Lucene search

K
ibmIBMBF6ADD5EA2EA3FD40928D5802D8D489B0E359385BE9E5B5FD93833A33C18D060
HistoryJun 17, 2018 - 2:53 p.m.

Security Bulletin: Tivoli Storage Manager is affected by the following OpenSSL vulnerability: CVE-2014-0224

2018-06-1714:53:16
www.ibm.com
5

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

Summary

Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project.

This bulletin was updated on 17 Dec 2014. See Change History below for a summary of the changes.

Vulnerability Details

CVE-ID:CVE-2014-0224

**DESCRIPTION:**OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic.

CVSS Base Score: 5.8
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/93586&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Affected Products and Versions

This security exposure affects network connections between the Tivoli Storage Manager client and VMware or NetApp services only and affects the Tivoli Storage Manager Backup-Archive client at these release levels:

  • **7.1:**7.1.0.0 through 7.1.0.x
  • 6.4: 6.4.0.0 through 6.4.2.0
  • 6.3: 6.3.0.0 through 6.3.2.1
  • 6.2: all levels
  • 6.1: all levels. TSM 6.1 is beyond End of Support.

Remediation/Fixes

For VMware, you can apply the VMware patch to your affected ESXi servers as documented in the VMware security advisory (see <http://www.vmware.com/security/advisories/VMSA-2014-0006.html&gt;) which prevents clients from having the security exposure, or you can apply the fixing level indicated in the following table to fix the client.

For NetApp, apply the fixing level indicated in the following table.

TSM Release First Fixing VRMF Level Client Platform APAR Link to first fixing level
7.1 7.1.1.0 AIX
Linux x86
Windows x64 None http://www.ibm.com/support/docview.wss?uid=swg24038141
6.4

| 6.4.2.1

| AIX
Linux x86
Windows x32
Windows x64| None

| http://www.ibm.com/support/docview.wss?uid=swg24038504

6.3| 6.3.2.2| AIX
Linux x86
Windows x32
Windows x64| None| http://www.ibm.com/support/docview.wss?uid=swg24037930
6.2 and 6.1|
|
|
| Upgrade to 6.3 (6.3.2.2 or higher), 6.4 (6.4.2.1 or higher), or 7.1 (7.1.1.0 or higher).

Workarounds and Mitigations

None

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N