Security Bulletin: Vulnerabilities in OpenSSL affect IBM InfoSphere Master Data Management ( CVE-2014-3513, CVE-2014-3567)

Summary

OpenSSL vulnerabilities along with SSL 3 Fallback protection (TLS_FALLBACK_SCSV) were disclosed on October 15, 2014 by the OpenSSL Project. OpenSSL is used by IBM InfoSphere Master Data Management. IBM InfoSphere Master Data Management has addressed the applicable CVEs and included the SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) provided by OpenSSL.

Vulnerability Details

CVE-ID: CVE-2014-3513

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.

CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97035 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3567

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.

CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97036 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

These vulnerabilities are known to affect the following offerings:

·IBM Initiate Master Data Service versions 8.5, 9.0, 9.2, 9.5, 9.7, 10.0, 10.1 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)

·IBM Initiate Master Data Service Patient Hub versions 9.5, 9.7 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)

·IBM Initiate Master Data Service Provider Hub versions 9.5, 9.7 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)

·IBM InfoSphere Master Data Management Patient Hub version 10.0 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)

·IBM InfoSphere Master Data Management Provider Hub version 10.0 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkit component)

· IBM InfoSphere Master Data Management Standard/Advanced Edition version 11.0 (impacts Message Brokers component and Enterprise Integrator Toolkit component)

· IBM InfoSphere Master Data Management Standard/Advanced Edition version 11.3 (impacts Message Brokers component)

· IBM InfoSphere Master Data Management Standard/Advanced Edition version 11.4 (impacts Message Brokers component)

Remediation/Fixes

_For IBM Initiate Master Data Service V8.5: _
· Apply Fix 8.5.0.111414_IM_Initiate_MasterDataService_ALL_ifix from fix central.

_For IBM Initiate Master Data Service V9.0: _
· Apply Fix 9.0.0.111414_IM_Initiate_MasterDataService_ALL_ifix from fix central.

_For IBM Initiate Master Data Service V9.2: _
· Apply_ Fix 9.2.0.111414_IM_ Initiate_MasterDataService_ALL_ifix__ from fix central._

_For IBM Initiate Master Data Service V9.5: _
· Apply Fix 9.5.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central.

_For IBM Initiate Master Data Service Patient Hub V9.5: _
· Apply Fix 9.5.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.

_For IBM Initiate Master Data Service Provider Hub V9.5: _
· _Apply Fix 9.5.103114_IM_Initiate_Provider_ALL_RefreshPack from fix central. **

For IBM Initiate Master Data Service V9.7: _**
· Apply Fix 9.7.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central.

_For IBM Initiate Master Data Service Patient Hub V9.7: _
· Apply Fix 9.7.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.

_For IBM Initiate Master Data Service Provider Hub V9.7: _
· _Apply Fix 9.7.103114_IM_Initiate_Provider_ALL_RefreshPack from _fix central.

_For IBM Initiate Master Data Service V10.0: _
· Apply Fix 10.0.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central.

_For IBM InfoSphere Master Data Management Patient Hub V10.0: _
· Apply Fix 10.0.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.

_For IBM InfoSphere Master Data Management Provider Hub V10.0: _
· _Apply Fix 10.0.103114_IM_Initiate_Provider_ALL_RefreshPack from fix central. **

For IBM Initiate Master Data Service V10.1: _**
· _Apply Fix 10.1.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central. **

For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.0: _**
· Apply Fix 11.0.0.2-MDM-SE-AE-FP02IF000_FC from fix central**.**

_For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.3: _
· Apply Fix 11.3.0.1-MDM-SE-AE-FP01IF000_FC from fix central**.**

_For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.4: _
· Apply Fix 11.4.0.0-MDM-IF001 fromfix central.

Workarounds and Mitigations

None known