Security Bulletin: Vulnerabilities in OpenSSL affect IBM WebSphere MQ Advanced Message Security for IBM i, IBM WebSphere MQ Client for HP-NSS

2018-06-15 07:03:03
www.ibm.com

Summary

OpenSSL vulnerabilities were disclosed on March 19, 2015 by the OpenSSL Project. OpenSSL is used by IBM WebSphere MQ Advanced Message Security for the IBM i platform, IBM WebSphere MQ HP-NSS and IBM WebSphere MQ Paho MQTT clients. IBM WebSphere MQ Advanced Message Security for the IBM i platform and IBM WebSphere MQ HP-NSS client have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0209
DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error in the d2i_ECPrivateKey or EVP_PKCS82PKEY function. An attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system and cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101674 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-0286
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error in the ASN1_TYPE_cmp function when attempting to compare ASN.1 boolean types. An attacker could exploit this vulnerability to crash any certificate verification operation and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101666 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0289
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle missing outer ContentInfo by the PKCS#7 parsing code. An attacker could exploit this vulnerability using a malformed ASN.1-encoded PKCS#7 blob to trigger a NULL pointer dereference.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101669 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM WebSphere MQ Advanced Message Security for IBM i platform - V8.0.0.2 and earlier

IBM WebSphere MQ Client for HP Integrity NonStop Server - V8.0.0.2 and earlier

IBM Mobile Messaging and M2M Client Pack - Eclipse Paho MQTT C Client libraries for Linux & Windows platforms only

Remediation/Fixes

IBM WebSphere MQ Advanced Message Security for IBM i platform

The fix is provided in fix pack 8.0.0.3 or later.

IBM WebSphere MQ HP-NSS client

The fix is provided in fix pack 8.0.0.3 or later.

Workarounds and Mitigations

Eclipse Paho MQTT C Client (Linux & Windows)
The C client libraries provided by the MA9B SupportPac can also be rebuilt from source and linked against OpenSSL 1.0.1m or later using the following instructions.
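As an added example (not part of the IBM bulletin or the Paho project), the check below decides whether an OpenSSL version banner meets the bulletin's "1.0.1m or later" minimum for a rebuilt client, taking into account that OpenSSL 1.0.x patch releases are ordered by a letter suffix (1.0.1l is older than 1.0.1m) rather than by a number. The banners fed to it are constructed sample input; a real check would use the output of `openssl version` for the library the client is actually linked against.

```python
import re

# Minimum release named in the bulletin's mitigation: OpenSSL 1.0.1m.
REQUIRED_BRANCH = (1, 0, 1)
REQUIRED_LETTER = "m"

# Matches banners such as "OpenSSL 1.0.1k 8 Jan 2015" or "OpenSSL 1.0.2".
_BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) for an OpenSSL banner, or None."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def letter_rank(letter):
    # OpenSSL letter order: "" < "a" < ... < "z" < "za" < "zb" ...,
    # so a longer suffix always sorts after a shorter one.
    return (len(letter), letter)


def meets_bulletin_minimum(banner):
    """Classify a banner against the bulletin's 1.0.1m threshold.

    Returns "ok", "vulnerable", "other-branch" (a release line the
    bulletin gives no threshold for) or "unknown" (not an OpenSSL banner).
    """
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"
    if version[:3] != REQUIRED_BRANCH:
        return "other-branch"
    if letter_rank(version[3]) >= letter_rank(REQUIRED_LETTER):
        return "ok"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real system.
    for sample in ("OpenSSL 1.0.1k 8 Jan 2015", "OpenSSL 1.0.1m 19 Mar 2015",
                   "OpenSSL 1.0.2 22 Jan 2015", "LibreSSL 2.2.0"):
        print(f"{sample!r}: {meets_bulletin_minimum(sample)}")
```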