IBM8C189A4A1E730005F1F6728800F9EEB4D76D43743AEC3B91CE47044F6F13EBE4Security Bulletin: Vulnerabilities in SSLv3 and GNU C library (glibc) affect multiple products shipped with Intelligent Cluster (CVE-2014-3566, CVE-2015-0235)
3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.975 High
EPSS
Percentile
100.0%
Summary
Information about security vulnerabilities affecting multiple products shipped as components of Intelligent Cluster has been published in security bulletins. The SSLv3 vulnerability (CVE-2014-3566) is referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. The GNU C library (glibc) vulnerability CVE-2014-3566 is referred to as GHOST.
Vulnerability Details
Summary
Information about security vulnerabilities affecting multiple products shipped as components of Intelligent Cluster has been published in security bulletins. The SSLv3 vulnerability (CVE-2014-3566) is referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. The GNU C library (glibc) vulnerability CVE-2014-3566 is referred to as GHOST.
Vulnerability Details
CVE-ID: CVE-2014-3566
Description: Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/97013> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2015-0235
Description: The gethostbyname functions of the GNU C Library (glibc) are vulnerable to a buffer overflow. By sending a specially crafted, but valid hostname argument, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the targeted process or cause the process to crash. The impact of an attack depends on the implementation details of the targeted application or operating system. This issue is being referred to as the “Ghost” vulnerability.
CVSS Base Score: 7.6
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/100386> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Please consult the security bulletins below for vulnerability details and information about fixes.
- IBM BladeCenter AMM
- IBM System x Integrated Management Module (IMM)
- IBM Flex System Integrated Management Module (IMM)
- IBM Flex System Chassis Management Module (CMM)
- IBM RackSwitch G8264
- IBM RackSwitch G8264T
- IBM Flex System FC5022 16Gb SAN Switch
- IBM Flex System FC3171 8Gb SAN Switch & Passthru
- IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch
- IBM GCM16-GCM32 KVM
- IBM SAN24B-4 Series Switches
- Brocade 8Gb SAN Switch Module for IBM BladeCenter
- Brocade 10Gb SAN Switch Module for IBM BladeCenter
- Brocade 4Gb SAN Switch Module for IBM BladeCenter
- IBM Converged Switch B32
- Intel Xeon Phi PCIe adapters
- DDN SFA12000 and SFA7700
- Cisco Nexus 5596UP (Ghost Poodle)
- Storwize V3700
- Intel True Scale 12000 Series Switches
- Juniper EX Series Switches
- Mellanox SX65XX, SX6036, SX1036 and SX6036G
Note: Not all supported products have a corresponding security bulletin.
Affected products and versions
| Affected Supporting Product | Fix Version | Intelligent Cluster Best Recipe |
|---|---|---|
| IBM BladeCenter AMM | 3.66N | 15B (07/2015) |
| IBM System x Integrated Management Module | 4.97 (1AOO66M) | 15B (07/2015) |
| IBM Flex System Integrated Management Module | 4.90 (1AOO66O) | 15B (07/2015) |
| IBM Flex System Chassis Management Module (CMM) | 2.5.3T (2PET12T) | 15B (07/2015) |
| IBM RackSwitch G8264 | 7.9.12.0 | 15B (07/2015) |
| IBM RackSwitch G8264T | 7.9.12.0 | 15B (07/2015) |
| IBM Flex System FC3171 | 9.1.5.02.00 | 15B (07/2015) |
| IBM Flex System FC5022 16Gb SAN Switch | 7.3.1 | 15B (07/2015) |
| IBM Flex System EN6131 40 Gb Ethernet / IB6131 40Gb Infiniband Switch | 9.1.5.02.00 | 15B (07/2015) |
| IBM GCM16-GCM32 KVM | 1.26.1.23978 | 15B (07/2015) |
| IBM SAN24B Series Switches | 6.2.2g | |
| 7.2.1d | 15B (07/2015) | |
| Brocade 8Gb SAN Switch Module for IBM BladeCenter | 7.2.1d | 15B (07/2015) |
| Brocade 10Gb SAN Switch Module for IBM BladeCenter | 6.4.3_dcb3 | 15B (07/2015) |
| Brocade 4Gb SAN Switch Module for IBM BladeCenter | 7.2.1d | |
| 7.3.0c | 15B (07/2015) | |
| IBM Converged Switch B32 | 6.4.3_dcb3 | 15B (07/2015) |
| Intel Xeon Phi PCIe adapters | 3.4.3 | 15B (07/2015) |
| DDN SFA12000 and SFA7700 | 2.3.0.3-23217 | 15B (07/2015) |
| Cisco Nexus 5596UP | 5.2(1)N1(9) | 15B (07/2015) |
| Storwize V3700 | 7.4.0.4 | 15B (07/2015) |
| Intel True Scale Fabric Switches 12000 Series | 7.3.1.0.10 | 15B (07/2015) |
| Juniper EX Series Switches | 12.3R9 | 15B (07/2015) |
| Mellanox SX65XX, SX6036, SX1036 and SX6036G | 3.4.2008 | 15B (07/2015) |
Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Intelligent Cluster Security Bulletin Readme
Change History
06 August 2015: Original Copy Published
Related
3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.975 High
EPSS
Percentile
100.0%