logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: IBM Smart Analytics System 7600, 7700, and 7710 are affected by vulnerabilities in OpenSSL

Description

## Abstract A number of security vulnerabilities have been identified in the OpenSSL libraries that are part of the operating system software included with the vulnerable systems. ## Content **VULNERABILITY DETAILS** **CVE IDs: ** ** ** **CVE-2012-2131, CVE-2012-2110, CVE-2012-0884, CVE-2012-0050, CVE-2011-4108, ** **CVE-2011-4576, ****CVE-2011-4619, ****CVE-2011-0014, ****CVE-2010-3864, CVE-2011-4109, CVE-2012-1165, CVE-2012-2333, CVE-2010-4180** **DESCRIPTION:** The IBM Smart Analytics System 7600, IBM Smart Analytics System 7700, and IBM Smart Analytics System 7710 are shipped with the AIX operating system. A number of security vulnerabilities have been identified in the OpenSSL libraries that are part of the operating system software. See the references section for links to the description of each individual vulnerability. **CVE-2012-2131 ** CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/75099> [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) **CVE-2012-2110 ** CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/74926> [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) **CVE-2012-0884 ** CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/73916>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) **CVE-2012-0050 ** CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72458>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) **CVE-2011-4108 ** CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72128>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) **CVE-2011-4576 ** CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72130>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) **CVE-2011-4619 ** CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72132>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) **CVE-2011-0014 ** CVSS Base Score: 5.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/68221>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P) **CVE-2010-3864 ** CVSS Base Score: 6.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/63293>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) **CVE-2011-4109 ** CVSS Base Score: 4.3 CVSS Temporal Score: See [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/63293>)[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>)<https://exchange.xforce.ibmcloud.com/vulnerabilities/72129> [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) **CVE-2012-1165 ** CVSS Base Score: 5 CVSS Temporal Score: See [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/63293>)[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>)<https://exchange.xforce.ibmcloud.com/vulnerabilities/74100> [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) **CVE-2012-2333 ** CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/75525> for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:P) **CVE-2010-4180 ** CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/63635> for the current score CVSS Environmental Score*: Unknown CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **AFFECTED PRODUCTS AND VERSIONS**: IBM Smart Analytics System 7600 IBM Smart Analytics System 7700 IBM Smart Analytics System 7710 **REMEDIATION:** **FIXES:** Find your product in the table below and use the link in the third column to find the patch provided by IBM. Previously supported Balanced Warehouse environments not listed below require additional investigation to determine vulnerability and the appropriate remediation. Access to the patches on the IBM site is restricted and requires a valid IBM registration ID. For more information about IBM registration IDs, see <https://www.ibm.com/account/profile/us?page=regfaqhelp>. **Product**| **Operating System**| **Patch Link** ---|---|--- IBM Smart Analytics System 7600 IBM Smart Analytics System 7700 IBM Smart Analytics System 7710 | AIX 6.1| [https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US](<https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US>) **Downloading and installing the patches** 1\. Log in to the IBM site to obtain the patches. You will need to download a patch for OpenSSL and a patch for OpenSSH. a. Navigate to the following URL: [](<https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US>) [https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US](<https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US>) b. Log in using your IBM registration ID and password. 2\. Download the patch for OpenSSL 0.9.8.x. a. Select the **OpenSSL version 0.9.8x **radio button and click **Continue**. b. In the **Download using Download Director **tab, identify the Open SSL image with the label "openssl-0.9..8.2400 (OpenSSL 0.9.8.x) for AIX 5.3, AIX 6.1 & 7.1". c. Select the **OpenSSL Image** **(openssl-0.9.8.2400.tar.Z)** checkbox and the **Readme (Readme-0.9.8.2400.txt) **checkbox and click **Download now**. The Download Director will download the files to a temporary directory. 3\. Download the patch for OpenSSH Version 6.0. a. Select the **OpenSSH Version 6.0** radio button and click **Continue**. b. Select the **OpenSSH Image**`(OpenSSH__6.0.0.6101.tar.Z)`** **checkbox and the **Readme **`(Readme-6.0.0.6101.txt)`** **checkbox and click **Download now**. The Download Director will download the files to a temporary directory. 4\. Copy the patches to the management host in the system and uncompress the files. a. Log in to the management host as the `root` user. b. Copy the OpenSSL and the OpenSSH patch files to the following directory on the management host: `/BCU_share/securitypatch` c. On the management host, issue the following commands to uncompress the OpenSSL and OpenSSH patch files: `cd /BCU_share/securitypatch` `zcat openssl-0.9.8.2400.tar.Z | tar -xvf -` `zcat OpenSSH_6.0.0.6101.tar.Z | tar -xvf -` 5\. Install the patches on each AIX host in the system. Install these fixes during a maintenance window because you will need to reboot each AIX host in the system after the patches are installed. a. Back up the `/etc/ssh` directory on each AIX host in the system. b. Verify that you can log in to the remote console for each AIX host through the Hardware Management Console (HMC). c. Create a mksysb backup image of each host. Verify that the backup image is both bootable and readable. d. On each AIX host, run the following commands to preview the OpenSSL package. During the preview, an automated prerequisite check is run and will verify that the AIX host can be updated with the patch. `cd /BCU_share/securitypatch/openssl-0.9.8.2400` `installp -apYd . openssl` e. On each AIX host, run the following command to install the OpenSSL package: `installp -aXYd . openssl` f. On each AIX host, run the following commands to preview the OpenSSH package. During the preview, an automated prerequisite check is run and will verify that the AIX host can be updated with the patch. `cd /BCU_share/securitypatch/OpenSSH_6.0.0.6101` `installp -apYd . openssh` g. On each AIX host, run the following command to install the OpenSSH package: `installp -aXYd . openssh` h. Reboot each AIX host. **WORKAROUND(S): ** None. **MITIGATION(S):** None. **REFERENCES:** * [Complete CVSS Guide](<http://www.first.org/cvss/v2/guide>) * [On-line Calculator V2 ](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>) * [CVE-2012-2131](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2131>) * X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/75099> * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc> * [CVE-2012-2110 ](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110>) * X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/74926> * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc> * [CVE-2012-0884](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884>)** ** * X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/73916>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc> * [CVE-2012-0050](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0050>) * X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/72458>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc> * [CVE-2011-4108](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108>) * X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/72128>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc> * [CVE-2011-4576 ](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576>) * X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/72130>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc> * [CVE-2011-4619](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619>)** ** * X-Force Database:[ https://exchange.xforce.ibmcloud.com/vulnerabilities/72132](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72132>)[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc> * [CVE-2011-0014](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0014>) * X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/68221>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc> * [CVE-2010-3864](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864>) * X-Force Database: h[ttp://xforce.iss.net/xforce/xfdb/63293](<https://exchange.xforce.ibmcloud.com/vulnerabilities/63293>)[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/74926>) * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc> * [CVE-2011-4109](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109>) * X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/72129> * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc> * [CVE-2012-1165](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1165>) * X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/74100> * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc> * [CVE-2012-2333](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2333>) * X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/75525> * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc> * [CVE-2010-4180](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180>) * X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/63635> * <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc> * * * * * * * * * **RELATED INFORMATION:** [_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) [_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) **ACKNOWLEDGEMENT:** None. **CHANGE HISTORY:** February 04, 2013: Document created. _*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _ **_Note:_**_ According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._ [{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 7700","Platform":[{"code":"PF002","label":"AIX"}],"Version":"9.7","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 7600","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 7710","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}}]


Affected Software


CPE Name Name Version
ibm smart analytics system 9.7
ibm smart analytics system any
ibm smart analytics system any

Related