Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293)

2021-06-0822:18:27

www.ibm.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.956 High

EPSS

Percentile

99.1%

JSON

Summary

OpenSSL vulnerabilities were disclosed on March 19, 2015 by the OpenSSL Project. IBM DataPower Gateway has addressed the corresponding applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0287 DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an error related to the reuse of a structure in ASN.1 parsing. An attacker could exploit this vulnerability using an invalid write to corrupt memory and execute arbitrary code on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-0289 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle missing outer ContentInfo by the PKCS#7 parsing code. An attacker could exploit this vulnerability using a malformed ASN.1-encoded PKCS#7 blob to trigger a NULL pointer dereference.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101669 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0292 DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an error when processing base64 encoded data. An attacker could exploit this vulnerability using specially-crafted base 64 data to corrupt memory and execute arbitrary code on the system and cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101670 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-0293 DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending a specially-crafted SSLv2 CLIENT-MASTER-KEY message, a remote attacker could exploit this vulnerability to trigger an assertion.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101671 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Note that the following vulnerabilities disclosed on the same day do not impact DataPower appliances: CVEID:CVE-2015-0291 CVEID:CVE-2015-0207 CVEID:CVE-2015-0208 CVEID:CVE-2015-0209 CVEID:CVE-2015-0285 CVEID:CVE-2015-0286 CVEID:CVE-2015-0288 CVEID:CVE-2015-0290 CVEID: CVE-2015-1787

Affected Products and Versions

IBM DataPower Gateway appliances all versions through 6.0.0.13, 6.0.1.9, 7.0.0.6, and 7.1.0.4

Remediation/Fixes

Fix is available in versions 6.0.0.14, 6.0.1.10, 7.0.0.7. Refer to _APAR _IT07854 for URLs to download the fix.

This bulletin will be updated when a fix is made available for DataPower 7.1.x version.

For customers on DataPower 5.x versions, IBM recommends upgrading to a fixed, supported version of the product

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm datapower gatewayeq5.0.0
ibm datapower gatewayeq6.0.0
ibm datapower gatewayeq6.0.1
ibm datapower gatewayeq7.0.0
ibm datapower gatewayeq7.1