7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
An OpenSSL vulnerability disclosed by the OpenSSL Project affects GSKit. IBM Sterling Connect:Direct for UNIX uses GSKit and therefore is also vulnerable. This vulnerability is known as the SWEET32 Birthday attack.
CVEID: CVE-2016-2183
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
IBM Sterling Connect:Direct for Unix 4.2.0.0 through 4.2.0.4.iFix035
IBM recommends that you review your entire environment to identify areas that enable DES/3DES cipher suites and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling DES/3DES cipher suites. You should verify that disabling DES/3DES cipher suites does not cause any compatibility issues.
Apply and enable the following fix when you cannot disable DES/3DES cipher suites in your environment.
V.R.M.F | APAR | Remediation/First Fix |
---|---|---|
4.2.0 | IT19347 | Apply 4.2.0.4.iFix036, available on Fix Central |
The fix adds the ability to engage a GSKit remediation for this vulnerability via a system environment variable named CD_GSK_OPTIONS. To enable the remediation, set the value of this system environment variable to GSK_ENFORCE_TDEA_RESTRICTION. Then cycle (stop and restart) Sterling Connect:Direct.
Caution: The effect of this remediation is to arbitrarily break a session after 32 GB of data have been transmitted.
In addition to the GSKit remediation, CD Secure+ Admin Tool (SPAdmin) and CD Secure+ CLI (SPCli) have been enhanced to display warnings when deprecated cipher suites or protocols have been configured. At this time these include all cipher suites using RC4, DES/3DES or no encryption algorithm, and the SSLv3 protocol.
Note: Deprecated cipher suites and protocols may be disabled in a future update.
Disable DES/3DES cipher suites.
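Added example (not from the IBM bulletin): Python that shows the birthday-bound arithmetic behind the 32 GB session limit in the caution above, comparing the 64-bit block of DES/3DES with the 128-bit block of AES, and that flags cipher suite names in the deprecated categories SPAdmin/SPCli now warn about (RC4, DES/3DES, no encryption). Substring matching on IANA-style or OpenSSL-style suite names is an assumption of this example, not the tool's own logic.

```python
import math

BLOCK_BITS_3DES = 64   # DES/3DES use 64-bit blocks; SWEET32 applies to any 64-bit block cipher
BLOCK_BITS_AES = 128


def collision_probability(num_blocks: int, block_bits: int) -> float:
    """Birthday-bound approximation of P(at least one repeated ciphertext
    block) after num_blocks blocks under one key: 1 - exp(-n^2 / 2^(b+1))."""
    return -math.expm1(-(num_blocks ** 2) / 2 ** (block_bits + 1))


def bytes_at_birthday_bound(block_bits: int) -> int:
    """Bytes sent when 2^(b/2) blocks have been encrypted under one key.
    For b=64 this is 2^32 blocks * 8 bytes = 2^35 bytes = 32 GiB, the
    session limit GSK_ENFORCE_TDEA_RESTRICTION enforces."""
    return 2 ** (block_bits // 2) * (block_bits // 8)


def risk_after_bytes(num_bytes: int, block_bits: int = BLOCK_BITS_3DES) -> float:
    """Collision probability after num_bytes of traffic on one session key."""
    return collision_probability(num_bytes // (block_bits // 8), block_bits)


# Deprecated categories from the bulletin. Order matters: "3DES" is tested
# before the broader "DES" substring. Assumption: names follow IANA
# (TLS_RSA_WITH_3DES_EDE_CBC_SHA) or OpenSSL (DES-CBC3-SHA) spelling.
DEPRECATED_MARKERS = {
    "RC4": "RC4 stream cipher",
    "3DES": "3DES, 64-bit block (SWEET32)",
    "DES": "DES/3DES, 64-bit block (SWEET32)",
    "NULL": "no encryption",
}


def flag_deprecated_suites(suites):
    """Return {suite_name: reason} for every suite in a deprecated category."""
    flagged = {}
    for suite in suites:
        upper = suite.upper()
        for marker, reason in DEPRECATED_MARKERS.items():
            if marker in upper:
                flagged[suite] = reason
                break
    return flagged


if __name__ == "__main__":
    print(f"3DES birthday bound: {bytes_at_birthday_bound(64) / 2**30:.0f} GiB")
    print(f"P(collision) after 32 GiB with 3DES: {risk_after_bytes(32 * 2**30):.3f}")
    print(f"P(collision) after 32 GiB with AES:  {risk_after_bytes(32 * 2**30, 128):.2e}")
    print(flag_deprecated_suites(["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA"]))
```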
CPE | Name | Operator | Version |
---|---|---|---|
 | ibm sterling connect:direct for unix | eq | 4.2 |