7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
There are multiple vulnerabilities in ntp that is used by IBM Flex System Manager.
There are multiple vulnerabilities in ntp that is used by IBM Flex System Manager.
Vulnerability Details:
CVE-ID: CVE-2014-9293
Description: Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the improper generation of a key by the config_auth function when an auth key is not configured. A remote attacker could exploit this vulnerability using brute force techniques to guess the generated key.
CVSS Base Score: 5.00
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99576> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-9294
Description: Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the use of a weak RNG seed by ntp-keygen.c. A remote attacker could exploit this vulnerability using brute force techniques to defeat cryptographic protection mechanisms.
CVSS Base Score: 5.00
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99577> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-9297
Description: Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to conduct spoofing attacks, caused by insufficient entropy in PRNG. An attacker could exploit this vulnerability to spoof the IPv6 address ::1 to bypass ACLs and launch further attacks on the system.
CVSS Base Score: 5.00
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/100004> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-9298
Description: Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to obtain sensitive information, caused by the improper validation of the length value in extension field pointers. An attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.00
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/100005 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Product | VRMF | APAR | Remediation |
---|---|---|---|
Flex System Manager | 1.3.4.x | IT07949 | fsmfix1.3.4.0_IT06254_IT06272_IT07949_IT10916 |
Flex System Manager | 1.3.3.x | IT07949 | fsmfix_1.3.3.0_IT06254_IT07949 |
Flex System Manager | 1.3.2.x | IT07949 | fsmfix_1.3.2.0_IT06254_IT07949 |
Flex System Manager | 1.3.1.x | IT07949 | fsmfix_1.3.1.0_IT06254_IT07949 |
Warning: This release contains other unfixed vulnerabilities. IBM recommends upgrading to FSM 1.3.4.0 and following the appropriate remediation for all vulnerabilities. | |||
Flex System Manager | 1.3.0.x | IT07949 | fsmfix_1.3.0.0_IT06254_IT07949 |
Warning: This release contains other unfixed vulnerabilities. IBM recommends upgrading to FSM 1.3.4.0 and following the appropriate remediation for all vulnerabilities. | |||
Flex System Manager | 1.2.1.x | IT07949 | IBM is no longer providing code updates for this release, upgrade to FSM 1.3.4.0 and follow the appropriate remediation for all vulnerabilities. |
Flex System Manager | 1.2.0.x | IT07949 | IBM is no longer providing code updates for this release, upgrade to FSM 1.3.4.0 and follow the appropriate remediation for all vulnerabilities. |
None.
Related Information:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None.
Change History
06 April 2015: Original Copy Published
01 October 2015: Updated for version 1.3.3
12 October 2015: Updated for version 1.3.4
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.