3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7, IBM SDK Java Technology Edition, Version 6, and IBM SDK Java 2 Technology Edition, Version 5 that are used by IBM Virtualization Engine TS7700. These issues were disclosed as part of the IBM Java SDK updates in October 2014 and January 2015. This bulletin also addresses the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability.
CVEID: CVE-2014-6512 DESCRIPTION: An unspecified vulnerability related to the Libraries component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-6457 DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2014-6558 DESCRIPTION: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)** **
CVEID: CVE-2015-0410**
DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-3566**
DESCRIPTION:** Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-6593**
DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2015-0138**
DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.
All versions of microcode for the IBM Virtualization Engine TS7700 (3957-V06, 3957-V07, 3957-VEA, 3957-VEB) prior to release R2.1 are affected. In addition, microcode versions of releases R2.1, R3.0, R3.1 and R3.2 prior to and including the following are also affected:
Release
| Version
—|—
R3.2| 8.32.0.88
R3.1| 8.31.0.92
R3.0| 8.30.3.4
R2.1| 8.21.0.178
Contact IBM Service at 1-800-IBM-SERV to arrange an upgrade to the latest microcode level followed by the installation of vtd_exec.202, vtd_exec.213, vtd_exec.214 and vtd_exec.215 as needed. Minimum microcode levels are shown below:
Release
| Fix
—|—
R3.2| 8.32.0.88 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215
- OR -
8.32.1.8 + vtd_exec.202
R3.1| 8.31.0.92 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215
R3.0| 8.30.3.4 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214
R2.1| 8.21.0.178 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215
Older Releases| 8.21.0.178 + vtd_exec.202 + vtd_exec.213 + vtd_exec.214 + vtd_exec.215
Please note that vtd_exec packages carry their own internal version numbers. For the vulnerabilities reported in this Security Bulletin, the minimum required vtd_exec versions are as follows: Package | Version |
---|---|
vtd_exec.202 | 1.5 |
vtd_exec.213 | 1.03 |
vtd_exec.214 | 1.03 |
vtd_exec.215 | 1.03 |
Although IBM recommends that you upgrade to the fixes identified above, you can mitigate, but not eliminate the risk of these vulnerabilities by restricting physical and network access to the TS7700 to authorized users and IBM Service Personnel only.
3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P