Security Bulletin: IBM MQ Appliance affected by NSS and libgcrypt vulnerabilities (CVE-2018-12404 and CVE-2018-0495)

Summary

IBM MQ Appliance has resolved the following NSS and libgcrypt vulnerabilities.

Vulnerability Details

CVEID:CVE-2018-12404
**DESCRIPTION:**A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155087 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2018-0495
**DESCRIPTION:**Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/144828 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM MQ Appliance version 9.1 LTS

Apply fix pack 9.1.0.4, or later.

IBM MQ Appliance version 9.1 CD

Apply continuous delivery release 9.1.4, or later.

Workarounds and Mitigations

None