Security Bulletin: Vulnerability in OpenSSL affects IBM Security Network Active Bypass (CVE-2016-7055)

Summary

An OpenSSL vulnerability was found in IBM Security Network Active Bypass. IBM Security Network Active Bypass has addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2016-7055**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an error in a Broadwell-specific Montgomery multiplication procedure. By sending specially crafted data, a remote attacker could exploit this vulnerability to trigger errors in public-key operations in configurations where multiple remote clients select an affected EC algorithm and cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118748 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Security 1G Network Active Bypass firmware version 1.X firmware levels 1.0.849 through 3.30.7-23
IBM Security 10G Network Active Bypass firmware versions 1.x firmware levels 1.0.1876 through 3.30.7-23

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Security Proventia Network Active Bypass| 3.X | Proventia 1G NAB Update 22 (fw 3.30.9-27) IBM Security Proventia Network Active Bypass| 3.X| Proventia 10G NAB Update 19 (fw 3.30.9-27)

For IBM Security Proventia Network Active Bypass products at the following firmware versions:

• IBM Security 1G Network Active Bypass firmware version 1.X firmware levels 1.0.849 through 3.30.4-12, 3.30.5-21, 3.30.7-23
• IBM Security 10G Network Active Bypass firmware versions 1.X firmware levels 1.0.1876 through 3.30.5-21, 3.30.7-23

IBM recommends upgrading to 3.30.9-27, the supported firmware release of the product.

Workarounds and Mitigations

None