Security Bulletin: Vulnerability in Gnu Transport Layer Security (GnuTLS) affects IBM SmartCloud Provisioning 2.1 for IBM Provided Software Virtual Appliance (CVE-2014-3466).

Summary

Vulnerability in Gnu Transport Layer Security (GnuTLS) affects IBM SmartCloud Provisioning 2.1 for IBM Provided Software Virtual Appliance (CVE-2014-3466).

Vulnerability Details

CVE ID: CVE-2014-3466

DESCRIPTION: The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. malicious server might use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS. This action then causes the client application to crash or, possibly, execute arbitrary code.

CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93542&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

IBM SmartCloud Provisioning 2.1 for IBM Provided Software Virtual Appliance

Remediation/Fixes

The recommended solution is to download the IBM SmartCloud Provisioning 2.1 Fix Pack 5 for IBM Provided Software Virtual Appliance 2.1.0-TIV-ISCP-FP0005-SVA from Fix Central and apply it as soon as practical.

Workarounds and Mitigations

None