Sep 26, 2022 - 5:45 a.m.

Security Bulletin: IBM Informix Cryptographic Library Updates (CVE-2012-2190, CVE-2012-2191, CVE-2012-2203)

2022-09-26 05:45:55
www.ibm.com

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.068 Low
Percentile: 93.8%

Abstract

Multiple security problems exist in the IBM GSKit libraries that IBM Informix and IBM Informix ClientSDK use to provide communications security and other cryptographic functionality.

Content

**CVE ID:** CVE-2012-2190

DESCRIPTION:
GSKit allows remote attackers to cause a denial of service (daemon crash) via a crafted ClientHello message in the TLS Handshake Protocol.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/75994 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**CVE ID:** CVE-2012-2191

DESCRIPTION:
GSKit does not properly validate data during execution of a protection mechanism against the Vaudenay SSL CBC timing attack, which allows remote attackers to cause a denial of service (application crash) via crafted values in the TLS Record Layer.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/75996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**CVE ID:** CVE-2012-2203

DESCRIPTION:
GSKit uses the PKCS #12 file format for certificate objects without enforcing file integrity, which makes it easier for remote attackers to spoof SSL servers via vectors involving insertion of an arbitrary root Certification Authority (CA) certificate.

CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/77280 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

AFFECTED PRODUCTS:
IBM Informix 11.50.xC9W2 or earlier
IBM Informix 11.70.xC6 or earlier
IBM Informix ClientSDK 3.50.xC9W2 or earlier
IBM Informix ClientSDK 3.70.xC6 or earlier

REMEDIATION:
Upgrade to the latest fixpack for the products.

Fix(es):
The fix is available in these versions at Fix Central:

IBM Informix 11.50 - upgrade to Informix 11.50.xC9W3 or later
IBM Informix 11.70 - upgrade to Informix 11.70.xC7 or later
IBM Informix ClientSDK 3.50 - upgrade to CSDK 3.50.xC9W3 or later
IBM Informix ClientSDK 3.70 - upgrade to CSDK 3.70.xC7 or later

Workaround(s): None known.

Mitigation(s): None known.
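
A fix-level check for the versions listed above, as an added example (not IBM's code and not part of the bulletin). It assumes installed version strings follow the bulletin's pattern with a platform letter in place of `x` (for example `11.70.FC6`); the product keys, host names and inventory are constructed.

```python
import re

# Fix levels from the bulletin, as (C level, W level) per product branch.
FIXED = {
    ("informix", "11.50"): (9, 3),  # 11.50.xC9W3 or later
    ("informix", "11.70"): (7, 0),  # 11.70.xC7 or later
    ("csdk", "3.50"): (9, 3),       # 3.50.xC9W3 or later
    ("csdk", "3.70"): (7, 0),       # 3.70.xC7 or later
}

# Assumed layout: <major>.<minor>.<platform letter>C<n>[W<n>]
VERSION_RE = re.compile(r"^(\d+\.\d+)\.[A-Za-z]C(\d+)(?:W(\d+))?$")


def assess(product, version):
    """Compare one installed version against the bulletin's fix level."""
    m = VERSION_RE.match(version.strip())
    if not m:
        # Unknown suffixes are not guessed at; review these by hand.
        raise ValueError(f"unrecognised version string: {version!r}")
    branch = m.group(1)
    level = (int(m.group(2)), int(m.group(3) or 0))
    fixed = FIXED.get((product, branch))
    if fixed is None:
        return "not-listed"  # branch is not covered by this bulletin
    # Numeric tuple comparison, so C10 sorts after C7 (a string compare would not).
    return "at-or-above-fix-level" if level >= fixed else "below-fix-level"


def needs_upgrade(inventory):
    """Return the hosts whose version is below the bulletin's fix level."""
    return [host for host, product, version in inventory
            if assess(product, version) == "below-fix-level"]


# Constructed inventory: (host, product key, reported version).
SAMPLE = [
    ("db-a", "informix", "11.50.FC9W2"),
    ("db-b", "informix", "11.50.UC9W3"),
    ("db-c", "informix", "11.70.FC10"),
    ("app-1", "csdk", "3.70.TC6"),
    ("db-d", "informix", "12.10.FC1"),
]

if __name__ == "__main__":
    for host in needs_upgrade(SAMPLE):
        print(f"{host}: upgrade required")
```
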

REFERENCES:

RELATED INFORMATION:

CHANGE HISTORY: 2013-04-12 Original version published.

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash._

_Note:_ According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
