IBM7D226D01806C1C59E6610F664A15F9D27774FD340AD97273C9BC5E1EA774E83ESecurity Bulletin: Vulnerabilities in OpenSSL affect Sterling Connect:Express for UNIX (CVE-2014-3513, CVE-2014-3567, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205 and CVE-2015-0206)
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
Summary
OpenSSL vulnerabilities along with SSL 3 Fallback protection (TLS_FALLBACK_SCSV) were disclosed on October 15, 2014 and January 8, 2015 by the OpenSSL Project. OpenSSL is used by Sterling Connect:Express for UNIX. Sterling Connect:Express for UNIX has addressed the applicable CVEs and included the SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) provided by OpenSSL
Vulnerability Details
CVEID: CVE-2014-3513 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97035> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-3567 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97036> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-3570 DESCRIPTION: An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-3572 DESCRIPTION: OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 1.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-8275 DESCRIPTION: OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate bypass security restrictions and perform unauthorized actions.
CVSS Base Score: 1.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-0204 DESCRIPTION: OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 1.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-0205 DESCRIPTION: OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.
CVSS Base Score: 2.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Affected Products and Versions
IBM Sterling Connect:Express for UNIX 1.4.6
- All versions prior to 1.4.6.1 iFix 146-108
IBM Sterling Connect:Express for UNIX 1.5.0.11
- All versions prior to 1.5.0.11 iFix 150-1109
Remediation/Fixes
The recommended solution is to apply the fix as soon as practical. Please see below for information about the available fixes
| VRMF | Remediation |
|---|---|
| 1.4.6 | Please contact your local IBM Remote Technical Support Center to request Connect:Express 1.4.6.1 iFix 146-109 |
| 1.5.0.11 | Apply 1.5.0.11 iFix 150-1110, available on Fix Central |
In addition to the fix installation and in order to protect Connect:Express from the CVE-2015-0204 vulnerability, EXPORT ciphers must be disabled in all SSL server definitions. Refer to the chapter 4 of IBM Sterling Connect:Express for UNIX Option SSL documentation to learn how to specify a cipher list in a SSL server definition. In the cipher list, all EXPORT ciphers must be disabled. Visit https://www.openssl.org/ to learn how to use the OpenSSL cipher list tool.
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm sterling connect:express for unix | eq | 1.5 | |
| ibm sterling connect:express for unix | eq | 1.4 |
Related
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C