Lucene search

K
ibmIBM82A5F2C9706BD66C797BC6A7F8BACE57F9828B34609CF0365037187895397090
HistoryMar 28, 2019 - 7:00 a.m.

Security Bulletin: Security vulnerabilities identified in OpenSSL affect Rational Build Forge (CVE-2018-0734, CVE-2018-5407 and CVE-2019-1559)

2019-03-2807:00:01
www.ibm.com
4

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

Summary

OpenSSL has security vulnerabilities that allows a remote attacker to exploit the application. Respective security vulnerabilities are discussed in detail in the subsequent sections.

Vulnerability Details

This section includes the vulnerability details that affects the Rational Build Forge.

CVEID: CVE-2018-0734
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing side channel attack in the DSA signature algorithm. An attacker could exploit this vulnerability using variations in the signing algorithm to recover the private key. CVSS Base Score: 3.7 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152085&gt; for the current score. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-5407
DESCRIPTION: Multiple SMT/Hyper-Threading architectures and processors could allow a local attacker to obtain sensitive information, caused by execution engine sharing on Simultaneous Multithreading (SMT) architecture. By using the PortSmash new side-channel attack, an attacker could run a malicious process next to legitimate processes using the architecture’s parallel thread running capabilities to leak encrypted data from the CPU’s internal processes.

NOTE: This vulnerability is known as PortSmash.

CVSS Base Score: 5.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152484&gt; for the current score. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVE-ID:CVE-2019-1559
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. An attacker could exploit this vulnerability using a 0-byte record padding-oracle attack to decrypt traffic. **CVSS Base Score:**5.8 CVSS Temporal Score:<https://exchange.xforce.ibmcloud.com/vulnerabilities/157514&gt; for more information *CVSS Environmental Score: **Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

IBM Rational Build Forge from 8.0.0.10.

Remediation/Fixes

You must download the Fix pack specified in the following table and apply it.

Affected Supporting Product

|

Remediation/Fix

—|—

IBM Rational Build Forge 8.0.0.10

| Rational Build Forge 8.0.0.11 Download .

Workarounds and Mitigations

None.

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

Related for 82A5F2C9706BD66C797BC6A7F8BACE57F9828B34609CF0365037187895397090