Lucene search

K
ibmIBM8AD3371B44D7ADBB4D07C11C71F4D7936BA847B275560A957AE1E42342ED2618
HistoryJun 18, 2018 - 1:42 a.m.

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Systems Director Platform Agent .

2018-06-1801:42:22
www.ibm.com
3

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

Summary

There are multiple vulnerabilities in OpenSSL that is used by IBM Systems Director(ISD) Platform Agent. These OpenSSL vulnerabilities were disclosed in August 2017 and December 2017 by the OpenSSL Project.

Vulnerability Details

CVEID: CVE-2017-3735**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAdressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131047 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-3736**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-3737**
DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the "error state" mechanism when directly calling SSL_read() or SSL_write() for an SSL object after receiving a fatal error. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136077 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-3738**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136078 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Systems Director:

  • 6.3.5.0
  • 6.3.6.0
  • 6.3.7.0

Remediation/Fixes

To determine the ISD level installed, enter smcli lsver on a command line. IBM Systems Director versions pre-6.3.5 are unsupported and will not be fixed. IBM recommends upgrading to a fixed, supported version of the product.

Please follow the instructions provided to apply fixes on the below releases.

  • 6.3.5.0
  • 6.3.6.0
  • 6.3.7.0

1. Open the below link to download the fix:

_
__http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FDirector%2FSystemsDirector&fixids=SysDir6_3_5_0_6_3_6_0_6_3_7_0_IT23969_IT23970_IT23971_IT24320 _

2. Select the below fix package that includes fixes for all the supported platforms:

SysDir6_3_5_0_6_3_6_0_6_3_7_0_IT23969_IT23970_IT23971_IT24320.zip

3. Follow the Instructions in the table for your desired platform

Product VRMF Associated Technote
IBM Systems Director and IBM Systems Director Platform Agent Xlinux Platform Agent 6.3.5 to 6.3.7 847016899

Go to <http://www-01.ibm.com/support/us/search/&gt; and search for the technote number.

IBM Systems Director and IBM Systems Director Platform Agent| Windows Platform Agent 6.3.5 to 6.3.7| 847024529

Go to <http://www-01.ibm.com/support/us/search/&gt; and search for the technote number.

IBM Systems Director and IBM Systems Director Platform Agent| Power Linux Platform Agent 6.3.5 to 6.3.7| 847063638
Go to <http://www-01.ibm.com/support/us/search/&gt; and search for the technote number.
IBM Systems Director and
IBM Systems Director Platform Agent| Zlinux Platform Agent 6.3.5 to 6.3.7| 847025689
Go to <http://www-01.ibm.com/support/us/search/&gt; and search for the technote number.
IBM Systems Director and
IBM Systems Director Platform Agent| AIX Platform Agent 6.3.5 to 6.3.7| 84701391
Go to <http://www-01.ibm.com/support/us/search/&gt; and search for the technote number.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm systems directoreqany

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

Related for 8AD3371B44D7ADBB4D07C11C71F4D7936BA847B275560A957AE1E42342ED2618