastic Storage Server 2.5.0 thru 2.5.5 \nThe GPFS Storage Server 2.0.0 thru 2.0.7\n\n## Remediation/Fixes\n\nFor ESS 4.5.0 thru 4.6.0, customers should upgrade to ESS 5.3.1 \nFor ESS 4.0.0 thru 4.0.6, customers should upgrade to ESS 5.3.1 \nFor ESS 3.5.0 thru 3.5.6, customers should upgrade to ESS 5.3.1 \nFor ESS 3.0.0 thru 3.0.5, customers should upgrade to ESS 5.3.1 \nFor ESS 2.5.0 thru 2.5.5, customers should upgrade to ESS 5.3.1\n\nFor IBM Elastic Storage Server V5.0.0. thru 5.3.0.1, apply V5.3.1 available from FixCentral at:\n\n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Softw\u2026](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+\\(ESS\\)&release=5.3.0&platform=All&function=all>)\n\nFor IBM Elastic Storage Server V5.0.0. 
thru 5.2.2, apply V5.2.2.1 available from FixCentral at:\n\n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Softw\u2026](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+\\(ESS\\)&release=5.2.0&platform=All&function=all>)\n\nNotes: \nIf you are unable to upgrade to ESS 5.3.1 or 5.2.2.1, please contact IBM Service to obtain an efix:\n\n\\- For IBM Elastic Storage Server 5.3, reference APAR IJ05680 \n\\- For IBM Elastic Storage Server 4.0.0 - 4.6.0, reference APAR IJ05666 \n\\- For IBM Elastic Storage Server 2.5.0 thru 3.5.6, reference APAR IJ05628\n\nFor the GPFS Storage Server 2.0.0 thru 2.0.7, contact IBM Service to obtain an efix referencing APAR IJ05628.\n\nTo contact IBM Service, see <http://www.ibm.com/planetwide/>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-06T07:58:00", "type": "ibm", "title": "Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2018-1431", "CVE-2018-1447"], "modified": "2018-07-06T07:58:00", "id": "2EB8A3A34F13FAA08E22E3997DB0F3D1575349656D6F141EC72ED1BF89C93546", "href": "https://www.ibm.com/support/pages/node/716005", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:12:31", "description": "## Summary\n\nA fix is available for IBM Storwize V7000 Unified, for GPFS security vulnerabilities\n\n## Vulnerability Details\n\nIBM General Parallel File System (GPFS) is a high-performance clustered file system. It is used in IBM Storwize V7000 Unified.\n\n**CVEID:** [CVE-2018-1431](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1431>) \n**DESCRIPTION:** A vulnerability in GSKit affects IBM Spectrum Scale that could allow a local attacker to obtain control of the Spectrum Scale daemon and to access and modify files in the Spectrum Scale file system, and possibly to obtain administrator privileges on the node. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2018-1447](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Storwize V7000 Unified \nThe product is affected when running supported code releases 1.6.0.0 to 1.6.2.4. Systems running unsupported code releases 1.5 or earlier are also affected.\n\n## Remediation/Fixes\n\nA fix for these issues is in version v1.6.2.5 of IBM Storwize V7000 Unified. Customers running an affected version of IBM Storwize V7000 Unified should upgrade to 1.6.2.5 or a later version. 
\n \n[_Latest Storwize V7000 Unified Software_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003918&myns=s028&mynp=OCST5Q4U&mync=E>) \n \nSystems running an unsupported version (v1.5 or earlier) should be upgraded to the current release containing the security fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Internal Use Only\n\nPR ID : 112925, Advisory id : 11527\n\n[{\"Product\":{\"code\":\"ST5Q4U\",\"label\":\"IBM Storwize V7000 Unified (2073)\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"1.6.2\",\"Platform\":[{\"code\":\"\",\"label\":\"IBM Storwize V7000\"}],\"Version\":\"1.6.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-17T17:35:01", "type": "ibm", "title": "Security Bulletin : IBM Storwize V7000 Unified is affected by multiple GSKit 
vulnerabilities in GPFS", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2018-1431", "CVE-2018-1447"], "modified": "2018-10-17T17:35:01", "id": "11452E38010E945A0FE01EFC4554F3798D8F99A1582985B386C674085821DFEE", "href": "https://www.ibm.com/support/pages/node/734249", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:49:18", "description": "## Summary\n\nIBM Spectrum Scale v5.0.0 is shipped with IBM Cloud PowerVC Manager for Software Defined Infrastructure (SDI) v1.1.0. 
Information about security vulnerabilities affecting IBM Spectrum Scale v5.0.0 has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Cloud PowerVC Manager for Software Defined Infrastructure (SDI) v1.1.0\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM Spectrum Scale v5.0.0, which is shipped with IBM Cloud PowerVC Manager for Software Defined Infrastructure (SDI) v1.1.0.\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Cloud PowerVC Manager for Software Defined Infrastructure (SDI) v1.1.0 | IBM Spectrum Scale v5.0.0 | [Vulnerabilities in GSKit affect IBM Spectrum Scale (CVE-2018-1431, CVE-2016-0705, CVE-2017-3732, CVE-2018-1447)](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012049>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-02T16:55:09", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM Spectrum Scale v5.0.0 shipped with IBM Cloud PowerVC Manager for Software Defined Infrastructure (SDI) v1.1.0 (CVE-2018-1431, CVE-2016-0705, CVE-2017-3732, CVE-2018-1447)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2018-1431", "CVE-2018-1447"], "modified": "2018-08-02T16:55:09", "id": "E7A3E01F56125C0D2C4DCAD5C1C2ED2C377E247B54F164A5E471F3418EA2DA10", "href": "https://www.ibm.com/support/pages/node/717745", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:47:48", "description": "## Summary\n\nDB2 LUW is affected by a vulnerability in IBM\u00ae Spectrum Scale Version V4.2 and V4.1 that is used by DB2\u00ae pureScale\u2122 Feature on AIX and Linux. IBM Spectrum Scale is previously known as General Parallel File System (GPFS).\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1431](<https://vulners.com/cve/CVE-2018-1431>) \n**DESCRIPTION:** A vulnerability in GSKit affects IBM Spectrum Scale that could allow a local attacker to obtain control of the Spectrum Scale daemon and to access and modify files in the Spectrum Scale file system, and possibly to obtain administrator privileges on the node. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAll fix pack levels of IBM Db2 V10.5, and V11.1 editions on all Unix-type platforms are affected. Windows platforms are not affected.\n\n## Remediation/Fixes\n\nCustomers running any vulnerable fixpack level of an affected Program, V10.5 and V11.1, can contact IBM technical support to obtain the Spectrum Scale security package update. Before installing the Spectrum Scale security package, the DB2 level might need to be upgraded to the level that includes the supported Spectrum Scale level. Do not attempt to upgrade Spectrum Scale by any other means. 
The table below lists the DB2 releases and the Spectrum Scale security package to request from IBM technical support.\n\n**DB2 Release** | **Obtain following from IBM technical support:** \n---|--- \n10.5 AIX 64-bit | \n\nU881200.gpfs.gskit.bff \n \n10.5 Linux 64-bit, x86-64 | \n\ngpfs.gskit-8.0.50-86.x86_64.rpm \n \n10.5 Linux 64-bit, POWER\u2122 little endian | \n\ngpfs.gskit-8.0.50-86.ppc64le.rpm \n \n11.1 AIX 64-bit | \n\nU881200.gpfs.gskit.bff \n \n11.1 Linux 64-bit, x86-64 | \n\ngpfs.gskit-8.0.50-86.x86_64.rpm \n \n11.1 Linux 64-bit, POWER\u2122 little endian | \n\ngpfs.gskit-8.0.50-86.ppc64le.rpm \n \nThe Spectrum Scale security package upgrade instructions are available here: <https://www-01.ibm.com/support/docview.wss?uid=ibm10731637>\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-19T19:50:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM Spectrum Scale used by DB2\u00ae pureScale\u2122 (CVE-2018-1431, CVE-2018-1447, CVE-2017-3732, CVE-2016-0705)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2018-1431", "CVE-2018-1447"], "modified": "2018-09-19T19:50:01", "id": "12160D8B9DA998BD9B96E21D163BC830E6C209BFFCC664A483A9178521D4B6C0", "href": "https://www.ibm.com/support/pages/node/731657", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:49:25", "description": "## Summary\n\nVulnerabilities in GSKit affect IBM Spectrum Scale where: \n\\- a local attacker could obtain control of the Spectrum Scale daemon and to access and modify files in the Spectrum Scale file system, and possibly to obtain administrator privileges on the node (CVE-2018-1431) \n\\- OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key (CVE-2017-3736) \n\\- OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key (CVE-2017-3732) \n\\- OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service (CVE-2016-0705)\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2018-1431_](<https://vulners.com/cve/CVE-2018-1431>) \n**DESCRIPTION:** A vulnerability in GSKit affects IBM Spectrum Scale that could allow a local attacker to obtain control of the Spectrum Scale daemon and to access and modify files in the Spectrum Scale file system, and possibly to obtain administrator privileges on the node. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Spectrum Scale V5.0.0.0 thru V5.0.0.2\n\nIBM Spectrum Scale V4.2.3.0 thru V4.2.3.8\n\nIBM Spectrum Scale V4.2.2.0 thru V4.2.2.3\n\nIBM Spectrum Scale V4.2.1.0 thru V4.2.1.2\n\nIBM Spectrum Scale V4.2.0.0 thru V4.2.0.4\n\nIBM Spectrum Scale V4.1.1.0 thru V4.1.1.19\n\nIBM General Parallel File System V4.1.0.0 thru V4.1.0.8\n\n## Remediation/Fixes\n\nFor IBM Spectrum Scale V5.0.0.0 thru 5.0.0.2, apply V5.0.1 available from FixCentral at: \n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.0.1&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.0.1&platform=All&function=all>) \n \nFor IBM Spectrum Scale V4.2.0.0 thru V4.2.3.8, apply V4.2.3.9 available from FixCentral at: \n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.3&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.3&platform=All&function=all>) \n \nFor IBM Spectrum Scale V4.1.0.0 (GPFS) thru V4.1.1.19, apply V4.1.1.20 available from FixCentral at: 
\n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.1.1&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.1.1&platform=All&function=all>) \n \nIf you cannot apply the latest level of service, contact IBM Service for a stand-alone GSKit package (gpfs.gskit) for your level and platform of IBM Spectrum Scale: \n \n\\- For IBM Spectrum Scale V5.0, reference APAR IJ05680 \n\\- For IBM Spectrum Scale V4.2, reference APAR IJ05666 \n\\- For IBM Spectrum Scale V4.1.1, reference APAR IJ05628 \n \nTo contact IBM Service, see [_http://www.ibm.com/planetwide/_](<http://www.ibm.com/planetwide/>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-01T18:44:04", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM Spectrum Scale (CVE-2018-1431, CVE-2017-3736, CVE-2017-3732, CVE-2016-0705 )", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1431"], "modified": "2018-08-01T18:44:04", "id": "BBC001607D4FFC5BF566D998892962E49A145A0E15B990B9422BF06E1B00D42E", "href": "https://www.ibm.com/support/pages/node/650589", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:46:04", "description": "## Summary\n\nMultiple vulnerabilities are identified in IBM\u00ae SDK Java\u2122 Technology Edition Version 1.7 and Version 1.8 that are used by IBM Application Delivery Intelligence V5.0.4 and V5.0.5 respectively. These issues were disclosed as part of the IBM Java SDK updates in July 2018. \n\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-2973](<https://vulners.com/cve/CVE-2018-2973>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded JSSE component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146835> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nIBM Application Delivery Intelligence V5.0.4\n\nIBM Application Delivery Intelligence V5.0.5\n\n## Remediation/Fixes\n\nObtain the latest Java JRE CPU update for the IBM Java SDK by using the following information.\n\n[ADI 5.0.5, Java 1.8](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/IBM+Application+Delivery+Intelligence&release=5.0.5.2&platform=All&function=all>)\n\n[ADI 5.0.4, Java 1.7 ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/IBM+Application+Delivery+Intelligence&release=5.0.4.3&platform=All&function=all>)\n\n 1. If you are running ADI V5.0.5, skip this step. For V5.0.4, complete the following substeps. \n 1. **Stop the server** **.** Navigate to the server directory in your Rational product installation path and run this script: `server.shutdown`\n 2. **Modify the healthcenter parameter set. **\n * Navigate to the server directory in your Rational product installation path, open the `server.startup` script by using your preferred text editor (e.g., Notepad for Windows or Vim Editor for Linux).\n * Search parameter _-Dcom.ibm.java.diagnostics.healthcenter.agent_ in the `server.startup` script to find the line that contains the healthcenter parameter. 
\nNOTE: For some Rational Collaborative Lifecycle Management versions,_ -Dcom.ibm.java.diagnostics.healthcenter.agent_ parameter may not be found in the `server.startup`, in this case the update is not needed and you can start using your server.\n * **Windows:** \nComment out the line (where the _HEALTHCENTER_OPTS_ parameter is located) by inserting \"rem \" at the beginning of the line: \n \n**_Before modification:_ ** \n_set HEALTHCENTER_OPTS=-agentlib:healthcenter_ **_... \n \nAfter modification:_ ** \n_rem set HEALTHCENTER_OPTS=-agentlib:healthcenter ..._\n * **Linux:** \nComment out the line (where the _HEALTHCENTER_OPTS_ parameter is located) by inserting \"# \" at the beginning of the line: \n \n**_Before modification:_ ** \n_export HEALTHCENTER_OPTS=\"-agentlib:healthcenter_ **_... \n \nAfter modification:_ ** \n_# export HEALTHCENTER_OPTS=\"-agentlib:healthcenter ..._\n 3. **Start the server** **.** Navigate to the server directory in your Rational product installation path and run this script: `server.startup`\n 2. Upgrade your JRE by following the instructions in the link below: \n[_How to update the IBM SDK for Java of IBM Rational products based on version 3.0.1.6 or later of IBM's Jazz technology_ ](<http://www.ibm.com/support/docview.wss?uid=swg21674139>)\n 3. Navigate to the server directory in your Rational product installation path, and go to _jre/lib/security_ path.\n\n 1. Open the `java.security` file by using your preferred text editor (e.g., Notepad for Windows or Vim Editor for Linux).\n\n 2. 
Remove the MD5 option from the _jdk.jar.disabledAlgorithms_ parameter set:\n\n * **_Before modification:_ ** \n_jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024_ \n\n * **_After modification:_ ** \n_jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024_\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-07T05:10:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Java SDK (July 2018) affecting IBM Application Delivery Intelligence V5.0.5 and V5.0.4 (CVE-2016-0705, CVE 2017-3732, CVE 2017-3736, and CVE-2018-2973)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-2973"], "modified": "2018-11-07T05:10:01", "id": "2C50142AFAF98D1A6DAAE0DCF60AF9902BA861EACEB35AD2405F8E31A1B54456", "href": "https://www.ibm.com/support/pages/node/737281", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:41:59", "description": "## Summary\n\nVulnerabilities found in several components have been addressed in IBM Planning Analytics 2.0.5. 
\n \nThere are vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 7. These issues were disclosed as part of the IBM Java SDK updates in October 2017. \n \nMultiple vulnerabilities affect components consumed by IBM Planning Analytics including: OpenSSL, IBM SDK for Node.js, IBM GSKit and IBM WAS Liberty. \n \nAn XSS vulnerability where detailed information can be revealed in a TM1Web JSP error page has also been addressed. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-1681_](<https://vulners.com/cve/CVE-2017-1681>) \n**DESCRIPTION:** IBM WebSphere Application Server (IBM Liberty for Java for Bluemix 3.15) could allow a local attacker to obtain sensitive information, caused by improper handling of application requests, which could allow unauthorized access to read a file. IBM X-Force ID: 134003. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134003_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134003>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. 
An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3738_](<https://vulners.com/cve/CVE-2017-3738>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. 
\nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/136078_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136078>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n \n**CVEID:** [_CVE-2017-10356_](<https://vulners.com/cve/CVE-2017-10356>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/133785_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/133785>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** _[CVE-2018-1676](<https://vulners.com/cve/CVE-2018-1676>)_ \n**DESCRIPTION:** IBM Planning Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145118> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Planning Analytics Local 2.0.4\n\nIBM Planning Analytics Local 2.0.3\n\nIBM Planning Analytics Local 2.0.2\n\nIBM Planning Analytics Local 2.0.1\n\nIBM Planning Analytics Local 2.0.0\n\n## Remediation/Fixes\n\nPlease upgrade to [IBM Planning Analytics 2.0.5 ](<http://www.ibm.com/support/docview.wss?uid=swg24044955>) \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2020-02-24T07:27:10", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities exist in IBM Planning Analytics Local", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0701", "CVE-2016-0702", "CVE-2017-10356", "CVE-2017-1681", "CVE-2017-3732", "CVE-2017-3736", "CVE-2017-3738", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", 
"CVE-2018-1447", "CVE-2018-1676"], "modified": "2020-02-24T07:27:10", "id": "B7FF1129A02D2738AED73A8C157F3D6D872B530527C875906B3678301D70ECBB", "href": "https://www.ibm.com/support/pages/node/715229", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-22T01:47:33", "description": "## Summary\n\nThere are multiple vulnerabilities in GSKit that affect IBM Tivoli Directory Server and IBM Security Directory Server for AIX.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1388](<https://vulners.com/cve/CVE-2018-1388>) \n**DESCRIPTION:** GSKit V7 may disclose side channel information via discrepencies between valid and invalid PKCS#1 padding. \nCVSS Base Score: 9.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138212> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several enviornment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high-priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAIX 5.3, 6.1, 7.1, 7.2\n\nThe following fileset levels (VRMF) are vulnerable, if the respective IBM Tivoli Directory Server (ITDS) or IBM Security Directory Server (ISDS) version is installed:\n\nAffected IBM Security Directory Server | Affected Versions \n---|--- \nIBM Tivoli Directory Server on AIX | 6.2 - 6.2.0.55, 6.3 - 6.3.0.48 \nIBM Security Directory Server on AIX | 6.3.1 - 6.3.1.23, 6.4 - 6.4.0.15 \n \nNote: To find out whether the affected ITDS or ISDS filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.\n\nExample: lslpp -L | grep -i itds\n\n## Remediation/Fixes\n\nNote: Recommended remediation is to always install the most recent package available for the respective IBM Tivoli Directory Server or IBM Security Directory Server version.\n\nAffected IBM Security Directory Server | VRMF | Remediation \n---|---|--- \nIBM Tivoli Directory Server | 6.2 - 6.2.0.55 | [6.2.0.56-ISS-ITDS-IF0056 ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.2.0.56&platform=All&function=all>) \nIBM Tivoli Directory Server | 6.3 - 6.3.0.48 | [6.3.0.49-ISS-ITDS-IF0049](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.3.0.49&platform=All&function=all>) \nIBM Security Directory Server | 6.3.1 - 6.3.1.23 | [6.3.1.24-ISS-ISDS-IF0024 ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.3.1.24&platform=All&function=all>) \nIBM Security Directory Server | 6.4 - 6.4.0.15 | [6.4.0.16-ISS-ISDS-IF0016 
](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.4.0.16&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-01-02T14:15:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM Tivoli Directory Server and IBM Security Directory Server for AIX", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2018-1388", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2019-01-02T14:15:01", "id": "235A36D9CC1BA1B9BEC5F6CAD35060A5EF1602254ADE78302EA78955288ACDFE", "href": "https://www.ibm.com/support/pages/node/788069", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T01:45:42", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM Workload Manager. 
IBM Workload Manager has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a propagation error in the BN_mod_exp() function. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nTWS uses OpenSSL only for secure communication between internal processes. \n\nFor Tivoli Workload Scheduler Distributed, TWS nodes are affected by OpenSSL security exposures only if the TWS workstation has been defined with \u201csecuritylevel\u201d set to _on_ or _enabled_ or _force_.\n\nThese security exposures do not apply to the embedded WebSphere Application Server but only to programs installed under <TWS home>/bin. 
\n\nTivoli Workload Scheduler Distributed 8.6.0 FP04 and earlier \nTivoli Workload Scheduler Distributed 9.1.0 FP02 and earlier \nTivoli Workload Scheduler Distributed 9.2.0 FP02 and earlier \nIBM Workload Scheduler Distributed 9.3.0 FP03 and earlier \nIBM Workload Scheduler Distributed 9.4.0 FP01 and earlier \n\n## Remediation/Fixes\n\nAPAR IJ00716 has been opened to address the OpenSSL vulnerabilities for Tivoli Workload Scheduler. \n\nThe following limited availability fixes for IJ00716 are available for download on Fix Central:\n\n8.6.0-TIV-TWS-FP0004-IJ00716 \nto be applied on top of Tivoli Workload Scheduler Distributed 8.6.0 FP04\n\n9.1.0-TIV-TWS-FP0002-IJ00716 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.1.0 FP02\n\n9.2.0-TIV-TWS-FP0002-IJ00716 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.2.0 FP02\n\n9.3.0-TIV-TWS-FP0003-IJ00716 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.3.0 FP03\n\n9.4.0-TIV-TWS-FP0001-IJ00716 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.4.0 FP01\n\nFor these affected releases, IJ00716 supersedes IV85683, IV82641, IV71646, IV70763, IV66395, IV66398, IV62010, IV61392, IV75062, IV91052.\n\nFor unsupported releases, IBM recommends upgrading to a fixed, supported release of the product.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:47:06", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Scheduler", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3732", "CVE-2017-3735"], "modified": "2018-06-17T15:47:06", "id": "9D892AD714895E9B8DA3E59547784D03B32EADD3AC421AB0003E3191C1AE27AD", "href": "https://www.ibm.com/support/pages/node/299009", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:50:05", "description": "## Summary\n\nContent Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections have addressed multiple GSKit and GSKit-Crypto vulnerabilities. Details of the vulnerabilities are given below. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high-priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nContent Collector for Email 3.0 - 4.0.1 \nContent Collector for File Systems 3.0 - 4.0.1 \nContent Collector for Microsoft SharePoint 3.0 - 4.0.1 \nContent Collector for IBM Connections 3.0 - 4.0.1\n\n## Remediation/Fixes\n\n**Product** | **VRM** | **Remediation** \n---|---|--- \nContent Collector for Email | 3.0 - 4.0.1 | Use Content Collector for Email 3.0.0.6 [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=3.0.0.6-IBM-ICC-Server-IF004&source=SAR>)<br>Use Content Collector for Email 4.0.0.4 [Interim Fix 001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.0.4-IBM-ICC-IF001&source=SAR>)<br>Use Content Collector for Email 4.0.1.8 [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.8-IBM-ICC-IF004&source=SAR>) \n
Content Collector for File Systems | 3.0 - 4.0.1 | Use Content Collector for File Systems 3.0.0.6 [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=3.0.0.6-IBM-ICC-Server-IF004&source=SAR>)<br>Use Content Collector for File Systems 4.0.0.4 [Interim Fix 001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.0.4-IBM-ICC-IF001&source=SAR>)<br>Use Content Collector for File Systems 4.0.1.8 [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.8-IBM-ICC-IF004&source=SAR>) \nContent Collector for Microsoft SharePoint | 3.0 - 4.0.1 | Use Content Collector for Microsoft SharePoint 3.0.0.6 [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=3.0.0.6-IBM-ICC-Server-IF004&source=SAR>)<br>Use Content Collector for Microsoft SharePoint 4.0.0.4 [Interim Fix 001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.0.4-IBM-ICC-IF001&source=SAR>)<br>Use Content Collector for Microsoft SharePoint 4.0.1.8 [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.8-IBM-ICC-IF004&source=SAR>) \nContent Collector for IBM Connections | 3.0 - 4.0.1 | Use Content Collector for IBM Connections 3.0.0.6 [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=3.0.0.6-IBM-ICC-Server-IF004&source=SAR>)<br>Use Content Collector for IBM Connections 4.0.0.4 [Interim Fix 001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.0.4-IBM-ICC-IF001&source=SAR>)<br>Use Content Collector for IBM Connections 4.0.1.8 [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.8-IBM-ICC-IF004&source=SAR>) \n
\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-12T10:16:52", "type": "ibm", "title": "Security Bulletin: Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections is affected by GSKit and GSKit-Crypto vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3732", "CVE-2018-1447"], "modified": "2018-07-12T10:16:52", "id": "33E618FFA988ABAF1F8980465E0C050DDAE38F327AE61E58375E39344D009142", "href": "https://www.ibm.com/support/pages/node/715203", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:45:21", "description": "## Summary\n\nOpenSSL is shipped with IBM Tivoli Network Manager IP Edition version 3.9. 
Information about security vulnerabilities affecting OpenSSL has been published here.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli Network Manager IP Edition v3.9 Fix Pack 4 & Fix Pack 5.\n\n## Remediation/Fixes\n\nProduct | APAR | Remediation \n---|---|--- \nIBM Tivoli Network Manager IP Edition 3.9 | IJ02240 | Please call IBM service and reference APAR IJ02240 to obtain a fix. 
\n \n## Workarounds and Mitigations\n\nNote that only IBM Tivoli Network Manager IP Edition v3.9 customers using SSL-based (HTTPS-supporting) Perl collectors are affected by the security issues described herein.\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:48:52", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in Open SSL, which is shipped with IBM Tivoli Network Manager IP Edition.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736"], "modified": "2018-06-17T15:48:52", "id": "09C0C603EECE682CFFD6D5C27B3EAA66D128B79E9D89A33E4AF2314E9BF9995F", "href": "https://www.ibm.com/support/pages/node/303657", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:45:39", "description": "## Summary\n\nVulnerabilities in OpenSSL affect IBM Tivoli Composite Application Manager for Transactions (CVE-2017-3735, CVE-2017-3736)\n\n## Vulnerability Details\n\n**CVEID:** CVE-2017-3735 \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an 
error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/131047_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131047>) for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n**CVEID:** CVE-2017-3736 \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\n**ITCAM for Transactions includes multiple agents; this bulletin applies only to version 7.4 of the Internet Service Monitoring agent (ISM).**\n\n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nIBM Tivoli Composite Application Manager for Transactions (Internet Service Monitoring) | _7.4.0.1_ | | [https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003683](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003683>) \nIBM Tivoli Composite Application Manager for Transactions (Internet Service Monitoring) | _7.4.0.2_ | | [https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003684](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003684>) \n \n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": 
{"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:47:22", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Composite Application Manager for Transactions (CVE-2017-3735, CVE-2017-3736)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736"], "modified": "2018-06-17T15:47:22", "id": "362CA001FD00553BE7174C03BCCCBF89F5AB1348C42B438F71C6E4CFB81D7E56", "href": "https://www.ibm.com/support/pages/node/299591", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:51:44", "description": "## Summary\n\nMultiple vulnerabilities have been discovered in the OpenSSL used by the IBM FSM SMIA configuration tool (commonly known as Network Advisor). This bulletin addresses these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3735_](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. 
An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/131047_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131047>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\nFlex System Manager 1.3.4.0 \nFlex System Manager 1.3.3.0 \nFlex System Manager 1.3.2.1 \nFlex System Manager 1.3.2.0 \n\n## Remediation/Fixes\n\nIBM recommends updating the FSM SMIA configuration tool using the instructions referenced in this table. \n\n**IMPORTANT:** Before installing an SMIA iFix, you need to determine the version that is currently installed. To determine the SMIA version level installed on the FSM, log into your FSM Web-based UI and navigate to the Home page and Applications tab. 
The version is listed next to the \"SMIA Configuration Tool\" link.\n\n * If your SMIA version is less than 14.0.2, update your FSM using the instructions listed in this [Security Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=isg3T1024508>) (<http://www-01.ibm.com/support/docview.wss?uid=isg3T1024508>), restart the FSM and then install the iFix listed in this table. \n * If your version is 14.0.2 or greater, then install the iFix listed in this table.\n\nProduct | VRMF | SMIA Remediation \n---|---|--- \nFlex System Manager | 1.3.4.0 | Install [fsmfix1.3.4.0_IT20926](<https://www-945.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.4.0_IT20926&function=fixId&parent=Flex%20System%20Manager%20Node>). \nFlex System Manager | 1.3.3.0 | Install [fsmfix1.3.3.0_IT20926](<https://www-945.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.3.0_IT20926&function=fixId&parent=Flex%20System%20Manager%20Node>). \nFlex System Manager | 1.3.2.0, 1.3.2.1 | Install [fsmfix1.3.2.0_IT20926](<https://www-945.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.2.0_IT20926&function=fixId&parent=Flex%20System%20Manager%20Node>). \n \nFor a complete list of FSM security bulletins refer to this technote: [http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E](<http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E>) \n \nFor 1.1.x.x, 1.2.x.x, 1.3.0.x and 1.3.1.x, IBM recommends upgrading to a fixed, supported version/release of the product. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T01:38:27", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM) Storage Manager Install Anywhere (SMIA) configuration tool (CVE-2017-3735, CVE-2017-3736)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736"], "modified": "2018-06-18T01:38:27", "id": "8A4B8F016E20BE062D275D1D7DA531E398846FA5F653F9077E943F8758AD58E1", "href": "https://www.ibm.com/support/pages/node/632291", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:49:56", "description": "## Summary\n\nA vulnerability was found in the OpenSSL release used by the Windows and z/OS Security Identity Adapters. These adapters have been upgraded to a more current OpenSSL release that corrects CVE-2017-3735 \"Malformed X.509 IPAddressFamily could cause OOB read\" vulnerability. 
\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n[CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n\n\n## Affected Products and Versions\n\nIBM Security Identity Manager v6.0 Adapters for Windows and z/OS platforms \nIBM Security Identity Adapters v7.x for Windows and z/OS platforms\n\n## Remediation/Fixes\n\nObtain the latest GA levels of 6.0 or 7.x adapters, as found on the Fix Link pages listed below: \n\nProduct | Fix Link \n---|--- \nISIM v6.0 Adapters | [Adapters for IBM Security Identity Manager v6.0](<http://www-01.ibm.com/support/docview.wss?uid=swg21599053>) \nSecurity Identity v7.x Adapters for IGI, ISIM, PIM | [IBM Security Identity Adapters](<http://www-01.ibm.com/support/docview.wss?uid=swg21687732>) \n \n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T22:06:05", "type": "ibm", "title": "Security Bulletin: Vulnerability found in OpenSSL release used by Windows and z/OS Security Identity Adapters (CVE-2017-3735)", "bulletinFamily": 
"software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736"], "modified": "2018-06-16T22:06:05", "id": "5EE17E6FA7B2E867293769D2B457CC1C902CEA1D9C6F97B78C2166BEB5DBD8E2", "href": "https://www.ibm.com/support/pages/node/568153", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:40:29", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on November 2, 2017 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). 
An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect IBM SDK for Node.js v4.8.5.0 and earlier releases. \nThese vulnerabilities affect IBM SDK for Node.js v6.11.5.0 and earlier releases. \nThese vulnerabilities affect IBM SDK for Node.js v8.9.0.0 and earlier releases.\n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are included in IBM SDK for Node.js v4.8.6.0 and subsequent releases. \nThe fixes for these vulnerabilities are included in IBM SDK for Node.js v6.12.0.0 and subsequent releases. \nThe fixes for these vulnerabilities are included in IBM SDK for Node.js v8.9.3.0 and subsequent releases. \n \nIBM SDK for Node.js can be downloaded, subject to the terms of the developerWorks license, from [_here_](<http://www.ibm.com/developerworks/web/nodesdk/>). 
\n \nIBM customers requiring an update for an SDK shipped with an IBM product should contact [_IBM support_](<http://www.ibm.com/support/>), and/or refer to the appropriate product security bulletin.\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-09T04:20:36", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM\u00ae SDK for Node.js\u2122 (CVE-2017-3735 CVE-2017-3736)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736"], "modified": "2018-08-09T04:20:36", "id": "345F51EBDC4B614107E623B2D5435B6EE46DAFBE316CB6F79143A9BB38DCD9B2", "href": "https://www.ibm.com/support/pages/node/298543", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-23T21:51:12", "description": "## Summary\n\nIBM Unified Extensible Firmware Interface (UEFI) has addressed the following vulnerabilities in OpenSSL.\n\n## Vulnerability Details\n\n**CVEID:** 
[CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>)\n\n**Description:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>)\n\n**Description:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.\n\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**Affected Products and Versions**\n\nSystem Name | Affected Version \n---|--- \nBladeCenter HS23 7875/1929 | tke1 \nBladeCenter HS23E 8038/8039 | ahe1 \nFlex System x220 2585/7906 | kse1 \nFlex System x222 7916 | cce1 \nFlex System x240 7863/8737/8738/8956 | b2e1 \nFlex System x280, x480, x880 7903 | n2e1 \nFlex System x440 7917 | cne1 \nSystem x iDataPlex dx360 M4 7912/7913 | tde1 \nSystem x NeXtScale nx360 M4 5455 | fhe1 \nSystem x3100 M5 5457 | j9e1 \nSystem x3250 M5 5458 | jue1 \nSystem x3300 M4 7382 | yae1 \nSystem x3500 M4 7383 | y5e1 \nSystem x3550 M4 7914 | d7e1 \nSystem x3630 M4 7158 \nSystem x3530 M4 7160 | bee1 \nSystem x3650 M4 7915 \nSystem x3650 M4 HD 5460 | vve1 \nSystem x3650 M4 BD 5466 | yoe1 \nSystem x3750 M4 8718/8722/8733/8752 
| koe1 \nSystem x3850 x6 3837/3839 \nSystem x3950 x6 3839 | a8e1 \n \n**Note:** The following systems are not affected by this vulnerability.\n\nSystem x3100 M4 2582 \nSystem x3250 M4 2583 | jqe1 \n---|--- \n \n**Remediation/Fixes**\n\nFirmware fix versions are available on Fix Central: \n<http://www.ibm.com/support/fixcentral/>.\n\nIt is recommended to update to the firmware level listed below, or a later version.\n\nSystem Name | Fixed Version \n---|--- \nBladeCenter HS23 7875/1929 \n(ibm_fw_uefi_tke158g-2.30_anyos_32-64) | tke158g-2.30 \nBladeCenter HS23E 8038/8039 \n(ibm_fw_uefi_ahe158f-2.70_anyos_32-64) | ahe158f-2.70 \nFlex System x220 2585/7906 \n(ibm_fw_uefi_kse156f-2.10_anyos_32-64) | kse156f-2.10 \nFlex System x222 7916 \n(ibm_fw_uefi_cce158h-1.90_anyos_32-64) | cce158h-1.90 \nFlex System x240 7863/8737/8738/8956 \n(ibm_fw_uefi_b2e160f-2.10_anyos_32-64) | b2e160f-2.10 \nFlex System x280, x480, x880 7903 \n(ibm_fw_uefi_n2e128g-1.80_anyos_32-64) | n2e128g-1.80 \nFlex System x440 7917 \n(ibm_fw_uefi_cne160g-2.00_anyos_32-64) | cne160g-2.00 \nSystem x iDataPlex dx360 M4 7912/7913 \n(ibm_fw_uefi_tde154g-2.00_anyos_32-64) | tde154g-2.00 \nSystem x NeXtScale nx360 M4 5455 \n(ibm_fw_uefi_fhe118f-1.80_anyos_32-64) | fhe118f-1.80 \nSystem x3100 M5 5457 \n(ibm_fw_uefi_j9e132f-1.70_anyos_32-64) | j9e132f-1.70 \nSystem x3250 M5 5458 \n(ibm_fw_uefi_jue132f-1.70_anyos_32-64) | jue132f-1.70 \nSystem x3300 M4 7382 \n(ibm_fw_uefi_yae154f-2.00_anyos_32-64) | yae154f-2.00 \nSystem x3500 M4 7383 \n(ibm_fw_uefi_y5e156f-2.50_anyos_32-64) | y5e156f-2.50 \nSystem x3550 M4 7914 \n(ibm_fw_uefi_d7e162f-2.60_anyos_32-64) | d7e162f-2.60 \nSystem x3630 M4 7158 \nSystem x3530 M4 7160 \n(ibm_fw_uefi_bee162f-2.90_anyos_32-64) | bee162f-2.90 \nSystem x3650 M4 7915 \nSystem x3650 M4 HD 5460 \n(ibm_fw_uefi_vve158f-2.60_anyos_32-64) | vve158f-2.60 \nSystem x3650 M4 BD 5466 \n(ibm_fw_uefi_yoe124f-2.10_anyos_32-64) | yoe124f-2.10 \nSystem x3750 M4 8718/8722/8733/8752 
\n(ibm_fw_uefi_koe158f-2.10_anyos_32-64) | koe158f-2.10 \nSystem x3850 x6 3837/3839 \nSystem x3950 x6 3839 \n(ibm_fw_uefi_a8e126f-1.60_anyos_32-64) | a8e126f-1.60 \n \n**Workarounds and Mitigations**\n\nNone\n\n**References**\n\n * [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide.html>)\n * [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0>)\n\n**Related Information** \n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n[Lenovo Product Security Advisories](<https://support.lenovo.com/us/en/product_security/home>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n19 March 2018: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-01-31T02:40:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM Unified Extensible Firmware Interface (UEFI) (CVE-2017-3735 CVE-2017-3736)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736"], "modified": "2019-01-31T02:40:01", "id": "6EE71D5B8CC229B17D346C2973483FC9B94D57474DA00268794EAB3444B084E0", "href": "https://www.ibm.com/support/pages/node/868950", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:48:17", "description": "## Summary\n\nSecurity vulnerabilities affect IBM Watson Explorer Foundational Components.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3735_](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. 
An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/131047_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131047>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nThe vulnerabilities apply to the following products and versions:\n\n * Watson Explorer Foundational Components versions 11.0.0.0 - 11.0.0.3, 11.0.1, 11.0.2 - 11.0.2.1\n * Watson Explorer Foundational Components versions 10.0.0.0 - 10.0.0.4\n * Watson Explorer Foundational Components versions 9.0.0.0 - 9.0.0.8\n * InfoSphere Data Explorer versions 8.2 - 8.2-6\n\n## Remediation/Fixes\n\nUpgrade to the product version in the table below, which carries the required version of OpenSSL. \n \nThe table reflects product names at the time the specified versions were released. 
To use the links to Fix Central in this table, you must first log in to the IBM Support: Fix Central site at <http://www.ibm.com/support/fixcentral/>.\n\n**Affected Product** | **Affected Versions** | **Fix** \n---|---|--- \nWatson Explorer Foundational Components | 11.0.0.0 - 11.0.0.3, 11.0.1, 11.0.2 - 11.0.2.1 | Upgrade to Version 11.0.2.2. See [Watson Explorer Version 11.0.2.2 Foundational Components](<http://www.ibm.com/support/docview.wss?uid=swg24044332>) for download information and instructions. \nWatson Explorer Foundational Components | 10.0.0.0 - 10.0.0.4 | Upgrade to Version 10.0.0.5. See [Watson Explorer Version 10.0.0.5 Foundational Components](<https://www.ibm.com/support/docview.wss?uid=ibm10725861>) for download information and instructions. \nWatson Explorer Foundational Components | 9.0.0.0 - 9.0.0.8 | Upgrade to Version 9.0.0.9. See Watson Explorer Version 9.0.0.9 Foundational Components for [download information](<http://www.ibm.com/support/docview.wss?uid=swg24044663>) and instructions. \nInfoSphere Data Explorer | 8.2 - 8.2-6 | Upgrade to Version 8.2-7. See Watson Explorer Version 8.2-7 Foundational Components for [download information](<http://www.ibm.com/support/docview.wss?uid=swg24044665>) and instructions. 
\n \n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-22T13:35:59", "type": "ibm", "title": "Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2017-3735, CVE-2017-3736)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736"], "modified": "2018-08-22T13:35:59", "id": "BA623255812F5894326A7A04E7565E7B402C3E556C22462052D019D08EA0871E", "href": "https://www.ibm.com/support/pages/node/711623", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:49:52", "description": "## Summary\n\nIBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware has addressed the following vulnerabilities in OpenSSL.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\n**Product** | **Affected Version** \n---|--- \nIBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware | 3.3-3.6 \n \n## Remediation/Fixes\n\nFirmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/>\n\n**Product** | **Fix Version** \n---|--- \nIBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware (mlnx_fw_ppc_m460ex-sx-3.6.6000_anyos_noarch) | 3.6.6000 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-19T20:26:58", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System EN6131 
40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736"], "modified": "2018-07-19T20:26:58", "id": "D320768EDA0A256974922526FBD9B0D787A99E5EB5A51830D413ECE091D3B830", "href": "https://www.ibm.com/support/pages/node/717975", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:39:32", "description": "## Summary\n\nOpen Source OpenSSL is used by IBM Netezza Host Management. IBM Netezza Host Management has addressed the applicable CVEs. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3735_](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/131047_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131047>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\n * IBM Netezza Host Management 5.4.2.1 - 5.4.15.0\n\n## Remediation/Fixes\n\nTo resolve the reported CVEs for Red Hat Enterprise Linux (RHEL) on the following PureData System and Netezza platforms: \n\n * PureData System for Analytics N3001\n * PureData System for Analytics N200x\n * PureData System for Analytics N1001\n * IBM Netezza High Capacity Appliance C1000\n * IBM Netezza 1000\n * IBM Netezza 100\n\nupdate to the following IBM Netezza Host Management release: \n\nProduct | VRMF | Remediation/First Fix \n---|---|--- \nIBM Netezza Host Management | 5.4.16.0 | [Link to Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information+Management&product=ibm/Information+Management/Netezza+Platform&release=HOSTMGMT_5&platform=All&function=fixId&fixids=5.4.16.0-IM-Netezza-HOSTMGMT-fp119562>) \n \n \nThe Netezza Host Management software contains the latest RHEL updates for the operating systems certified for use on IBM 
Netezza/PureData System for Analytics appliances. IBM recommends upgrading to the latest Netezza Host Management version to ensure that your hosts have the latest fixes, security changes, and operating system updates. IBM Support can assist you with planning for the Netezza Host Management and operating system upgrades to your appliances. \n \nFor more details on IBM Netezza Host Management security patching: \n\n * [_Red Hat Enterprise Linux (RHEL) Security Patching for IBM PureData System for Analytics appliances_](<http://www-01.ibm.com/support/docview.wss?uid=swg21615012>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-10-18T03:10:29", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Open Source OpenSSL affect IBM Netezza Host Management", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736"], "modified": "2019-10-18T03:10:29", "id": "06852EEA8CD7CA7F8840D2FC93096A4DD156B248C6D17CEEEBA4095B19D215B6", "href": "https://www.ibm.com/support/pages/node/300417", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, 
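Every bulletin above gives the fixed version of its own product, not the OpenSSL release that actually carries the fix, which is what you need when auditing a host for which no vendor bulletin exists. The following Python is an added example, not from any IBM bulletin or product: it classifies `openssl version` output against the upstream fixed releases. It assumes the OpenSSL project's advisory of 2 November 2017 (both CVEs fixed in OpenSSL 1.0.2m and 1.1.0g; 1.0.1 and older were out of support and never fixed; 1.1.1 and later were released after the fix), none of which the page states; the host inventory lines are constructed.

```python
"""Added example (not from any IBM bulletin): flag OpenSSL version strings
that predate the upstream releases fixing CVE-2017-3735 and CVE-2017-3736.

Assumption, taken from the OpenSSL project advisory of 2 November 2017 and
not from this page: both CVEs are fixed in OpenSSL 1.0.2m and 1.1.0g.
Branches older than 1.0.2 were out of support and never received a fix;
1.1.1 and later were released after the fix.
"""
import re

# First patch letter on each supported branch that carries the fixes (assumption).
FIXED_RELEASES = {(1, 0, 2): "m", (1, 1, 0): "g"}

# Matches "1.0.2k" inside "OpenSSL 1.0.2k-fips  26 Jan 2017" or a bare "1.1.0g".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letter), or None when the text carries no
    OpenSSL-style version or names a different library."""
    if "libressl" in text.lower():
        return None  # LibreSSL numbers its releases independently of OpenSSL
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def assess(text):
    """Classify one version string:

    'vulnerable'   - supported branch, patch letter below the fixed release
    'fixed'        - 1.0.2m or later on 1.0.2, 1.1.0g or later on 1.1.0
    'unsupported'  - 1.0.1 and older: no fixed release exists, treat as exposed
    'not-affected' - 1.1.1 and later, released after the fix
    'unknown'      - unparseable or not OpenSSL
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter = parsed
    branch = (major, minor, fix)
    if branch in FIXED_RELEASES:
        # OpenSSL patch letters sort alphabetically: "" < "a" < ... < "m" < "za".
        return "fixed" if letter >= FIXED_RELEASES[branch] else "vulnerable"
    if branch > (1, 1, 0):
        return "not-affected"
    return "unsupported"


def scan_inventory(lines):
    """Take 'host: <openssl version output>' lines and return only the hosts
    that still need attention, mapped to their status."""
    needs_action = {}
    for line in lines:
        host, _, version_text = line.partition(":")
        status = assess(version_text)
        if status in ("vulnerable", "unsupported", "unknown"):
            needs_action[host.strip()] = status
    return needs_action


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    "web01: OpenSSL 1.0.2k-fips  26 Jan 2017",
    "web02: OpenSSL 1.0.2m  2 Nov 2017",
    "api01: OpenSSL 1.1.0f  25 May 2017",
    "api02: OpenSSL 1.1.1k  25 Mar 2021",
    "legacy01: OpenSSL 1.0.1e-fips 11 Feb 2013",
    "bsd01: LibreSSL 2.6.4",
]

if __name__ == "__main__":
    for host, status in sorted(scan_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

A version string is only a first pass. Distributions such as Red Hat backport security fixes without changing the patch letter (the Netezza bulletin above ships exactly such RHEL updates), so treat "vulnerable" as "check the vendor changelog" rather than as a finding on its own, and "unsupported" as a host that needs an upgrade regardless of this pair of CVEs.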
{"lastseen": "2023-05-15T18:10:15", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by Rational BuildForge Agent shipped with IBM Rational Team Concert. Rational BuildForge has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3735_](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/131047_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131047>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 5.0 - 6.0.5 \n \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 - 6.0.5\n\n## Remediation/Fixes\n\nUpgrade your Rational Build Forge Agent to version 8.0.0.6: \n\n\n * Rational Build Forge 8.0.0.6 [Download](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+Build+Forge&fixids=RationalBuildForge-8.0.0.6&source=SAR>).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: OpenSSL vulnerabilities affect IBM Rational Team Concert", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736"], "modified": "2021-04-28T18:35:50", "id": 
"DE6FC785FAEA5CDC22FA3DD95C1113BD7CE8E4668A2B0686DFF968822706AA72", "href": "https://www.ibm.com/support/pages/node/301661", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:45:25", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 8.5.15 used by Rational Asset Analyzer. Rational Asset Analyzer has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**Product** | **Affected Versions** \n---|--- \nRational Asset Analyzer | 6.1.0.0 - 6.1.0.18 \n \n## Remediation/Fixes\n\n**Product** | **VRMF** | **APAR** | **Remediation / First Fix** \n---|---|---|--- \nRational Asset Analyzer | 6.1.0.19 | - | [RAA 6.1 Fix Pack 19](<http://www-01.ibm.com/support/docview.wss?uid=swg27021389>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-01T05:35:01", "type": "ibm", "title": "Security Bulletin: There are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 8.5.15 used by Rational Asset Analyzer. 
Rational Asset Analyzer has addressed the applicable CVEs.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3732", "CVE-2017-3736"], "modified": "2018-12-01T05:35:01", "id": "9CCEB90B89301ED91DF7A501EF3103FD54D3AD611D342CF6E4B19E5105E84E35", "href": "https://www.ibm.com/support/pages/node/743097", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T18:03:31", "description": "## Summary\n\nOpenSSL is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3737](<https://vulners.com/cve/CVE-2017-3737>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the \"error state\" mechanism when directly calling SSL_read() or SSL_write() for an SSL object after receiving a fatal error. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136077> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). 
An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nPower HMC V8.6.0.0 \nPower HMC V8.7.0.0 \nPower HMC V9.1.910.0\n\n## Remediation/Fixes\n\nThe following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>\n\nProduct | VRMF | APAR | Remediation/Fix \n---|---|---|--- \nPower HMC | V8.8.6.0 SP3 | MB04172 | [MH01784](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm%7Ehmc%7E9100HMC&release=V8R8.6.0&platform=All>) \nPower HMC | V8.8.7.0 SP2 ppc | MB04174 | [MH01786](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm%7Ehmc%7E9100HMCppc&release=V8R8.7.0&platform=All>) \nPower HMC | V8.8.7.0 SP2 x86 | MB04173 | [MH01785](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm%7Ehmc%7E9100HMC&release=V8R8.7.0&platform=All>) \nPower HMC | V9.1.920.0 ppc | MB04176 | [MH01760](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm%7Ehmc%7E9100HMCppc&release=V9R1&platform=All>) \nPower HMC | V9.1.920.0 x86 | MB04175 | [MH01759](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm%7Ehmc%7E9100HMC&release=V9R1&platform=All>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-09-22T23:05:38", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2017-3737, CVE-2017-3736)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3736", "CVE-2017-3737"], "modified": "2021-09-22T23:05:38", "id": "B5FF3A0A4BEBE5C4947ADA43EB1B39C0645EF9ABEBE4A315AFFAEB9638C6CB41", "href": "https://www.ibm.com/support/pages/node/717891", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:46:07", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Java Runtime Environment, Versions 7 and 8 that are used by Rational Publishing Engine.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1656](<https://vulners.com/cve/CVE-2018-1656>) \n**DESCRIPTION:** The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2018-12539](<https://vulners.com/cve/CVE-2018-12539>) \n**DESCRIPTION:** Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148389> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nRational Publishing Engine 2.1.0 \nRational Publishing Engine 2.1.1 \nRational Publishing Engine 2.1.2 \nRational Publishing Engine 6.0.5 \nRational Publishing Engine 6.0.6\n\n## Remediation/Fixes\n\nFor Rational Publishing Engine 6.0.5 and 6.0.6, upgrade the IBM Java Runtime environment used with Rational Publishing Engine to version 8.0.5.20, which can be downloaded from: \n[Rational-RPE-JavaSE-JRE-8.0SR5FP20 ](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Rational+Publishing+Engine&fixids=Rational-RPE-JavaSE-JRE-8.0SR5FP20&source=SAR>)\n\nFor Rational Publishing Engine 2.1.0, 2.1.1 and 2.1.2 versions, upgrade the IBM Java Runtime environment used with Rational Publishing Engine to version 7.1.4.30, which can be downloaded from: \n[Rational-RPE-JavaSE-JRE-7.1SR4FP30 ](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Rational+Publishing+Engine&fixids=Rational-RPE-JavaSE-JRE-7.1SR4FP30&source=SAR>)\n\n## Workarounds and 
Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-02T15:50:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Java Runtime affect Rational Publishing Engine", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-12539", "CVE-2018-1656"], "modified": "2018-11-02T15:50:02", "id": "EF2B4F4110ACF96FDC34CF6D7B916C577277400859F5F464947088E0CE635995", "href": "https://www.ibm.com/support/pages/node/738347", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:44:41", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 that is used by IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center and IBM Spectrum Protect (formerly Tivoli Storage Manager) Client Management Service. These issues were disclosed as part of the IBM Java SDK updates in July 2018. 
\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1656](<https://vulners.com/cve/CVE-2018-1656>) \n**DESCRIPTION:** The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2018-12539](<https://vulners.com/cve/CVE-2018-12539>) \n**DESCRIPTION:** Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system. 
\nCVSS Base Score: 8.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148389> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nThe following levels of IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center are affected:\n\n * 8.1.0.000 through 8.1.6.000\n * 7.1.0.000 through 7.1.9.100\n\n \nThe following levels of IBM Spectrum Protect (formerly Tivoli Storage Manager) Client Management Services (CMS) are affected:\n\n * 8.1.0.000 through 8.1.6.000\n * 7.1.0.000 through 7.1.9.100\n\n## Remediation/Fixes\n\n**Operations \nCenter \nRelease**\n\n| **First Fixing \nVRM Level** | \n \n**Platform** | \n \n**Link to Fix** \n---|---|---|--- \n8.1 | 8.1.6.100 | AIX \nLinux \nWindows | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/opcenter/8.1.6.100> \n7.1 | 7.1.9.200 | AIX \nLinux \nWindows | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/opcenter/7.1.9.200> \n \n.\n\n**Client \nManagement Service (CMS) \nRelease** | **First Fixing \nVRM Level** | \n \n \n**Platform** | \n \n \n**Link to Fix** \n---|---|---|--- \n8.1 | 8.1.6.100 | Linux \nWindows | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/cms/8.1.6.100> \n7.1 | 7.1.9.200 | Linux \nWindows | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/cms/7.1.9.200> \n \n.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-01T00:25:01", "type": "ibm", 
"title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Operations Center and Client Management Service (CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1656, CVE-2018-12539)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-12539", "CVE-2018-1656"], "modified": "2019-02-01T00:25:01", "id": "440F021094DE35C6A13F9FADEA7C56D6B4093B16EFDEAEC496EC398C5AC7A327", "href": "https://www.ibm.com/support/pages/node/735433", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:45:38", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 7 and 8 that are used by Rational Developer for i and Rational Developer for AIX and Linux. These issues were disclosed as part of the IBM Java SDK updates in July 2018 (CVE-2017-3736 CVE-2017-3732 CVE-2016-0705 CVE-2018-1656 CVE-2018-12539). \n\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2018-1656](<https://vulners.com/cve/CVE-2018-1656>) \n**DESCRIPTION:** The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2018-12539](<https://vulners.com/cve/CVE-2018-12539>) \n**DESCRIPTION:** Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148389> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Product Name**\n\n| **Versions Affected** \n---|--- \nRational Developer for i, RPG and COBOL Tools, Modernization Tools- Java Edition, Modernization Tools- EGL Edition | 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.1, 9.5, 9.5.0.1, 9.5.0.2, 9.5.0.3, 9.5.1, 9.5.1.1, 9.5.1.2, 9.6, 9.6.0.1, 9.6.0.2, 9.6.0.3, 9.6.0.4 \nRational Developer for AIX and Linux, AIX COBOL Edition | 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.1, 9.1.1.2, 9.1.1.3, 9.1.1.4 \nRational Developer for AIX and Linux, C/C++ Edition | 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.1, 9.1.1.2, 9.1.1.3, 9.1.1.4 \n \n## Remediation/Fixes\n\nUpdate the IBM SDK, Java Technology Edition of the product to address this vulnerability:\n\n**Product**\n\n| **VRMF** | **Remediation/First Fix** \n---|---|--- \nRational Developer for i | 9.0 through to 9.1.1.1 | \n\n * For all versions, update the currently installed product using Installation Manager. 
** **For instructions on installing this update using Installation Manager, review the topic [_Updating Installed Product Packages_](<http://www.ibm.com/support/knowledgecenter/SSAE4W_9.1.1/com.ibm.etools.iseries.install.doc/topics/t_upgrading.html>) in the IBM Knowledge Center.\n * Or, you can optionally download the update manually and apply interim fix: [IBM SDK Java Technology Edition Critical Patch Update - July 2018 - RDi](<http://www.ibm.com/support/docview.wss?uid=ibm10740445>). Make sure to click on the **Java 7.0** **Update** FC link to update to IBM Java 7 SR10 FP30. \nRational Developer for i | 9.5 through to 9.6.0.4 | \n\n * For all versions, update the currently installed product using Installation Manager. ** ** For instructions on installing this update using Installation Manager, review the topic [_Updating Installed Product Packages_ ](<http://www.ibm.com/support/knowledgecenter/SSAE4W_9.6.0/com.ibm.etools.iseries.install.doc/topics/t_upgrading.html>) in the IBM Knowledge Center.\n * Or, you can optionally download the update manually and apply interim fix: [IBM SDK Java Technology Edition Critical Patch Update - July 2018 - RDi](<http://www.ibm.com/support/docview.wss?uid=ibm10740445>). Make sure to click on the **Java 8.0** **Update** FC link to update to IBM Java 8 SR5 FP20. \nRational Developer for AIX and Linux | 9.0 through to 9.1.1.4 | \n\n * For all client versions, update the currently installed product using Installation Manager. For instructions on installing this update using Installation Manager, review the topic [_Updating Installed Product Packages_](<http://www.ibm.com/support/knowledgecenter/SSPSQF_9.1.1/com.ibm.etools.install.rdal.doc/topics/t_upgrading.html>) in the IBM Knowledge Center.\n * Or, you can optionally download the update manually and apply interim fix: [IBM SDK Java Technology Edition Critical Patch Update - July 2018- RDAL](<http://www.ibm.com/support/docview.wss?uid=ibm10740465>). 
Make sure to click on the **Java 7.0** **Update** FC link to update to IBM Java 7 SR10 FP30. \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-22T17:20:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i and Rational Developer for AIX and Linux - July 2018", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-12539", "CVE-2018-1656"], "modified": "2018-11-22T17:20:01", "id": "3E4520A9DDDBF10F6B94F393C5ACDA44738184D5CB46AB64AABDC963283BECFE", "href": "https://www.ibm.com/support/pages/node/738743", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:46:20", "description": "## Summary\n\nThe following security issues have been identified in OpenSSL 1.0.2, which is included as part of IBM Tivoli Netcool System Service Monitors/Application Service Monitors. 
Upgrading to OpenSSL 1.0.2o addresses these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAdressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVE-ID: CVE-2017-3737 \nDescription: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the \\\"error state\\\" mechanism when directly calling SSL_read() or SSL_write() for an SSL object after receiving a fatal error. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/136077> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \nCVE-ID: CVE-2017-3738 \nDescription: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. \nNote: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/136078> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli Netcool System Service Monitors/Application Service Monitors v4.0.1\n\n## Remediation/Fixes\n\n \n\n\nProduct | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \n4.0.1.3-TIV-SSM-IF0003 | 4.0.1.3 (all platforms) | None | [4.0.1.3-TIV-SSM-IF0003](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003982>) \n \n## Workarounds and Mitigations\n\nNone known.\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-10-30T18:30:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service 
Monitors (CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0701", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738"], "modified": "2018-10-30T18:30:02", "id": "BA224C929D509ADDCB0F46007C0E0FACD292F79987D47E9F02DEFD7F67D0990C", "href": "https://www.ibm.com/support/pages/node/715747", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:51:32", "description": "## Summary\n\nMultiple vulnerabilities have been identified in OpenSSL that is embedded in the FSM. This bulletin addresses these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3735_](<https://vulners.com/cve/CVE-2017-3735>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAdressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/131047_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131047>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3738_](<https://vulners.com/cve/CVE-2017-3738>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. 
\nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/136078_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136078>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3737_](<https://vulners.com/cve/CVE-2017-3737>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the \\\"error state\\\" mechanism when directly calling SSL_read() or SSL_write() for an SSL object after receiving a fatal error. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/136077_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136077>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n \nFlex System Manager 1.3.4.2 \nFlex System Manager 1.3.4.1 \nFlex System Manager 1.3.4.0 \nFlex System Manager 1.3.3.2 \nFlex System Manager 1.3.3.1 \nFlex System Manager 1.3.3.0 \nFlex System Manager 1.3.2.3 \nFlex System Manager 1.3.2.2 \nFlex System Manager 1.3.2.1 \nFlex System Manager 1.3.2.0\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM and all affected remote Common Agent Services (CAS) endpoints using the instructions referenced in this table. \n \n \n\n\nProduct| VRMF| Remediation \n---|---|--- \nFlex System Manager| 1.3.4.0 \n1.3.4.1 \n1.3.4.2| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote [847550927](<http://www-01.ibm.com/support/docview.wss?uid=nas769be7782d8bdfd878625825700552750>) for instructions on installing updates for FSM version 1.3.4 and Agents. 
\nFlex System Manager| 1.3.3.0 \n1.3.3.1 \n1.3.3.2| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote [847550927](<http://www-01.ibm.com/support/docview.wss?uid=nas769be7782d8bdfd878625825700552750>) for instructions on installing updates for FSM version 1.3.3 and Agents. \nFlex System Manager| 1.3.2.0 \n1.3.2.1 \n1.3.2.2 \n1.3.2.3| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote [847550927](<http://www-01.ibm.com/support/docview.wss?uid=nas769be7782d8bdfd878625825700552750>) for instructions on installing updates for FSM version 1.3.2 and Agents. \n \nFor all other VRMF IBM recommends upgrading to a fixed, supported version/release of the product. \n \nNote: Installation of the fixes provided in the technote will install a cumulative fix package that will update the version of the FSM. Reference the technote for more details. \n \n\n\nYou should verify applying this fix does not cause any compatibility issues. 
The fix may disable older encrypted protocols by default.\n\nIBM recommends that you review your entire environment to identify other areas where you have enabled weak encryption and take appropriate mitigation and remediation actions.\n\nFor a complete listing of FSM security iFixes go to this technote: [http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E](<http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T01:42:30", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0701", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738"], "modified": "2018-06-18T01:42:30", "id": "38CCAB39CAFB6C2CE3724A92B67DF0EB31883A90C9A3CCC11561802DAE51A944", "href": "https://www.ibm.com/support/pages/node/664625", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:51:32", "description": "## Summary\n\nThere are multiple vulnerabilities in OpenSSL, which is used by the IBM Systems Director (ISD) Platform Agent. These OpenSSL vulnerabilities were disclosed in August 2017 and December 2017 by the OpenSSL Project.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3735_](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/131047_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131047>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n \n**CVEID:** [_CVE-2017-3737_](<https://vulners.com/cve/CVE-2017-3737>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the \"error state\" mechanism when directly calling SSL_read() or SSL_write() for an SSL object after receiving a fatal error. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/136077_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136077>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID:** [_CVE-2017-3738_](<https://vulners.com/cve/CVE-2017-3738>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. 
\nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/136078_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136078>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Systems Director: \n\n * 6.3.5.0 \n * 6.3.6.0\n * 6.3.7.0\n\n## Remediation/Fixes\n\nTo determine the ISD level installed, enter **smcli lsver** on a command line. IBM Systems Director versions before 6.3.5 are unsupported and will not be fixed. IBM recommends upgrading to a fixed, supported version of the product. \n \nFollow the instructions below to apply fixes to these releases: \n\n * 6.3.5.0 \n * 6.3.6.0\n * 6.3.7.0\n\n1\\. Open the link below to download the fix: \n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FDirector%2FSystemsDirector&fixids=SysDir6_3_5_0_6_3_6_0_6_3_7_0_IT23969_IT23970_IT23971_IT24320](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FDirector%2FSystemsDirector&fixids=SysDir6_3_5_0_6_3_6_0_6_3_7_0_IT23969_IT23970_IT23971_IT24320>)\n\n2\\. Select the fix package below, which includes fixes for all the supported platforms: \n\nSysDir6_3_5_0_6_3_6_0_6_3_7_0_IT23969_IT23970_IT23971_IT24320.zip\n\n3\\. Follow the instructions in the table for your platform. \n\n_Product_| _VRMF_| _Associated Technote_ \n---|---|--- \nIBM Systems Director and IBM Systems Director Platform Agent| Xlinux Platform Agent 6.3.5 to 6.3.7| [847016899](<http://www-01.ibm.com/support/docview.wss?uid=nas75c5d4e3b8dd301268625825200292b88>) \n\n\nGo to <http://www-01.ibm.com/support/us/search/> and search for the technote number. 
\n \nIBM Systems Director and IBM Systems Director Platform Agent| Windows Platform Agent 6.3.5 to 6.3.7| [847024529](<http://www-01.ibm.com/support/docview.wss?uid=nas7b08d7b391554c23e862582520025d518>)\n\nGo to <http://www-01.ibm.com/support/us/search/> and search for the technote number. \n \nIBM Systems Director and IBM Systems Director Platform Agent| Power Linux Platform Agent 6.3.5 to 6.3.7| [847063638](<http://www-01.ibm.com/support/docview.wss?uid=nas7fad412b8c94b3078862582520023bbdb>) \nGo to <http://www-01.ibm.com/support/us/search/> and search for the technote number. \nIBM Systems Director and \nIBM Systems Director Platform Agent| Zlinux Platform Agent 6.3.5 to 6.3.7| [847025689](<http://www-01.ibm.com/support/docview.wss?uid=nas73e7b40356a020a5f8625825200277e82>) \nGo to <http://www-01.ibm.com/support/us/search/> and search for the technote number. \nIBM Systems Director and \nIBM Systems Director Platform Agent| AIX Platform Agent 6.3.5 to 6.3.7| [84701391](<http://www-01.ibm.com/support/docview.wss?uid=nas7bf9436cc64e5591486258252002f7cf3>) \nGo to <http://www-01.ibm.com/support/us/search/> and search for the technote number. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T01:42:22", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM Systems Director Platform Agent.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0701", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738"], "modified": "2018-06-18T01:42:22", "id": "8AD3371B44D7ADBB4D07C11C71F4D7936BA847B275560A957AE1E42342ED2618", "href": "https://www.ibm.com/support/pages/node/664571", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:41:48", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed on August 28, November 2, and December 7, 2017 by the OpenSSL Project. OpenSSL is used by IBM Rational ClearCase. 
IBM Rational ClearCase has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID**: [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION**: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID**: [CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION**: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n**CVEID**: [CVE-2017-3737](<https://vulners.com/cve/CVE-2017-3737>) \n**DESCRIPTION**: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the \"error state\" mechanism when directly calling SSL_read() or SSL_write() for an SSL object after receiving a fatal error. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136077> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID**: [CVE-2017-3738](<https://vulners.com/cve/CVE-2017-3738>) \n**DESCRIPTION**: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. \n \nNote: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136078> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Rational ClearCase versions: \n\n**Version**| **Status** \n---|--- \n9.0.1 through 9.0.1.2| Affected \n9.0 through 9.0.0.6| Affected \n8.0.1 through 8.0.1.16| Affected \n8.0 through 8.0.0.21| Affected \n \nNot all deployments of Rational ClearCase use OpenSSL in a way that is affected by these vulnerabilities. \n \nYou are vulnerable if your use of Rational ClearCase includes _any_ of these configurations: \n\n\n 1. You use the base ClearCase/ClearQuest integration client on any platform, configured to use SSL to communicate with a ClearQuest server. \n\n 2. You use the UCM/ClearQuest integration on UNIX/Linux clients, configured to use SSL to communicate with a ClearQuest server. \n**Note:** Windows clients using the UCM/ClearQuest integration are not vulnerable. \n\n 3. 
On UNIX/Linux clients, you use the Change Management Integration (CMI), when configured to use SSL to communicate with the server. \n**Note:** Windows clients using the CMI integration are not vulnerable. \n\n 4. You use ratlperl, ccperl, or cqperl to run your own perl scripts, **and** those scripts use SSL connections.\n\n## Remediation/Fixes\n\nApply a fix pack as listed in the table below. The fix pack includes OpenSSL **1.0.2n.** \n\n**Affected Versions**| **Applying the fix** \n---|--- \n9.0.1 through 9.0.1.2 \n9.0 through 9.0.0.6| Install [Rational ClearCase Fix Pack 3 (9.0.1.3) for 9.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044201>) \n8.0.1 through 8.0.1.16 \n8.0 through 8.0.0.21| Install [Rational ClearCase Fix Pack 17 (8.0.1.17) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044199>) \n \n_For 7.0.x, 7.1.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearCase (CVE-2017-3736, CVE-2017-3735, CVE-2017-3737, CVE-2017-3738)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, 
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0701", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738"], "modified": "2018-07-10T08:34:12", "id": "45EE862A886525741A09CA53CB36F782AC0F17020C63C71E3DF1B5FD95DE8F34", "href": "https://www.ibm.com/support/pages/node/302463", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-23T21:42:20", "description": "## Summary\n\nMegaRAID Storage Manager has addressed the following vulnerabilities in OpenSSL.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>)\n\n**Description:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>)\n\n**Description:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). 
An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.\n\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3737](<https://vulners.com/cve/CVE-2017-3737>)\n\n**Description:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the \"error state\" mechanism when directly calling SSL_read() or SSL_write() for an SSL object after receiving a fatal error. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions.\n\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136077> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3738](<https://vulners.com/cve/CVE-2017-3738>)\n\n**Description:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. 
Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.\n\nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136078> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n**Affected Products and Versions**\n\nProduct | Affected Version \n---|--- \nMegaRAID Storage Manager | 17.0 \n \n**Remediation/Fixes**\n\nFirmware fix versions are available on Fix Central: \n<http://www.ibm.com/support/fixcentral/>.\n\nProduct | Fix Version \n---|--- \nMegaRAID Storage Manager \n(ibm_utl_msm_17.05.01.03_linux_32-64) \n(ibm_utl_msm_17.05.01.03_windows_32-64) | 17.05.01.03 \n \n**Workarounds and Mitigations**\n\nNone\n\n**References**\n\n * [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide.html>)\n * [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0>)\n\n**Related Information** \n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n[Lenovo Product Security Advisories](<https://support.lenovo.com/us/en/product_security/home>)\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n28 March 2018: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-10-24T14:31:04", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in OpenSSL affect MegaRAID Storage Manager (CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0701", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738"], "modified": "2019-10-24T14:31:04", "id": 
"55B312F2DF953395E8F31E665185E8F229A2FB4AA7956F73AA21C6BE4D286CF0", "href": "https://www.ibm.com/support/pages/node/868954", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:48:48", "description": "## Summary\n\nMultiple security vulnerabilities have been identified in OpenSSL, which is used by IBM Cloud Manager with OpenStack. IBM Cloud Manager with OpenStack has addressed these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3735_](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/131047_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131047>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3738_](<https://vulners.com/cve/CVE-2017-3738>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/136078_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136078>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n\n**CVEID:** [_CVE-2017-3737_](<https://vulners.com/cve/CVE-2017-3737>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the \"error state\" mechanism when directly calling SSL_read() or SSL_write() for an SSL object after receiving a fatal error. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/136077_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136077>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product Name**| **Affected Versions** \n---|--- \nIBM Cloud Manager with OpenStack| 4.3 \n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **Remediation / First Fix** \n---|---|--- \nIBM Cloud Manager with OpenStack| 4.3| Upgrade to 4.3 FP 10: [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FCloud+Manager+with+Openstack&fixids=4.3.0.10-IBM-CMWO-FP10&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FCloud+Manager+with+Openstack&fixids=4.3.0.10-IBM-CMWO-FP10&source=SAR>) \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-08T04:13:55", "type": "ibm", "title": "Security Bulletin: IBM Cloud Manager with OpenStack is affected by OpenSSL vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0701", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738"], "modified": "2018-08-08T04:13:55", "id": "CBAD9A5D72D7476363185541BD693344F4EEB28C6708F8A48B2849B3FD618351", "href": "https://www.ibm.com/support/pages/node/664287", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T17:52:21", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed in August, November, and December 2017 by the OpenSSL Project. IBM Spectrum Control (formerly Tivoli Storage Productivity Center), which uses OpenSSL, has addressed the applicable CVEs. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3735_](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/131047_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131047>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2017-3737_](<https://vulners.com/cve/CVE-2017-3737>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the \"error state\" mechanism when directly calling SSL_read() or SSL_write() for an SSL object after receiving a fatal error. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/136077_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136077>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3738_](<https://vulners.com/cve/CVE-2017-3738>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. 
\nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/136078_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136078>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Product**| **Affected Versions** \n---|--- \nIBM Tivoli Storage Productivity Center| 5.2.0 - 5.2.7.1 \nIBM Spectrum Control| 5.2.8 - 5.2.15.2 \n \nThe versions listed above apply to all licensed offerings of IBM Spectrum Control. \n\n## Remediation/Fixes\n\nThe solution is to apply an appropriate IBM Spectrum Control fix. Click on the download link and follow the installation instructions. The solution should be implemented as soon as practicable.\n\nStarting with 5.2.8, Tivoli Storage Productivity Center has been renamed to IBM Spectrum Control.\n\n**Release**| **First Fixing VRM Level**| **Link to Fix/Fix Availability Target** \n---|---|--- \n5.2.x| 5.2.16| [_http://www.ibm.com/support/docview.wss?uid=swg21320822_](<http://www.ibm.com/support/docview.wss?uid=swg21320822>) \n \n**Note:** It is always recommended to have a current backup before applying any update procedure. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-22T19:27:34", "type": "ibm", "title": "Security Bulletin: IBM Spectrum Control (formerly IBM Tivoli Storage Productivity Center) is affected by OpenSSL vulnerabilities (CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0701", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738"], "modified": "2022-02-22T19:27:34", "id": "972701C7DC1452FBCF01B7BFE4A7289076C9DC38C28E80665321248205EAAF12", "href": "https://www.ibm.com/support/pages/node/300519", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:41:26", "description": "## Summary\n\nRational DOORS has addressed the following vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2018-1457_](<https://vulners.com/cve/CVE-2018-1457>) \n**DESCRIPTION:** An undisclosed vulnerability in the IBM Rational DOORS 9 application allows an attacker to gain DOORS administrator privileges. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/140208_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140208>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After updating, customers should change their passwords to ensure that the new password is stored more securely. Products should encourage customers to take this step as a high-priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nRational DOORS: 9.5.1 - 9.5.1.9 \nRational DOORS: 9.5.2 - 9.5.2.8 \nRational DOORS: 9.6.0 - 9.6.0.7 \nRational DOORS: 9.6.1 - 9.6.1.10\n\nRational DOORS: 9.7.x \n \nThe following Rational DOORS components are affected:\n\n * Rational DOORS desktop client\n * Rational DOORS interoperation server\n\n## Remediation/Fixes\n\nUpgrade to the fix pack that corresponds to the version of Rational DOORS that you are running, as shown in the following table. Upgrade the Rational DOORS client, the Rational DOORS database server, and the Rational DOORS interoperation server. \nNOTE: You should verify applying this fix does not cause any compatibility issues. \n**Rational DOORS version** | **Upgrade to fix pack** \n---|--- \n9.5.1 - 9.5.1.9 | [9.5.1.10](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+DOORS&fixids=9.5.1.10-RATIONAL-DOORS-fixpack1&release=9.5&platform=All&source=SAR>) \n9.5.2 - 9.5.2.8 | [](<http://w3.hursley.ibm.com/java/jim/ibmsdks/java60/601615/index.html>)[9.5.2.9](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+DOORS&fixids=9.5.2.9-RATIONAL-DOORS-fixpack1&release=9.5&platform=All&source=SAR>) \n9.6.0 - 9.6.0.7 | [9.6.0.8](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+DOORS&fixids=9.6.0.8-RATIONAL-DOORS-fixpack1&release=9.6.0.0&platform=All&source=SAR>) \n9.6.1 - 9.6.1.10 | [9.6.1.11](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+DOORS&fixids=9.6.1.11-RATIONAL-DOORS-fixpack&release=9.6.1.10&platform=All&source=SAR>) \n \n \n_For Rational DOORS version 9.5.0.x and earlier, IBM 
recommends upgrading to a fixed, supported version/release/platform of the product._\n\n \n**Citrix and Remote desktop** \nTo reduce installation overhead and to increase security, many clients make use of remote desktop software (Citrix or Microsoft Remote Desktop). All remote desktop solutions provide communication level security in addition to the benefits for installation. Clients using a remote desktop solution such as Citrix XenApp can organize their network infrastructure to forbid users from accessing DOORS directly and so avoid issues regarding communication exposures as described by this vulnerability.\n\n \n**Update to Server Security** \nThe fix to prevent an attacker from gaining DOORS administrator privileges is an enhancement to the DOORS server security functionality. DOORS must be configured to use server security to enable this feature. When enabled, interop servers will now only connect to the database server if approved. This can be done by either starting the database server using the \"secureInteropbyIP\" command line switch or by adding the interop server certificate information to an allowlist.dat file. The allowlist.dat file needs to be located at the top level of the DOORS data directory.\n\nIf the database server is started using the \"secureInteropbyIP\" command line switch then the allowlist.dat file is unnecessary if all the interop servers are running on the same machine as the database server. Interop servers must be started with the \"sssServer\" command line switch to be recognised as secure by the database server. 
\nFor further information see the documentation on how to configure [server security](<https://www.ibm.com/support/knowledgecenter/SSYQBZ_9.6.1/com.ibm.doors.configuring.doc/topics/c_configuringrserversidesecurity.html>).\n\n**Configure Rational DOORS Web Access** \nIf you are using Rational DOORS Web Access, after you upgrade, _but before you start the Rational DOORS Web Access server_, edit the core configuration file and set the required version of the interoperation server to the version of the fix pack upgrade, as described in the following steps.\n\n**Procedure:**\n\n 1. To edit the Rational DOORS Web Access core configuration file, open the `festival.xml` file, which is in the `server\\festival\\config` directory.\n 2. Add the following line in the `<f:properties>` section: \n \n`<``**f:property name=\"interop.version\" value=\"9.n.n.n\"**`` />` \n \nReplace \"`9.n.n.n`\" with the version of the fix pack upgrade: 9.5.1.10, 9.5.2.9, 9.6.0.8, or 9.6.1.11.\n 3. Save and close the file.\n\nAfter this revision, only the specified version of the interoperation server can access the Rational DOORS database.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-29T16:11:30", "type": "ibm", "title": "Security Bulletin: Rational DOORS is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1427", "CVE-2018-1447", "CVE-2018-1457"], "modified": "2020-06-29T16:11:30", "id": "050C4CD191E772BBB89D37433656A4CF140CE5C30F03D9CE4A5D8081AA772A03", "href": "https://www.ibm.com/support/pages/node/712319", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:44:58", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6, Version 7 ,version 8, that is used by DB2 Recovery Expert for Linux, Unix and Windows. These issues were disclosed as part of the IBM Java SDK updates in July 2018.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID: **[CVE-2018-2952](<https://vulners.com/cve/CVE-2018-2952>) \n**DESCRIPTION: **An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146815> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID: **[CVE-2018-1656](<https://vulners.com/cve/CVE-2018-1656>) \n**DESCRIPTION: **The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2018-12539](<https://vulners.com/cve/CVE-2018-12539>) \n**DESCRIPTION:** Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148389> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nDB2 Recovery Expert for LUW 5.1 \nDB2 Recovery Expert for LUW 5.1 Interim Fix 1 (IF1) \nDB2 Recovery Expert for LUW 5.1.0.1 (also called 5.1 Fix Pack 1) \nDB2 Recovery Expert for LUW 5.1.0.1 IF1 \nDB2 Recovery Expert for LUW 5.1.0.1 IF2 \nDB2 Recovery Expert for LUW 5.1.0.2 (also called 5.1 Fix Pack 2) \nDB2 Recovery Expert for LUW 5.1.0.2 IF1 \n\n\n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation/First Fix_ \n---|---|--- \n**_DB2 Recovery Expert for Linux, Unix and Windows_** | _had been fixed in V5.1.0.3_ | [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EInformation%20Management&product=ibm/Information+Management/DB2+Recovery+Expert+for+Linux+UNIX+and+Windows&release=All&platform=All&function=all](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EInformation%20Management&product=ibm/Information+Management/DB2+Recovery+Expert+for+Linux+UNIX+and+Windows&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nThere are no 
workarounds except to replace the JRE with the latest JRE. \nTo solve the problem without updating the entire Recovery Expert product, the user can replace the existing JRE that is installed into the product installation tree in the \u201cjre\u201d directory with a newer JRE that includes the security fixes. \n \nInstructions to replace the IBM JRE for DB2 Recovery Expert for Linux, UNIX and Windows \n \n1\\. Identify the version and platform of your DB2 Recovery Expert installation. \n2\\. See the table below to find the IBM JRE download link that matches your product version and platform. If you cannot find a JRE download link for your product version and platform, contact IBM Technical Support and refer to this tech note. \n3\\. Download the zip file (for example: ibm-java-jre-x.x-x.x-linux-x86_64.tgz) and extract it to a folder on a local file system (for example: /tmp/ibm-jre-x.x-x.x). \n4\\. Stop the DB2 Recovery Expert server using the stop.sh command (for example: /opt/ibm/RE/stop.sh). \n5\\. Back up and then delete the contents of the \u201cjre\u201d folder from your product installation directory (for example: /opt/ibm/RE/jre). \n6\\. Copy the contents of the \u201cjre\u201d folder from the latest IBM JRE that you downloaded in Step 3 (for example: /tmp/ibm-jre-x.x-x.x/jre/) to the \u201cjre\u201d folder in your product installation directory (for example: /opt/ibm/RE/jre/).* \n7\\. Ensure that the file permissions for the new JRE files and folders match the file permissions for the original JRE files and folders. If necessary, set 775 recursively. \n8\\. Restart the DB2 Recovery Expert server using the start.sh command (for example: /opt/ibm/RE/start.sh). 
\n \n* NOTE: You must repeat from Step 6 again any time you install an APAR or upgrade to an affected version of DB2 Recovery Expert.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-02T07:42:29", "type": "ibm", "title": "Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jul 2018 - Includes Oracle Jul 2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windows", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-12539", "CVE-2018-1656", "CVE-2018-2952"], "modified": "2019-08-02T07:42:29", "id": "773DDD02D33CA887669E403873832C97214FE7479EC22378C819CABAB56A0F98", "href": "https://www.ibm.com/support/pages/node/964590", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:45:48", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 and 8 that is used by IBM Operational Decision Manager (ODM). 
These issues were disclosed as part of the IBM Java SDK updates in July 2018. \n \n\n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities please refer to the link for \u201cIBM Java SDK Security Bulletin\u201d located in the \u201cReferences\u201d section for more information. \n\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2018-1656](<https://vulners.com/cve/CVE-2018-1656>) \n**DESCRIPTION:** The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2018-2973](<https://vulners.com/cve/CVE-2018-2973>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Embedded JSSE component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146835> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2018-12539](<https://vulners.com/cve/CVE-2018-12539>) \n**DESCRIPTION:** Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system. 
\nCVSS Base Score: 8.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148389> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n * IBM Operational Decision Manager v8.5\n * IBM Operational Decision Manager v8.6\n * IBM Operational Decision Manager v8.7\n * IBM Operational Decision Manager v8.8\n * IBM Operational Decision Manager v8.9\n\n## Remediation/Fixes\n\nIBM recommends upgrading to a fixed, supported version/release/platform of the product:\n\n * IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 30 and subsequent releases\n * IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 20 and subsequent releases\n\n \nSelect the following interim fix to upgrade your JDK based on your version of the product and operating system:\n\nIBM Operational Decision Manager v8.5: \nIBM Operational Decision Manager v8.6: \nIBM Operational Decision Manager v8.7: \nIBM Operational Decision Manager v8.8: \nInterim fix for APAR RS03231 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): \n**8.5.0.0-WS-ODM_JDK7-<OS>-****IF002** \n \nIBM Operational Decision Manager v8.8: \nIBM Operational Decision Manager v8.9: \nInterim fix for APAR RS03231 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): \n**8.8.0.0-WS-ODM_JDK8-<OS>-****IF002** \n \n \nFor IBM WebSphere Operational Decision Management v7.1, v7.5, v8.0, v8.5 IBM recommends upgrading to a fixed supported version.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-16T14:35:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affect IBM Operational Decision Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-12539", "CVE-2018-1656", "CVE-2018-2973"], "modified": "2018-11-16T14:35:01", "id": "3165A2AA157F1B9BD1D78DE6275BFF661B98BF29C82399B7216463D7581B8060", "href": "https://www.ibm.com/support/pages/node/740447", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:44:47", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7.0.10.30 and Version 8.0.5.20 used by Rational Functional Tester (RFT) version 8.3.0 - 8.6.0.6 and 8.6.0.7 - 9.2.0.1. RFT has addressed the applicable CVEs.\n\n## Vulnerability Details\n\nRational Functional Tester has addressed the following vulnerabilities:\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code. 
For a complete list of vulnerabilities, refer to the \"**IBM Java SDK Security Bulletin**\", located in the References section for more information.\n\n**CVEID:** [CVE-2018-1656](<https://vulners.com/cve/CVE-2018-1656>) \n**DESCRIPTION:** The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)\n\n**CVEID: ** [CVE-2018-12539](<https://vulners.com/cve/CVE-2018-12539>) \n**DESCRIPTION: ** Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148389> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2018-0705>) \n**DESCRIPTION: ** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. \nAn attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\n * Rational Functional Tester: 8.3.0 - 8.6.0.6\n * Rational Functional Tester: 8.6.0.7 - 9.2.0.1\n\n## Remediation/Fixes\n\nApply the correct fix pack or iFix for your version of the Rational Functional Tester :\n\n**Product** | **Version** | **APAR** | **Remediation/ First Fix** \n---|---|---|--- \nRFT | 8.3.0 - 8.3.0.x, 8.5.0 - 8.5.0.x, 8.5.1 - 8.5.1.x, and 8.6.0 - 8.6.0.6 | None | Download IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 30 _ [**iFix**](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Functional+Tester&release=8.6.0.6&platform=All&function=fixId&fixids=Rational-RFT-Java7SR10FP30-ifix&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true>) _ from the Fix Central and apply it. \nRFT | 8.6.0.7 - 8.6.0.10, 9.1 - 9.1.1.1, and 9.2 - RFT9.2.0.1 | None | Download IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 20 **_ [iFix](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Functional+Tester&release=9.2.1&platform=All&function=fixId&fixids=Rational-RFT-Java8SR5FP20-ifix&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) _ **from the Fix Central and apply it. 
\n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-08T15:40:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-0705", "CVE-2018-12539", "CVE-2018-1656"], "modified": "2019-01-08T15:40:01", "id": "1E5AE139B10CF500092EA776D2FBEC36F6F4E6FA4F54A5E7D26647544F0BCEDC", "href": "https://www.ibm.com/support/pages/node/730123", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-22T01:47:35", "description": "## Summary\n\nThere are multiple vulnerabilities related to IBM\u00ae Runtime Environment Java\u2122 Technology Edition which is used and shipped by different versions of IBM Rational License Key Server Administration and Reporting Tool Admin (ART). 
\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-3180](<https://vulners.com/cve/CVE-2018-3180>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JSSE component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact. \nCVSS Base Score: 5.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151497> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [CVE-2018-2973](<https://vulners.com/cve/CVE-2018-2973>) \n**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Java SE, Java SE Embedded JSSE component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146835> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2018-2940](<https://vulners.com/cve/CVE-2018-2940>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146803> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). 
An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n * RLKS Administration and Reporting Tool version 8.1.5\n * RLKS Administration and Reporting Tool version 8.1.5.1\n * RLKS Administration and Reporting Tool version 8.1.5.2\n * RLKS Administration and Reporting Tool version 8.1.5.3\n * RLKS Administration and Reporting Tool version 8.1.5.4\n * RLKS Administration and Reporting Tool version 8.1.5.5\n\n## Remediation/Fixes\n\nFor the 8.1.5 - 8.1.5.5 releases, upgrade the RLKS Administration and Reporting Tool Admin and Agent to version 8.1.5.6 or later:\n\n * _[RLKS Administration and Reporting Tool Admin 8.1.5.6](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?product=ibm/Rational/Rational+Common+Licensing&release=All&platform=All&function=fixId&fixids=IBM_RLKS_Administration_And_Reporting_Tool_8156&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)_\n * _[RLKS Administration and Reporting Tool Agent 8.1.5.6](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?product=ibm/Rational/Rational+Common+Licensing&release=All&platform=All&function=fixId&fixids=IBM_RLKS_Administration_And_Reporting_Agent_8156&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)_\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-21T20:15:01", "type": "ibm", "title": "Security Bulletin: Security 
vulnerabilities in IBM Java Runtime affect IBM RLKS Administration and Reporting Tool Admin", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-2940", "CVE-2018-2973", "CVE-2018-3180"], "modified": "2018-12-21T20:15:01", "id": "43D6A9E05A4CC6A06B189CA54AC124E51768DDF9C5BF0CCD807BBC3420EEFF39", "href": "https://www.ibm.com/support/pages/node/791413", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:46:21", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 used by Content Collector for SAP Applications. These issues were disclosed as part of the IBM Java SDK updates in July 2018.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2018-1656](<https://vulners.com/cve/CVE-2018-1656>) \n**DESCRIPTION:** The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2018-2952](<https://vulners.com/cve/CVE-2018-2952>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146815> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2018-1656](<https://vulners.com/cve/CVE-2018-1656>) \n**DESCRIPTION:** The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2018-2952](<https://vulners.com/cve/CVE-2018-2952>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146815> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2018-12539](<https://vulners.com/cve/CVE-2018-12539>) \n**DESCRIPTION:** Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148389> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Content Collector for SAP Applications v4.0\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM** | **Remediation** \n---|---|--- \nIBM Content Collector for SAP Applications | 4.0 | Use IBM Content Collector for SAP Applications[ 4.0.0.2-ICCSAP-JRE-7.0.10.30](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Content%20Management&product=ibm/Information+Management/IBM+Content+Collector+for+SAP+Applications&release=4.0.0.2&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-30T12:25:01", "type": 
"ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for SAP Applications", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-12539", "CVE-2018-1656", "CVE-2018-2952"], "modified": "2018-10-30T12:25:01", "id": "46D4B9F92B3C18E29E5C7BBEC13D92B5ECA31B1A6E3BE57749375938FC2B3CBC", "href": "https://www.ibm.com/support/pages/node/737813", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:46:58", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 7 and 8 that are used by IBM Rational Application Developer for WebSphere Software. These issues were disclosed as part of the IBM Java SDK updates in August 2018.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1656](<https://vulners.com/cve/CVE-2018-1656>) \n**DESCRIPTION: **The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2018-12539](<https://vulners.com/cve/CVE-2018-12539>) \n**DESCRIPTION:** Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148389> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2018-0705>) \n**DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. \nAn attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Application Developer 9.0- 9.0.1.2\n\nRational Application Developer 9.1 - 9.1.1.2\n\nRational Application Developer 9.5 - 9.5.0.3\n\nRational Application Developer 9.6 - 9.6.1.1\n\n## Remediation/Fixes\n\nUpdate the IBM SDK, Java Technology Edition of the product to address this vulnerability:\n\n**Product**\n\n| **VRMF** | **APAR** | **Remediation/First Fix** \n---|---|---|--- \nRational Application Developer | 9.5 through 9.6 | \n\nPH03600\n\n| \n\n * For all versions, [IBM SDK Technology Edition Critical Patch Update](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FRational%2FIBM+Rational+Application+Developer+for+WebSphere+Software&fixids=Rational-RAD-Java7SR10FP30_RAD_RSA-ifix&source=SAR&function=fixId&parent=ibm/Rational>) \nRational Application Developer | 9.0 through 9.1 | \n\nPH03600\n\n| \n\n * For all versions, [IBM SDK Technology Edition Critical Patch 
Update](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FRational%2FIBM+Rational+Application+Developer+for+WebSphere+Software&fixids=Rational-RAD-Java8SR5FP20_RAD_RSA-ifix&source=SAR&function=fixId&parent=ibm/Rational>) \n \n## Workarounds and Mitigations\n\nNo known workarounds.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-04T18:30:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-0705", "CVE-2018-12539", "CVE-2018-1656"], "modified": "2018-10-04T18:30:01", "id": "0C0756C600D4B428F9DDC7547681FF909EA01654FA2BE7931EB24F307960FE26", "href": "https://www.ibm.com/support/pages/node/733905", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:41:47", "description": "## Summary\n\nMultiple vulnerabilities in OpenSSL affect WebSphere Message Broker, IBM Integration Bus and IBM App Connect. 
The DataDirect ODBC Drivers used by WebSphere Message Broker , IBM App Connect and IBM Integration Bus have addressed the applicable CVEs. \n\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAdressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3738](<https://vulners.com/cve/CVE-2017-3738>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. 
\nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136078> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2018-0737](<https://vulners.com/cve/CVE-2018-0737>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a cache-timing side channel attack in the RSA Key generation algorithm. An attacker with access to mount cache timing attacks during the RSA key generation process could exploit this vulnerability to recover the private key and obtain sensitive information. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141679> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3737](<https://vulners.com/cve/CVE-2017-3737>) \n**DESCRIPTION:** An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and high availability impact. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136077> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM App Connect V11.0.0.0 - V11.0.0.1\n\nIBM Integration Bus V10.0.0.0 - V10.0.0.13\n\nIBM Integration Bus V9.0.0.0 - V9.0.0.10\n\nWebSphere Message Broker V8.0.0.0 - V8.0.0.9\n\n## Remediation/Fixes\n\n**Product** | **VRMF** | **APAR** | **Remediation / Fix** \n---|---|---|--- \nIBM App Connect | V11.0.0.0 - V11.0.0.1 | IT22675, IT25537 | The APAR is available in fix pack 11.0.0.2: [IBM App Connect Enterprise Version V11-Fix Pack 11.0.0.2](<https://www-01.ibm.com/support/docview.wss?uid=ibm10734317>) \nIBM Integration Bus | V10.0.0.0 - V10.0.0.13 | IT22675, IT25537 | The APAR is available in fix pack 10.0.0.14: [IBM Integration Bus V10.0 - Fix Pack 10.0.0.14](<http://www-01.ibm.com/support/docview.wss?uid=ibm10732699>) \nIBM Integration Bus | V9.0.0.0 - V9.0.0.10 | IT22675 | The APAR is available in fix pack 9.0.0.11: [IBM Integration Bus V9.0 - Fix Pack 9.0.0.11](<https://www-01.ibm.com/support/docview.wss?uid=swg24044511>) \nWebSphere Message Broker | V8.0.0.0 - V8.0.0.9 | IT22675 | Contact IBM support to request the fix APAR \n \n_Websphere Message Broker V8 is no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. 
_ \n_If you are a customer with extended support and require a fix, contact IBM support._\n\nNote: CVE-2017-3735 is addressed in 10.0.0.13.\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-03-23T20:41:52", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker , IBM Integration Bus and IBM App Connect", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0701", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738", "CVE-2018-0737"], "modified": "2020-03-23T20:41:52", "id": "BC2283C42C5754BA56D4B137D9299A766BC1E54917CDB4BD5C57BE600AAD1E60", "href": "https://www.ibm.com/support/pages/node/735561", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-23T21:45:16", "description": "## Summary\n\nIBM has announced a release for IBM Security Identity Governance and Intelligence (IGI) in response to security vulnerabilities 3 issues for OpenSSL: 2 for a denial of service and 1 for an error while parsing an IPAdressFamily extension in an X.509 certificate.\n\n## Vulnerability Details\n\n**CVEID:** 
[CVE-2018-0732](<https://vulners.com/cve/CVE-2018-0732>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the sending of a very large prime value to the client by a malicious server during key agreement in a TLS handshake. By spending an unreasonably long period of time generating a key for this prime, a remote attacker could exploit this vulnerability to cause the client to hang. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144658> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2018-0739](<https://vulners.com/cve/CVE-2018-0739>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service. By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could exploit this vulnerability to consume excessive stack memory. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140847> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3735](<https://vulners.com/cve/CVE-2017-3735>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAdressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Security Identity Governance and Intelligence (IGI) 5.2.4, 5.2.4.1, 5.2.5.0\n\n## Remediation/Fixes\n\nProduct Name | VRMF | First Fix \n---|---|--- \nIGI | 5.2.4 | [5.2.5.0-ISS-SIGI-FP0001](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=All&platform=Linux&function=fixId&fixids=5.2.5.0-ISS-SIGI-FP0001&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIGI | 5.2.4.1 | [5.2.5.0-ISS-SIGI-FP0001](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=All&platform=Linux&function=fixId&fixids=5.2.5.0-ISS-SIGI-FP0001&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIGI | 5.2.5.0 | 
[5.2.5.0-ISS-SIGI-FP0001](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=All&platform=Linux&function=fixId&fixids=5.2.5.0-ISS-SIGI-FP0001&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n## Workarounds and Mitigations\n\n**None**\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-07-19T10:10:01", "type": "ibm", "title": "Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities (CVE-2018-0732, CVE-2018-0739, CVE-2017-3735)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2018-0732", "CVE-2018-0739"], "modified": "2019-07-19T10:10:01", "id": "3F709EA726EB2BD99A9BF0A52B5FBF758B042727BAB188CBB7DC446E3FE28E4C", "href": "https://www.ibm.com/support/pages/node/959275", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T17:56:29", "description": "## Summary\n\nLinux OpenSSL is vulnerable to a denial of service, affected by CVES : CVE-2017-3735, CVE-2018-0732, 
CVE-2018-0739.\n\n## Vulnerability Details\n\nCVEID: CVE-2018-0732 \nDESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the sending of a very large prime value to the client by a malicious server during key agreement in a TLS handshake. By spending an unreasonably long period of time generating a key for this prime, a remote attacker could exploit this vulnerability to cause the client to hang. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144658> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \nCVEID: CVE-2018-0739 \nDESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could exploit this vulnerability to consume excessive stack memory. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140847> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \nCVEID: CVE-2017-3735 \nDESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAdressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131047> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nPower HMC V8.7.0.0 \nPower HMC V9.1.910.0\n\n## Remediation/Fixes\n\nThe following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>\n\nProduct | VRMF | APAR | Remediation/Fix \n---|---|---|--- \nPower HMC | V8.8.7. 2 PTF3 ppc | MB04193 | [MH01807](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm%7Ehmc%7E9100HMCppc&release=V8R8.7.0&platform=All>) \nPower HMC | V8.8.7. 2 PTF3 x86 | MB04192 | [MH01806](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm%7Ehmc%7E9100HMC&release=V8R8.7.0&platform=All>) \nPower HMC | V9.1.920.0 SP1 ppc | MB04195 | [MH01809](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm%7Ehmc%7E9100HMCppc&release=V9R1&platform=All>) \nPower HMC | V9.1.920.0 SP1 x86 | MB04194 | [MH01808](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm%7Ehmc%7E9100HMC&release=V9R1&platform=All>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-09-22T23:05:38", "type": 
"title": "Security Bulletin: Vulnerability in OpenSSL affects Power Hardware Management Console", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735", "CVE-2018-0732", "CVE-2018-0739"], "modified": "2021-09-22T23:05:38", "id": "A4829964562D4DA75AC835389538AF91BE820F503BFE614BB74E402BC80BACA1", "href": "https://www.ibm.com/support/pages/node/794451", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:41:36", "description": "## Summary\n\nOpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM Workload Manager. IBM Workload Manager has addressed the applicable CVEs\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-0739](<https://vulners.com/cve/CVE-2018-0739>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service. By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could exploit this vulnerability to consume excessive stack memory. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140847> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2018-0733](<https://vulners.com/cve/CVE-2018-0733>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by the failure to properly compare byte values by the PA-RISC CRYPTO_memcmp() function used on HP-UX PA-RISC targets. 
An attacker could exploit this vulnerability to forge messages, some of which may be authenticated. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140849> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3738](<https://vulners.com/cve/CVE-2017-3738>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136078> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3737](<https://vulners.com/cve/CVE-2017-3737>) \n**DESCRIPTION:** An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and high availability impact. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136077> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). 
An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nTWS uses OpenSSL only for secure communication between internal processes. \nFor Tivoli Workload Scheduler Distributed, TWS nodes are impacted by OpenSSL security exposures only if the TWS workstation has been defined with \u201csecuritylevel\u201d set to on or enabled or force. \nThese security exposures do not apply to WebSphere Application Server but only to programs installed under <TWS home>/bin. \nTivoli Workload Scheduler Distributed 9.1.0 FP02 and earlier \nTivoli Workload Scheduler Distributed 9.2.0 FP02 and earlier \nIBM Workload Scheduler Distributed 9.3.0 FP03 and earlier \nIBM Workload Scheduler Distributed 9.4.0 FP03 and earlier\n\n## Remediation/Fixes\n\nAPAR IJ07385 has been opened to address the OpenSSL vulnerabilities for Tivoli Workload Scheduler. \nThe following limited availability fixes for IJ07385 are available for download on FixCentral: \n9.1.0-TIV-TWS-FP0002-IJ07385 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.1.0 FP02 \n9.3.0-TIV-TWS-FP0002-IJ07385 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.3.0 FP03 \n \nAPAR IJ07385 has been included in 9.2.0-TIV-TWS-FP0003 and 9.4.0-TIV-TWS-FP0004. \nFor these affected releases, IJ07385 supersedes IJ00716, IV91052, IV85683, IV82641, IV71646, IV70763, IV66395, IV66398, IV62010, IV61392, IV75062. 
\nFor Unsupported releases IBM recommends upgrading to a fixed, supported release of the product.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-19T15:00:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Scheduler", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0701", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738", "CVE-2018-0733", "CVE-2018-0739"], "modified": "2020-06-19T15:00:50", "id": "4829928E4C7715561CB19AF103394931A0114E34E269A614FDFFC77D2F61D9C7", "href": "https://www.ibm.com/support/pages/node/717163", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2023-05-18T15:22:34", "description": "The version of IBM HTTP Server running on the remote host is affected by multiple vulnerabilities, including the following:\n\n - IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key 
material. (CVE-2018-1426)\n\n - The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. (CVE-2018-1447)\n\n - There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem. 
(CVE-2017-3732)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-06T00:00:00", "type": "nessus", "title": "IBM HTTP Server 7.0.0.0 <= 7.0.0.43 / 8.0.0.0 <= 8.0.0.14 / 8.5.0.0 < 8.5.5.14 / 9.0.0.0 < 9.0.0.8 Multiple Vulnerabilities (569301)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3193", "CVE-2016-0702", "CVE-2016-7056", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:ibm:http_server"], "id": "IBM_HTTP_SERVER_569301.NASL", "href": "https://www.tenable.com/plugins/nessus/144773", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144773);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2016-0702\",\n \"CVE-2016-7056\",\n \"CVE-2017-3732\",\n \"CVE-2017-3736\",\n \"CVE-2018-1426\",\n \"CVE-2018-1427\",\n \"CVE-2018-1447\"\n );\n script_bugtraq_id(\n 83740,\n 95375,\n 95814,\n 101666,\n 103536,\n 104511,\n 105580\n );\n\n script_name(english:\"IBM HTTP Server 7.0.0.0 <= 7.0.0.43 / 8.0.0.0 <= 8.0.0.14 / 8.5.0.0 < 8.5.5.14 / 9.0.0.0 < 9.0.0.8 Multiple Vulnerabilities (569301)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of IBM HTTP Server running on the remote host is affected by multiple vulnerabilities, including the following:\n\n - IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across\n fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and\n a risk of duplicate 
key material. (CVE-2018-1426)\n\n - The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6)\n CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A\n weak password may be recovered. Note: After update the customer should change password to ensure the new\n password is stored more securely. Products should encourage customers to take this step as a high priority\n action. (CVE-2018-1447)\n\n - There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before\n 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA\n and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks\n against DH are considered just feasible (although very difficult) because most of the work necessary to\n deduce information about a private key may be performed offline. The amount of resources required for such\n an attack would be very significant and likely only accessible to a limited number of attackers. An\n attacker would additionally need online access to an unpatched system using the target private key in a\n scenario with persistent DH parameters and a private key that is shared between multiple clients. For\n example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very\n similar to CVE-2015-3193 but must be treated as a separate problem. (CVE-2017-3732)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.ibm.com/support/pages/node/569301\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM HTTP Server version 7.0.0.45, 8.5.5.14, 9.0.0.8, or later. 
Alternatively, upgrade to the minimal fix\npack levels required by the interim fix and then apply Interim Fix PI91913 or PI94222.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1426\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:http_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ibm_http_server_nix_installed.nbin\");\n script_require_keys(\"installed_sw/IBM HTTP Server (IHS)\");\n\n exit(0);\n}\n\n\ninclude('vcf.inc');\n\napp = 'IBM HTTP Server (IHS)';\nfix = 'Interim Fix PI94222';\n\napp_info = vcf::get_app_info(app:app);\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\nif ('PI91913' >< app_info['Fixes'] || 'PI94222' >< app_info['Fixes'])\n audit(AUDIT_INST_VER_NOT_VULN, app);\n\nconstraints = [\n { 'min_version' : '7.0.0.0', 'max_version' : '7.0.0.43', 'fixed_display' : '7.0.0.45 or Interim Fix PI91913'},\n { 'min_version' : '8.0.0.0', 'max_version' : '8.0.0.14', 'fixed_display' : fix },\n { 'min_version' : '8.5.0.0', 'max_version' : '8.5.5.13', 'fixed_display' : '8.5.5.14 or ' + fix },\n { 'min_version' : '9.0.0.0', 'max_version' : '9.0.0.7', 'fixed_display' : '9.0.0.8 or ' + fix }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:22:31", "description": "The remote host is affected by the vulnerability described in GLSA-201712-03 (OpenSSL: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in OpenSSL. 
Please review the referenced CVE identifiers for details.\n Impact :\n\n A remote attacker could cause a Denial of Service condition, recover a private key in unlikely circumstances, circumvent security restrictions to perform unauthorized actions, or gain access to sensitive information.\n Workaround :\n\n There are no known workarounds at this time.", "cvss3": {}, "published": "2017-12-15T00:00:00", "type": "nessus", "title": "GLSA-201712-03 : OpenSSL: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:openssl", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201712-03.NASL", "href": "https://www.tenable.com/plugins/nessus/105263", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201712-03.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105263);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-3735\", \"CVE-2017-3736\", \"CVE-2017-3737\", \"CVE-2017-3738\");\n script_xref(name:\"GLSA\", value:\"201712-03\");\n\n script_name(english:\"GLSA-201712-03 : OpenSSL: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201712-03\n(OpenSSL: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in OpenSSL. Please review\n the referenced CVE identifiers for details.\n \nImpact :\n\n A remote attacker could cause a Denial of Service condition, recover a\n private key in unlikely circumstances, circumvent security restrictions\n to perform unauthorized actions, or gain access to sensitive information.\n \nWorkaround :\n\n There are no known workarounds at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201712-03\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All OpenSSL users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-libs/openssl-1.0.2n'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:openssl\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-libs/openssl\", unaffected:make_list(\"ge 1.0.2n\"), vulnerable:make_list(\"lt 1.0.2n\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"OpenSSL\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:27:12", "description": "The remote host is running a version of NSM (Network and Security Manager) Server that is prior to 2012.2R14. 
It is, therefore, affected by multiple vulnerabilities in the bundled version of OpenSSL.", "cvss3": {}, "published": "2018-04-27T00:00:00", "type": "nessus", "title": "Juniper NSM < 2012.2R14 OpenSSL Multiple Vulnerabilities (JSA10851)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:juniper:network_and_security_manager"], "id": "JUNIPER_NSM_JSA10851.NASL", "href": "https://www.tenable.com/plugins/nessus/109406", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(109406);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2017-3735\",\n \"CVE-2017-3736\",\n \"CVE-2017-3737\",\n \"CVE-2017-3738\"\n );\n script_bugtraq_id(\n 100515,\n 101666,\n 102103,\n 102118\n );\n script_xref(name:\"IAVA\", value:\"2018-A-0134\");\n\n script_name(english:\"Juniper NSM < 2012.2R14 OpenSSL Multiple Vulnerabilities (JSA10851)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of NSM (Network and Security\nManager) Server that is prior to 2012.2R14. 
It is, therefore, affected\nby multiple vulnerabilities in the bundled version of OpenSSL.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10851\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Juniper NSM version 2012.2R14 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-3735\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/27\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:juniper:network_and_security_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"juniper_nsm_gui_svr_detect.nasl\");\n script_require_keys(\"Juniper_NSM_VerDetected\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\n\nkb_base = \"Host/NSM/\";\n\n# Since we can't detect the package change remotely this needs to be paranoid.\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nget_kb_item_or_exit(\"Juniper_NSM_VerDetected\");\n\nkb_list = make_list();\n\ntemp = get_kb_list(\"Juniper_NSM_GuiSvr/*/build\");\n\nif (!isnull(temp) && max_index(keys(temp)) > 0)\n kb_list = make_list(kb_list, keys(temp));\n\ntemp = get_kb_list(\"Host/NSM/*/build\");\nif (!isnull(temp) && max_index(keys(temp)) > 0)\n kb_list = make_list(kb_list, keys(temp));\n\nif (max_index(kb_list) == 0) audit(AUDIT_NOT_INST, \"Juniper NSM Servers\");\n\nreport = '';\n\nentry = branch(kb_list);\n\nport = 0;\nkb_base = '';\n\nif (\"Juniper_NSM_GuiSvr\" >< entry)\n{\n port = entry - \"Juniper_NSM_GuiSvr/\" - \"/build\";\n kb_base = \"Juniper_NSM_GuiSvr/\" + port + \"/\";\n\n report_str1 = \"Remote GUI server version : \";\n report_str2 = \"Fixed version : \";\n}\nelse\n{\n kb_base = entry - \"build\";\n if (\"guiSvr\" >< kb_base)\n {\n report_str1 = \"Local GUI server version : \";\n report_str2 = \"Fixed version : \";\n }\n else\n {\n report_str1 = \"Local device server version : \";\n report_str2 = \"Fixed version : \";\n }\n}\n\nbuild = get_kb_item_or_exit(entry);\nversion = get_kb_item_or_exit(kb_base + 'version');\n\nversion_disp = version + \" (\" + build + \")\";\n\n# NSM 2012.2R14 or later\n# replace r or R with . for easier version comparison\n# in 2010 and 2011 versions they use S instead of R\nversion_num = ereg_replace(pattern:\"(r|R|s|S)\", replace:\".\", string:version);\n\n# remove trailing . 
if it exists\nversion_num = ereg_replace(pattern:\"\\.$\", replace:\"\", string:version_num);\n\nfix_disp = \"2012.2R14\";\nfix_num = \"2012.2.14\";\nif (ver_compare(ver:version_num, fix:fix_num, strict:FALSE) < 0)\n{\n report = '\\n ' + report_str1 + version_disp +\n '\\n ' + report_str2 + fix_disp +\n '\\n';\n security_report_v4(severity:SECURITY_WARNING, port:port, extra:report);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Juniper NSM\", version_disp);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-03T15:11:42", "description": "According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.x prior to 16.2.12.3 or 17.x prior to 17.12.3.0. It is, therefore, affected by multiple vulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2018-04-19T00:00:00", "type": "nessus", "title": "Oracle Primavera Unifier Multiple Vulnerabilities (April 2018 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15095", "CVE-2017-7525"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:primavera_unifier"], "id": "ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2018.NASL", "href": "https://www.tenable.com/plugins/nessus/109164", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(109164);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-7525\", \"CVE-2017-15095\");\n script_bugtraq_id(99623, 103880);\n\n script_name(english:\"Oracle Primavera Unifier Multiple Vulnerabilities (April 2018 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on the remote web server is affected by\nmultiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Oracle Primavera\nUnifier installation running on the remote web server is 16.x prior to\n16.2.12.3 or 17.x prior to 17.12.3.0. It is, therefore, affected by \nmultiple vulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?76507bf8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle Primavera Unifier version 16.2.12.3 / 17.12.3.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7525\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:primavera_unifier\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_primavera_unifier.nbin\");\n script_require_keys(\"installed_sw/Oracle Primavera Unifier\", \"www/weblogic\");\n script_require_ports(\"Services/www\", 8002);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\nget_install_count(app_name:\"Oracle Primavera Unifier\", exit_if_zero:TRUE);\n\nport = get_http_port(default:8002);\nget_kb_item_or_exit(\"www/weblogic/\" + port + \"/installed\");\n\napp_info = vcf::get_app_info(app:\"Oracle Primavera Unifier\", port:port);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"16.0.0.0\", \"fixed_version\" : \"16.2.12.3\" },\n { \"min_version\" : \"17.0.0.0\", \"fixed_version\" : \"17.12.3.0\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE); \n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-03T14:23:04", "description": "It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing: following DSA-4004-1 for CVE-2017-7525, an additional set of classes was identified as unsafe for deserialization.", "cvss3": {}, "published": "2017-11-17T00:00:00", "type": "nessus", "title": "Debian DSA-4037-1 : jackson-databind - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15095", "CVE-2017-7525"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:jackson-databind", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4037.NASL", "href": "https://www.tenable.com/plugins/nessus/104643", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4037. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104643);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-15095\");\n script_xref(name:\"DSA\", value:\"4037\");\n\n script_name(english:\"Debian DSA-4037-1 : jackson-databind - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that jackson-databind, a Java library used to parse\nJSON and other data formats, improperly validated user input prior to\ndeserializing: following DSA-4004-1 for CVE-2017-7525, an additional\nset of classes was identified as unsafe for deserialization.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-7525\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/jackson-databind\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/jackson-databind\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-4037\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the jackson-databind packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 2.4.2-2+deb8u2.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2.8.6-1+deb9u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libjackson2-databind-java\", reference:\"2.4.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libjackson2-databind-java-doc\", reference:\"2.4.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libjackson2-databind-java\", reference:\"2.8.6-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libjackson2-databind-java-doc\", reference:\"2.8.6-1+deb9u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-04T14:38:13", "description": "An update for 
rh-eclipse47-jackson-databind is now available for Red Hat Developer Tools.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.\n\nSecurity Fix(es) :\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.\n(CVE-2017-15095)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting this issue.", "cvss3": {}, "published": "2017-11-14T00:00:00", "type": "nessus", "title": "RHEL 7 : rh-eclipse47-jackson-databind (RHSA-2017:3189)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15095", "CVE-2017-7525"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:rh-eclipse47-jackson-databind", "p-cpe:/a:redhat:enterprise_linux:rh-eclipse47-jackson-databind-javadoc", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2017-3189.NASL", "href": "https://www.tenable.com/plugins/nessus/104538", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:3189. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104538);\n script_version(\"3.10\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2017-15095\");\n script_xref(name:\"RHSA\", value:\"2017:3189\");\n\n script_name(english:\"RHEL 7 : rh-eclipse47-jackson-databind (RHSA-2017:3189)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for rh-eclipse47-jackson-databind is now available for Red\nHat Developer Tools.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe jackson-databind package provides general data-binding\nfunctionality for Jackson, which works on top of Jackson core\nstreaming API.\n\nSecurity Fix(es) :\n\n* A deserialization flaw was discovered in the jackson-databind which\ncould allow an unauthenticated user to perform code execution by\nsending the maliciously crafted input to the readValue method of the\nObjectMapper. 
This issue extends the previous flaw CVE-2017-7525 by\nblacklisting more classes that could be used maliciously.\n(CVE-2017-15095)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting this\nissue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:3189\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-15095\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected rh-eclipse47-jackson-databind and / or\nrh-eclipse47-jackson-databind-javadoc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-eclipse47-jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-eclipse47-jackson-databind-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:3189\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", reference:\"rh-eclipse47-jackson-databind-2.7.6-3.3.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"rh-eclipse47-jackson-databind-javadoc-2.7.6-3.3.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n 
extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rh-eclipse47-jackson-databind / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:22:15", "description": "According to its banner, the version of OpenSSL running on the remote host is 1.1.0 prior to 1.1.0g. It is, therefore, affected by an unspecified carry vulnerability.", "cvss3": {}, "published": "2017-11-06T00:00:00", "type": "nessus", "title": "OpenSSL 1.1.0 < 1.1.0g RSA/DSA Unspecified Carry Issue", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735", "CVE-2017-3736"], "modified": "2019-11-12T00:00:00", "cpe": ["cpe:/a:openssl:openssl"], "id": "OPENSSL_1_1_0G.NASL", "href": "https://www.tenable.com/plugins/nessus/104409", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104409);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\"CVE-2017-3735\", \"CVE-2017-3736\");\n script_bugtraq_id(100515);\n\n script_name(english:\"OpenSSL 1.1.0 < 1.1.0g RSA/DSA Unspecified Carry Issue\");\n script_summary(english:\"Performs a banner check.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A service running on the remote host is affected by an unspecified \ncarry vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of OpenSSL running on the remote\nhost is 1.1.0 prior to 1.1.0g. 
It is, therefore, affected by an \nunspecified carry vulnerability.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20171102.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to OpenSSL version 1.1.0g or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-3735\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"openssl_version.nasl\");\n script_require_keys(\"openssl/port\");\n\n exit(0);\n}\n\ninclude(\"openssl_version.inc\");\n\nopenssl_check_version(fixed:'1.1.0g', min:\"1.1.0\", severity:SECURITY_WARNING);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:22:05", "description": "The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected