Lucene search

K
ibmIBMBEA0DEA8581DC561B3E0FB6213C2324D0764CB41F471CBFCCD4404F07F203E7F
HistoryJul 24, 2020 - 11:08 p.m.

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for OpenVMS (CVE-2016-2183)

2020-07-2423:08:59
www.ibm.com
14

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

OpenSSL is used by IBM Sterling Connect:Direct for OpenVMS. IBM Sterling Connect:Direct for OpenVMS has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2016-2183**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the Triple-DES on 64-bit block cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Sterling Connect:Direct for OpenVMS 3.6.0

Remediation/Fixes

The recommended solution is to apply the fix as soon as practical. Please see below for information about the available fixes.

VRMF APAR Remediation/First Fix
3.6.0 IT22551 Apply Fix Pack 3.6.0.5, available on Fix Central

Workarounds and Mitigations

In versions of IBM Sterling Connect:Direct for OpenVMS older than 3.6.0.5, deselect the Triple-DES (3DES) cipher suite if it is specified in the Secure+ configuration. To avoid production outages when switching to another cipher, coordinate the configuration change to an agreed cipher with the security administrator of each remote node with which you use Secure+. The recommended cipher suite is AES128-SHA or AES256-SHA.

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Related for BEA0DEA8581DC561B3E0FB6213C2324D0764CB41F471CBFCCD4404F07F203E7F