History: Jun 17, 2018 - 2:48 p.m.

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server and IBM Tivoli Monitoring shipped with IBM Tivoli Network Manager (CVE-2014-3566, CVE-2014-3513, CVE-2014-3567, CVE-2014-3568 and August 6th 2014)

2018-06-17 14:48:04 | www.ibm.com

CVSS3: 3.4 Low
Attack Vector: NETWORK | Attack Complexity: HIGH | Privileges Required: NONE | User Interaction: REQUIRED | Scope: CHANGED | Confidentiality Impact: LOW | Integrity Impact: NONE | Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS2: 7.5 High
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

IBM WebSphere Application Server and IBM Tivoli Monitoring are shipped as a component of IBM Tivoli Network Manager IP Edition. Information about a security vulnerability (CVE-2014-3566) affecting IBM WebSphere Application Server and IBM Tivoli Monitoring has been published in a security bulletin.

SSLv3 is enabled in all versions of IBM Tivoli Network Manager IP Edition through the IBM WebSphere Application Server.

Multiple vulnerabilities in OpenSSL affect IBM Tivoli Network Manager IP Edition V3.9 Fix Pack 4 HTTPS support for Perl Collectors (CVE-2014-3566, CVE-2014-3513, CVE-2014-3567, CVE-2014-3568 and the August 6th 2014 advisories).

IBM Tivoli Network Manager IP Edition 3.9 Fixpack 4 added SSLv3 HTTPS support for three Perl Collectors (Alcatel5620SamSoap collector, Alcatel5620SamSoapFindtoFile collector, and Alcatel5529IdmSoap collector) which required the user to install OpenSSL.

By default these three Perl Collectors are disabled, so users are not vulnerable if they leave them disabled. The product does not include HTTPS support; the user needs to configure it and add the OpenSSL package.

1. SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. By default, SSLv3 is not enabled in IBM Tivoli Network Manager IP Edition V3.9 Fix Pack 4.
CVE-ID: CVE-2014-3566

2. Security vulnerabilities have been discovered in the OpenSSL 9.8 package.
CVE-IDs: CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568.

3. Security vulnerabilities have been discovered in the OpenSSL 9.8 package that were reported on August 6th 2014 by the OpenSSL Project.
CVE-IDs: CVE-2014-3512, CVE-2014-3509, CVE-2014-3506, CVE-2014-3507, CVE-2014-3511, CVE-2014-3505, CVE-2014-3510, CVE-2014-3508 and CVE-2014-5139.

To address recent OpenSSL advisories, these three Perl collectors have been updated to use TLS as the default cryptographic protocol for communicating with the source EMS.

Vulnerability Details

Please consult the security bulletin IBM WebSphere Application Server and IBM Tivoli Monitoring for vulnerability details and information about fixes for these products.

Tivoli Network Manager IP Edition V3.9 Fix Pack 4 HTTPS support for Perl Collectors vulnerability details:

CVE-ID: CVE-2014-3566
DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-3513
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97035> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3567
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97036> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3568
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions. When configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97037> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-3512
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an internal buffer overrun. A remote attacker could exploit this vulnerability using invalid SRP parameters sent from a malicious server or client to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95158> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3509
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a race condition in the ssl_parse_serverhello_tlsext() code. If a multithreaded client connects to a malicious server using a resumed session, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95159> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3506
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error when processing DTLS handshake messages. A remote attacker could exploit this vulnerability to consume an overly large amount of memory.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95160> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3507
DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending specially-crafted DTLS packets, a remote attacker could exploit this vulnerability to leak memory and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95161> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3511
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol versions by the OpenSSL SSL/TLS server code when handling a badly fragmented ClientHello message. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to TLS 1.0.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95162> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-3505
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when handling DTLS packets. A remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95163> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3510
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in anonymous ECDH ciphersuites. A remote attacker could exploit this vulnerability using a malicious handshake to cause the client to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95164> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3508
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in OBJ_obj2txt. If applications echo pretty printing output, an attacker could exploit this vulnerability to read information from the stack.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95165> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-5139
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when an SRP ciphersuite is specified without being properly negotiated with the client. A remote attacker could exploit this vulnerability to cause the client to crash.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95166> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

All versions of Tivoli Network Manager IP Edition are affected by the IBM WebSphere Application Server and IBM Tivoli Monitoring (CVE-2014-3566) advisories.

Tivoli Network Manager IP Edition V3.9 Fix Pack 4 is affected by the OpenSSL advisories only when HTTPS support for Perl Collectors is in use.

Remediation/Fixes

1. Tivoli Network Manager IP Edition V3.9 Fix Pack 4 HTTPS support for Perl Collectors:

Affected Product and Version: IBM Tivoli Network Manager IP Edition V3.9 Fix Pack 4 (when HTTPS support for Perl Collectors is enabled)
Fixed Version: IBM Tivoli Network Manager IP Edition V3.9 Fix Pack 4 Interim Fix 1
Download Fix URL: <http://www-01.ibm.com/support/docview.wss?uid=swg24039027>

2. For IBM WebSphere, consult the IBM WebSphere Application Server security bulletin.

Affected Product and Version(s) / Product and Version shipped as a component:

- Tivoli Network Manager 3.8: bundles TIP version 1.1.1.x, IBM WebSphere version 6.1.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 5.
- Tivoli Network Manager 3.9: bundles TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6.
- Tivoli Network Manager 4.1: bundles TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6.
- Tivoli Network Manager 4.1.1: bundles TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6.

3. For IBM Tivoli Monitoring, consult the IBM Tivoli Monitoring security bulletin.

Workarounds and Mitigations

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions.
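The review IBM recommends above amounts to finding every listener that still completes an SSLv3 handshake. As an added example (not IBM's code or part of this bulletin), the helper below builds a bare SSLv3 ClientHello, and classifies the first record a server sends back: a ServerHello carrying version 0x0300 means SSLv3 is still enabled there, an Alert means it was refused. The host and port are whatever endpoints you administer; only probe() touches the network, the builder and classifier run offline.

```python
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # SSL 3.0 protocol version on the wire


def build_sslv3_client_hello() -> bytes:
    """Return a minimal SSLv3 ClientHello record (no extensions, three classic suites)."""
    client_random = b"\x00" * 32  # constructed fixed random; fine for an audit probe
    ciphers = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, DES-CBC3-SHA
    body = (SSLV3 + client_random
            + b"\x00"                                   # session id length 0
            + struct.pack("!H", len(ciphers)) + ciphers  # cipher suite list
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # type 22


def classify_response(data: bytes) -> str:
    """Classify the first TLS/SSL record a server returned to the SSLv3 ClientHello."""
    if not data:
        return "no-response"          # server closed the connection silently
    if len(data) < 5:
        return "unknown"
    record_type = data[0]
    if record_type == 0x15:           # Alert (e.g. handshake_failure, protocol_version)
        return "sslv3-rejected"
    if record_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        # record header is 5 bytes, handshake header 4, so the version sits at 9..10
        return "sslv3-accepted" if data[9:11] == SSLV3 else "unknown"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and report how the server answered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target_host, target_port, probe(target_host, target_port))
```

Run it against each HTTPS listener in the inventory (the WebSphere ports and any collector-facing EMS) and treat every "sslv3-accepted" result as an item for the remediation list.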
