Lucene search

K
ibmIBMACF676405BBB5AE27485D9F48AD72AC6E8FE2D60EE0D4B0D45374459BCE07DA3
HistoryJun 17, 2018 - 10:33 p.m.

Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation

2018-06-1722:33:35
www.ibm.com
43

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

OpenSSL vulnerabilities were disclosed on Dec 16, 2016 by the OpenSSL Project. OpenSSL is used by IBM Worklight and IBM MobileFirst Platform Foundation. IBM Worklight and IBM MobileFirst Platform Foundation have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2017-3730DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending specially crafted parameters for a DHE or ECDHE key exchange, a remote attacker could exploit this vulnerability to cause the application to crash.CVSS Base Score: 5.3CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121311 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3731DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an out-of-bounds read when using a specific cipher. By sending specially crafted truncated packets, a remote attacker could exploit this vulnerability using CHACHA20/POLY1305 to cause the application to crash.CVSS Base Score: 5.3CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121312 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3732DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a propagation error in the BN_mod_exp() function. An attacker could exploit this vulnerability to obtain information about the private key.CVSS Base Score: 5.3CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-7055DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error in a Broadwell-specific Montgomery multiplication procedure. By sending specially crafted data, a remote attacker could exploit this vulnerability to trigger errors in public-key operations in configurations where multiple remote clients select an affected EC algorithm and cause a denial of service.CVSS Base Score: 5.3CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118748 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM MobileFirst Platform Foundation 8.0.0.0
IBM MobileFirst Platform Foundation 7.1.0.0
IBM MobileFirst Platform Foundation 7.0.0.0
IBM MobileFirst Platform Foundation 6.3.0.0
IBM Worklight Enterprise Edition 6.2.0.1
IBM Worklight Enterprise Edition 6.1.0.2

Remediation/Fixes

Product

| VRMF|APAR|Remediation/First Fix
—|—|—|—
IBM Worklight| 6.x| PI86907| Download the latest iFix for IBM Worklight Enterprise Edition on FixCentral
Download the latest iFix for IBM Worklight Consumer Edition on FixCentral
IBM Mobile Foundation| 6.x| Download the latest iFix for IBM Mobile Foundation Enterprise Edition on FixCentral
Download the latest iFix for IBM Mobile Foundation Consumer Edition on FixCentral
IBM MobileFirst Platform Foundation| 6.x and 7.x| Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
IBM MobileFirst Platform Foundation| 8.0| PI86907| Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral

Note: CVE-2017-3730 does not affect OpenSSL version 1.0.2. Please refer link below for further details –
<https://www.openssl.org/news/secadv/20170126.txt&gt;

Workarounds and Mitigations

None

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P