Lucene search

K
ibmIBM9AEB4E6EBFCC01D0F5C53AE00812289D64830B0A115A88A46143F24D28162F0C
HistoryJun 18, 2018 - 1:32 a.m.

Security Bulletin: IBM Flex System Manager (FSM) is affected by a curl vulnerability (CVE-2016-0755)

2018-06-1801:32:46
www.ibm.com
2

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

Summary

A security vulnerability has been discovered in curl that is embedded in the IBM FSM. This bulletin addresses the vulnerability.

Vulnerability Details

CVEID: CVE-2016-0755**
DESCRIPTION:** Libcurl could allow a remote attacker to bypass security restrictions, caused by the failure to check NTLM-authenticated proxy connections for reuse. An attacker could exploit this vulnerability to use a proxy connection for a different authenticated client username.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110290 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Flex System Manager 1.3.4.x
Flex System Manager 1.3.3.x
Flex System Manager 1.3.2.x

Remediation/Fixes

IBM recommends updating the FSM using the instructions referenced in this table.

Product |

VRMF |

APAR |

Remediation
—|—|—|—
Flex System Manager|

1.3.4.x |

IT15536

| Verify that Java updates have been installed, then install fsmfix1.3.4.0_IT15533_IT15534_IT15535_IT15536_IT16023.

Instructions for installing and verifying installation of Java updates can be found in Technote 761981453
Flex System Manager|

1.3.3.x |

IT15536

| Verify that Java updates have been installed, then install fsmfix1.3.3.0_IT15533_IT15534_IT15535_IT15536_IT16023.

Instructions for installing and verifying installation of Java updates can be found in Technote 736218441
Flex System Manager|

1.3.2.x |

IT15536

| Verify that Java updates have been installed, then install fsmfix1.3.2.0_IT15533_IT15534_IT15535_IT15536_IT16023.

Instructions for installing and verifying installation of Java updates can be found in Technote 736218441
For 1.1.x.x, 1.2.x.x, 1.3.0.x and 1.3.1.x IBM recommends upgrading to a fixed, supported version/release of the product.

You should verify applying this fix does not cause any compatibility issues. The fix disables MD5 signature hash by default. IBM recommends that you review your entire environment to identify other areas where you have enabled the MD5 signature hash and take appropriate mitigation and remediation actions.

Workarounds and Mitigations

None

CPENameOperatorVersion
flex system manager nodeeqany

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

Related for 9AEB4E6EBFCC01D0F5C53AE00812289D64830B0A115A88A46143F24D28162F0C