Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Composite Application Manager for Transactions (CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702)

2018-06-17 15:19:41
www.ibm.com
EPSS: 0.683 (percentile 98.0%)

Summary

Vulnerabilities in OpenSSL were disclosed on Mar 1, 2016 by openssl.org. OpenSSL, used by IBM Tivoli Composite Application Manager for Transactions, has addressed these vulnerabilities.

Vulnerability Details

CVE-ID: CVE-2016-0705 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2016-0798 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in SRP servers. An attacker could exploit this vulnerability using a specially crafted username value to cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111141 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2016-0797 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the BN_hex2bn()/BN_dec2bn() functions. An attacker could exploit this vulnerability using specially crafted data to cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111142 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2016-0799 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a memory error in the BIO_printf() functions. An attacker could exploit this vulnerability using specially crafted data to trigger an out-of-bounds read.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111143 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE-ID: CVE-2016-0702 DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111144 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Tivoli Composite Application Manager (ITCAM) for Transactions is affected. ITCAM for Transactions contains multiple sub-components (Agents). Only the Internet Service Monitoring component (ISM – Agent code ‘IS’) is affected.

Versions:
· 7.4 – Affected by CVEs (CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702)
· 7.3 – Affected by CVEs (CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702)

Remediation/Fixes

Product                    VRMF     APAR   Remediation/First Fix
7.4.0.1-TIV-CAMIS-IF0003   7.4.0.1  None   http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400002582
7.3.0.1-TIV-CAMIS-IF0037   7.3.0.1  None   http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400002628

For older versions of IBM Tivoli Composite Application Manager for Transactions (e.g. 7.1 and 7.2), IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None known