Security Bulletin: Multiple vulnerabilities in OpenSSL affect ProtecTIER

Summary

OpenSSL vulnerabilities were disclosed on March 1, 2016 by the OpenSSL Project. OpenSSL is used by ProtecTIER. ProtecTIER has addressed the applicable CVEs including the “DROWN: Decrypting RSA with Obsolete and Weakened eNcryption" vulnerability.

Vulnerability Details

CVEID: CVE-2016-0800 DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions. By using a server that supports SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle, an attacker could exploit this vulnerability to decrypt TLS sessions between clients and non-vulnerable servers. This vulnerability is also known as the DROWN attack.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111139&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2016-0797 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the BN_hex2bn/BN_dec2bn() function. An attacker could exploit this vulnerability using specially crafted data to cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111142 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

These products are affected by this vulnerability:

· ProtecTIER Enterprise Edition (PID 5639-PTA) - TS7650G
· ProtecTIER Appliance Edition (PID 5639-PTB) - TS7650AP1
· ProtecTIER Entry Edition (PID 5639-PTC) - TS7610 / TS7620
· ProtecTIER Gateway for System Z (PID 5639-FPA)

The code versions impacted are 1.2.x, 2.4.x, 2.5.x, 3.1.x, 3.2.x, 3.3.x and 3.4.x

Remediation/Fixes

<Product

| VRMF| APAR| Remediation/First Fix
—|—|—|—
ProtecTIER Enterprise Edition (PID 5639-PTA) - TS7650G| 3.3.x,
3.4.x|
| https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=Tape%2Bvirtualization&product=ibm/Storage_Tape/TS7650G+with+ProtecTIER&release=All&platform=All&function=fixId&fixids=PT_MD5_DROWN_PSIRT_V3.3.99.Drown.x86_64&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true
ProtecTIER Enterprise Edition (PID 5639-PTA) - TS7650G| 2.4.x, 2.5.x, 3.1.x, 3.2.x|
| Contact support
ProtecTIER Appliance Edition (PID 5639-PTB) - TS7650AP1| 3.3.x,|
| https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=Tape%2Bvirtualization&product=ibm/Storage_Tape/TS7650G+with+ProtecTIER&release=All&platform=All&function=fixId&fixids=PT_MD5_DROWN_PSIRT_V3.3.99.Drown.x86_64&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true
ProtecTIER Appliance Edition (PID 5639-PTB) - TS7650AP1| 2.4.x, 2.5.x, 3.1.x 3.2.x|
| Contact support
ProtecTIER Entry Edition (PID 5639-PTC) | 3.3.x,
3.4.x|
| https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=Tape%2Bvirtualization&product=ibm/Storage_Tape/TS7650G+with+ProtecTIER&release=All&platform=All&function=fixId&fixids=PT_MD5_DROWN_PSIRT_V3.3.99.Drown.x86_64&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true
ProtecTIER Entry Edition (PID 5639-PTC) | 2.4.x, 2.5.x, 3.1.x, 3.2.x|
| Contact support
ProtecTIER Gateway for System Z ( PID 5639-FPA) | 1.2.x|
| Contact Support

_For the releases 1.2.x, 2.4.x, 2.5.x and 3.1.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product. _Customers running release 3.2 must contact support in order to get a fix.

IBM recommends that the same certificate should ONLY be shared with identical server configuration and software.
If the same certificate were shared with different server(s) configuration or software, IBM recommends replacing the different server(s) with unique certificates to protect against the DROWN exposure.

Workarounds and Mitigations

None