Security Bulletin: IBM API Connect is affected by multiple GSKit and OpenSSL vulnerabilities

Summary

IBM API Connect has addressed multiple vulnerabilities in GSKit and OpenSSL.

Vulnerability Details

CVEID: CVE-2016-0705
**DESCRIPTION:*OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3732
**DESCRIPTION:*OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-3736
**DESCRIPTION:*OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1428
**DESCRIPTION:*IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1427
**DESCRIPTION:*IBM GSKit contains several enviornment variables that a local attacker could overflow and cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1426
**DESCRIPTION:*IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2018-1447
**DESCRIPTION:*The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM API Connect 5.0.0.0-5.0.8.4

|

5.0.8.5

|

LI80493

|

Addressed in IBM API Connect V5.0.8.5 fix pack.

Follow this link and find the APIConnect_Management package.

http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.4&platform=All&function=all&source=fc

Workarounds and Mitigations

None