IBMBE9A67BD9BDD24F3FA830A98F5DC10D0C03A55261ED483855170AC3FF8B34B20Security Bulletin: IBM Smart Analytics System 7600, 7700, and 7710 are affected by vulnerabilities in OpenSSL (CVE-2013-0166, CVE-2013-0169)
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Abstract
A number of security vulnerabilities have been identified in the OpenSSL libraries that are part of the operating system software included with the vulnerable systems.
Content
VULNERABILITY DETAILS
CVE IDs:
**** CVE-2013-0166, CVE-2013-0169
DESCRIPTION:
The IBM Smart Analytics System 7600, IBM Smart Analytics System 7700, and IBM Smart Analytics System 7710 are shipped with the IBM AIX operating system. Two security vulnerabilities have been identified in the OpenSSL libraries that are part of the operating system software. See the references section for links to the description of each individual vulnerability.
CVE-2013-0166
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81904> for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2013-0169****
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
AFFECTED PRODUCTS AND VERSIONS:
IBM Smart Analytics System 7600
IBM Smart Analytics System 7700
IBM Smart Analytics System 7710
REMEDIATION:
FIXES:
Find your product in the table below and use the link in the Download Link column to find the fix provided by IBM. Previously supported Balanced Warehouse environments not listed below require additional investigation to determine vulnerability and the appropriate remediation. Access to the patches on the IBM site is restricted and requires a valid IBM registration ID. Access to the fix packs on the IBM site requires both a valid IBM registration ID and the correct product entitlement in Passport Advantage.
For more information about IBM registration IDs, see: IBM Registration FAQ.
| Product | Operating System | Patch/Fix Pack | Version | Download Link |
|---|---|---|---|---|
| IBM Smart Analytics System 7600 |
| AIX 6.1| OpenSSL patch
OpenSSH patch| OpenSSL: 0.9.8.2500
OpenSSH: 6.0.0.6101| Download the AIX fixes and install using the update instructions.
IBM Smart Analytics System 7700| AIX 6.1| IBM Smart Analytics System 7700 Fix Pack 2.1.1.0
Note: When you install this fix pack, you will update other components in addition to OpenSSL and OpenSSH.| OpenSSL: 0.9.8.2500
OpenSSH: 6.0.0.6101| Download 7700 Fix Pack 2.1.1.0 (2.1.2.0-IM-ISAS7700) and install using the fix pack installation instructions.
IBM Smart Analytics System 7710| AIX 6.1| IBM Smart Analytics System 7710 Fix Pack 2.1.1.0
Note: When you install this fix pack, you will update other components in addition to OpenSSL and OpenSSH.| OpenSSL: 0.9.8.2500
OpenSSH: 6.0.0.6101| Download 7710 Fix Pack 2.1.1.0 (2.1.2.0-IM-ISAS7710) and install using the fix pack installation instructions.
WORKAROUND(S):
None.
MITIGATION(S):
None.
REFERENCES:
- Complete CVSS Guide
- On-line Calculator V2
- CVE-2013-0166
- X-Force Database: http://xforce.iss.net/xforce/xfdb/81904
- <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory5.asc>
- CVE-2013-0169
- X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>
- <http://aix.software.ibm.com/aix/efixes/security/openssl_advisory5.asc>
RELATED INFORMATION:
_IBM Secure Engineering Web Portal __
_IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT:
None.
CHANGE HISTORY:
31-May-2013:
- Original version published.
7-Jun-2013:
- Updated CVSS score and vector for CVE-2013-1069.
- Added 7700 and 7710 remediation details.
_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _
_Note: _According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an āindustry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.ā IBM PROVIDES THE CVSS SCORES āAS ISā WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
[{āProductā:{ācodeā:āSSKT3Dā,ālabelā:āIBM Smart Analytics Systemā},āBusiness Unitā:{ācodeā:āBU050ā,ālabelā:āBU NOT IDENTIFIEDā},āComponentā:āNot Applicableā,āPlatformā:[{ācodeā:āPF002ā,ālabelā:āAIXā}],āVersionā:ā9.5;9.7ā,āEditionā:āā,āLine of Businessā:{ācodeā:āā,ālabelā:āā}},{āProductā:{ācodeā:āSSKT3Dā,ālabelā:āIBM Smart Analytics Systemā},āBusiness Unitā:{ācodeā:āBU050ā,ālabelā:āBU NOT IDENTIFIEDā},āComponentā:āIBM Smart Analytics System 7600ā,āPlatformā:[{ācodeā:āā,ālabelā:āā}],āVersionā:āā,āEditionā:āā,āLine of Businessā:{ācodeā:āā,ālabelā:āā}},{āProductā:{ācodeā:āSSKT3Dā,ālabelā:āIBM Smart Analytics Systemā},āBusiness Unitā:{ācodeā:āBU050ā,ālabelā:āBU NOT IDENTIFIEDā},āComponentā:āIBM Smart Analytics System 7700ā,āPlatformā:[{ācodeā:āā,ālabelā:āā}],āVersionā:āā,āEditionā:āā,āLine of Businessā:{ācodeā:āā,ālabelā:āā}},{āProductā:{ācodeā:āSSKT3Dā,ālabelā:āIBM Smart Analytics Systemā},āBusiness Unitā:{ācodeā:āBU050ā,ālabelā:āBU NOT IDENTIFIEDā},āComponentā:āIBM Smart Analytics System 7710ā,āPlatformā:[{ācodeā:āā,ālabelā:āā}],āVersionā:āā,āEditionā:āā,āLine of Businessā:{ācodeā:āā,ālabelā:āā}}]
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P