Lucene search

K
ibm
IBM8F73A6D9460746098942CDD034332E627DD5C59C903F65333D90F95100657ED8
HistorySep 25, 2022 - 8:45 p.m.

Security Bulletin: IBM Smart Analytics System 7600, 7700, and 7710 are affected by vulnerabilities in OpenSSL

2022-09-2520:45:36
www.ibm.com
11

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

Abstract

A number of security vulnerabilities have been identified in the OpenSSL libraries that are part of the operating system software included with the vulnerable systems.

Content

VULNERABILITY DETAILS

CVE IDs:
**** **CVE-2012-2131, CVE-2012-2110, CVE-2012-0884, CVE-2012-0050, CVE-2011-4108, ** **CVE-2011-4576, ****CVE-2011-4619,****CVE-2011-0014,**CVE-2010-3864, CVE-2011-4109, CVE-2012-1165, CVE-2012-2333, CVE-2010-4180

DESCRIPTION:

The IBM Smart Analytics System 7600, IBM Smart Analytics System 7700, and IBM Smart Analytics System 7710 are shipped with the AIX operating system. A number of security vulnerabilities have been identified in the OpenSSL libraries that are part of the operating system software. See the references section for links to the description of each individual vulnerability.

CVE-2012-2131
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/75099&gt; for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-2110
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/74926&gt; for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-0884
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/73916&gt;[](&lt;https://exchange.xforce.ibmcloud.com/vulnerabilities/74926&gt;) for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2012-0050
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72458&gt;[](&lt;https://exchange.xforce.ibmcloud.com/vulnerabilities/74926&gt;) for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-4108
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72128&gt;[](&lt;https://exchange.xforce.ibmcloud.com/vulnerabilities/74926&gt;) for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2011-4576
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72130&gt;[](&lt;https://exchange.xforce.ibmcloud.com/vulnerabilities/74926&gt;) for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-4619
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72132&gt;[](&lt;https://exchange.xforce.ibmcloud.com/vulnerabilities/74926&gt;) for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-0014
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/68221&gt;[](&lt;https://exchange.xforce.ibmcloud.com/vulnerabilities/74926&gt;) for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVE-2010-3864
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/63293&gt;[](&lt;https://exchange.xforce.ibmcloud.com/vulnerabilities/74926&gt;) for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2011-4109
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72129&gt; for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2012-1165
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/74100&gt; for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2012-2333
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/75525&gt; for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:P)

CVE-2010-4180
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/63635&gt; for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:

IBM Smart Analytics System 7600
IBM Smart Analytics System 7700
IBM Smart Analytics System 7710

REMEDIATION:

FIXES:

Find your product in the table below and use the link in the third column to find the patch provided by IBM. Previously supported Balanced Warehouse environments not listed below require additional investigation to determine vulnerability and the appropriate remediation. Access to the patches on the IBM site is restricted and requires a valid IBM registration ID. For more information about IBM registration IDs, see <https://www.ibm.com/account/profile/us?page=regfaqhelp&gt;.

Product Operating System Patch Link
IBM Smart Analytics System 7600
IBM Smart Analytics System 7700
IBM Smart Analytics System 7710
AIX 6.1 https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US

Downloading and installing the patches

1. Log in to the IBM site to obtain the patches. You will need to download a patch for OpenSSL and a patch for OpenSSH.

a. Navigate to the following URL:
https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US

b. Log in using your IBM registration ID and password.

2. Download the patch for OpenSSL 0.9.8.x.

a. Select the OpenSSL version 0.9.8xradio button and click Continue.

b. In the Download using Download Directortab, identify the Open SSL image with the label “openssl-0.9…8.2400 (OpenSSL 0.9.8.x) for AIX 5.3, AIX 6.1 & 7.1”.

c. Select the OpenSSL Image**(openssl-0.9.8.2400.tar.Z)checkbox and theReadme (Readme-0.9.8.2400.txt) checkbox and clickDownload now**.

The Download Director will download the files to a temporary directory.

3. Download the patch for OpenSSH Version 6.0.

a. Select the OpenSSH Version 6.0 radio button and clickContinue.

b. Select the OpenSSH Image(OpenSSH__6.0.0.6101.tar.Z)****checkbox and the Readme(Readme-6.0.0.6101.txt)****checkbox and clickDownload now.

The Download Director will download the files to a temporary directory.

4. Copy the patches to the management host in the system and uncompress the files.

a. Log in to the management host as the root user.

b. Copy the OpenSSL and the OpenSSH patch files to the following directory on the management host:

/BCU_share/securitypatch

c. On the management host, issue the following commands to uncompress the OpenSSL and OpenSSH patch files:

cd /BCU_share/securitypatch
zcat openssl-0.9.8.2400.tar.Z | tar -xvf -
zcat OpenSSH_6.0.0.6101.tar.Z | tar -xvf -

5. Install the patches on each AIX host in the system. Install these fixes during a maintenance window because you will need to reboot each AIX host in the system after the patches are installed.

a. Back up the /etc/ssh directory on each AIX host in the system.

b. Verify that you can log in to the remote console for each AIX host through the Hardware Management Console (HMC).

c. Create a mksysb backup image of each host. Verify that the backup image is both bootable and readable.

d. On each AIX host, run the following commands to preview the OpenSSL package. During the preview, an automated prerequisite check is run and will verify that the AIX host can be updated with the patch.

cd /BCU_share/securitypatch/openssl-0.9.8.2400
installp -apYd . openssl

e. On each AIX host, run the following command to install the OpenSSL package:

installp -aXYd . openssl

f. On each AIX host, run the following commands to preview the OpenSSH package. During the preview, an automated prerequisite check is run and will verify that the AIX host can be updated with the patch.

cd /BCU_share/securitypatch/OpenSSH_6.0.0.6101
installp -apYd . openssh

g. On each AIX host, run the following command to install the OpenSSH package:

installp -aXYd . openssh

h. Reboot each AIX host.

WORKAROUND(S):

None.

MITIGATION(S):

None.

REFERENCES:


RELATED INFORMATION:

_IBM Secure Engineering Web Portal _
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT:

None.

CHANGE HISTORY:
February 04, 2013: Document created.

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _

Note:_ According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._

[{“Product”:{“code”:“SSKT3D”,“label”:“IBM Smart Analytics System”},“Business Unit”:{“code”:“BU050”,“label”:“BU NOT IDENTIFIED”},“Component”:“IBM Smart Analytics System 7700”,“Platform”:[{“code”:“PF002”,“label”:“AIX”}],“Version”:“9.7”,“Edition”:“”,“Line of Business”:{“code”:“”,“label”:“”}},{“Product”:{“code”:“SSKT3D”,“label”:“IBM Smart Analytics System”},“Business Unit”:{“code”:“BU050”,“label”:“BU NOT IDENTIFIED”},“Component”:“IBM Smart Analytics System 7600”,“Platform”:[{“code”:“”,“label”:“”}],“Version”:“”,“Edition”:“”,“Line of Business”:{“code”:“”,“label”:“”}},{“Product”:{“code”:“SSKT3D”,“label”:“IBM Smart Analytics System”},“Business Unit”:{“code”:“BU050”,“label”:“BU NOT IDENTIFIED”},“Component”:“IBM Smart Analytics System 7710”,“Platform”:[{“code”:“”,“label”:“”}],“Version”:“”,“Edition”:“”,“Line of Business”:{“code”:“”,“label”:“”}}]

How to protect your server from attacks?

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

Related for 8F73A6D9460746098942CDD034332E627DD5C59C903F65333D90F95100657ED8