
Security Bulletin: IBM SmartCloud Orchestrator is affected by a vulnerability in OpenSSL (CVE-2014-0160)

Published: 2018-06-17 22:30:48 (www.ibm.com)

CVSS3: 7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE

CVSS2: 5 Medium
AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE

Summary

A security vulnerability has been discovered in OpenSSL.

Vulnerability Details

CVE-ID:CVE-2014-0160

**DESCRIPTION:** OpenSSL might allow a remote attacker to obtain sensitive information, which is caused by an error in the TLS/DTLS heartbeat functionality. An attacker might exploit this vulnerability to expose 64K of private memory and retrieve secret keys. An attacker can repeatedly expose additional 64K chunks of memory. This vulnerability can be remotely exploited. Authentication is not required and the exploit is not complex. An exploit can only partially affect the confidentiality, but not the integrity or availability.

CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92322>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment might be more serious than it is indicated by the CVSS score.

Affected Products and Versions

IBM SmartCloud Orchestrator V2.3 and IBM SmartCloud Orchestrator 2.3 Fix Pack 1

Remediation/Fixes

The vulnerability affects the Image Construction and Composition Tool bundle, which is named “Enablement Bundle for Virtual Application and System Plugins in Windows.” This bundle is not added, by default, to images.

A fixed version of the “Enablement Bundle for Virtual Application and System Plugins in Windows” software bundle is available with IBM SmartCloud Orchestrator Version 2.3.0 Fix Pack 1 Interim Fix 1.

If you added the aforementioned bundle to your image templates, complete the following actions to fix them:

  1. Use the Image Construction and Composition Tool to identify the images that contain the bundle.

  2. Identify the base image from which they were extended (Extends Image field).

  3. Extend the base image again and add the fixed bundle to it.

  4. Synchronize and capture the image.

  5. Delete the images that you identified in step 1.

  6. Register the newly created image in the IBM SmartCloud Orchestrator user interface.

  7. Use the IBM SmartCloud Orchestrator user interface and identify the virtual system patterns and application patterns that are using any of the images that are mentioned in step 1.

  8. Replace the vulnerable image in each of these patterns with the newly created image.

After you complete these steps, all new instances that are started contain a non-vulnerable version of OpenSSL.

If you have instances deployed from vulnerable images, complete the following steps:

  1. Remove the vulnerable version of OpenSSL, which exists in C:\OpenSSL-Win64\bin\Win64OpenSSL-*.exe, and replace it with the non-vulnerable version that you can extract from the aforementioned software bundle.

  2. After you apply the fix, complete the following steps for CVE-2014-0160:
    1. Replace your SSL certificates.
    You need to revoke existing SSL certificates and reissue new certificates. Make sure that you do not generate the new certificates using the old private key. Create a new private key, for example using openssl genrsa, and use that new private key to create the new certificate signing request (CSR).
    2. Reset user credentials.
    Users of network-facing applications that are protected by a vulnerable version of OpenSSL should be forced to reset their passwords. They should revoke any authentication or session-related cookies that were set prior to the time OpenSSL was upgraded. They should force the user to re-authenticate.

Warning: Your environment might require additional fixes for other products, including non-IBM products. Replace the SSL certificates and reset the user credentials after applying the necessary fixes to your environment.
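The re-keying step above (new private key via openssl genrsa, then a CSR from that key) is easy to get wrong by accidentally pointing the CSR at the old key. The following script is an added example, not part of the IBM bulletin: it generates a fresh key, refuses to continue if the new key is identical to the old one, and verifies that the CSR carries the new public key. It assumes the openssl CLI is on PATH; all file names and the subject are constructed.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): generate a brand-new RSA private
# key, confirm it is not the old one, and build the CSR from the new key.
# Assumes the openssl CLI is on PATH; file names below are constructed.
set -eu

# SHA-256 over the DER public key of an RSA private key, so two keys can be compared.
key_fingerprint() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER public key embedded in a CSR.
csr_fingerprint() {
    openssl req -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# rotate_key_and_csr OLD_KEY NEW_KEY CSR SUBJECT
# Returns 0 only if NEW_KEY differs from OLD_KEY and CSR was built from NEW_KEY.
rotate_key_and_csr() {
    old_key=$1; new_key=$2; csr=$3; subject=$4
    # Never reuse the key that may have been read out of process memory: make fresh material.
    openssl genrsa -out "$new_key" 2048 2>/dev/null
    chmod 600 "$new_key"
    if [ -f "$old_key" ] && [ "$(key_fingerprint "$old_key")" = "$(key_fingerprint "$new_key")" ]; then
        echo "new key matches old key; aborting" >&2
        return 1
    fi
    openssl req -new -key "$new_key" -subj "$subject" -out "$csr" 2>/dev/null
    # The CSR must carry the new public key, not the compromised one.
    [ "$(csr_fingerprint "$csr")" = "$(key_fingerprint "$new_key")" ]
}

# Constructed demo: "old.key" stands in for the key exposed by the heartbeat bug.
workdir=$(mktemp -d)
openssl genrsa -out "$workdir/old.key" 2048 2>/dev/null
rotate_key_and_csr "$workdir/old.key" "$workdir/new.key" "$workdir/new.csr" "/CN=example.invalid" \
    && echo "new key and CSR ready in $workdir; revoke the certificate issued for old.key"
```

Submit the resulting CSR to your CA and revoke the old certificate once the new one is installed.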

Workarounds and Mitigations

None

CPE Name | Operator | Version
ibm smartcloud orchestrator | eq | 2.3
