Lucene search

K
ibmIBMC98742B877B2C201166B837BC2C23F231BE604BF071711015BA45A10D5709CDE
HistoryJun 18, 2018 - 12:09 a.m.

Security Bulletin:Vulnerabilities in Open Source OpenSSL affects the IBM FlashSystem V9000 (CVE-2015-1788, CVE-2015-1789, CVE-2015-1791, and CVE-2015-3216)

2018-06-1800:09:58
www.ibm.com
7

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

Summary

There are vulnerabilities in the Open Source OpenSSL version that is used by the IBM® FlashSystem™ V9000. An exploit of these vulnerabilities could result in a denial of service. One vulnerability can result in a race condition, the result of which is of unknown impact.

Vulnerability Details

CVEID: CVE-2015-1788 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error when processing an ECParameters structure over a specially crafted binary polynomial field. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/103778 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-1789 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an out-of-bounds read in X509_cmp_time. An attacker could exploit this vulnerability using a specially crafted certificate or CRL to trigger a segmentation fault.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/103779 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-1791 DESCRIPTION: A double-free memory error in OpenSSL in the ssl3_get_new_session_ticket() function has an unknown impact. By returning a specially crafted NewSessionTicket message, an attacker could cause the client to reuse a previous ticket resulting in a race condition.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/103609 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-3216 DESCRIPTION: OpenSSL shipped with Red Hat Enterprise Linux is vulnerable to a denial of service, caused by an out-of-bounds memory read error in ssleay_rand_bytes() function. By sending specially crafted data, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103915
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

FlashSystem V9000 including machine type and models (MTMs) for all available code levels. MTMs affected include 9846-AC2 and 9848-AC2.

Remediation/Fixes

You should verify that applying this fix does not cause any compatibility issues.

Product VRMF APAR Remediation/First Fix
V9000 MTMs:
9846-AE2,
9848-AE2,
9846-AC2,
9848-AC2 A code fix is now available, the VRMF of this code level is 7.5.1.0 (or later) for both the storage enclosure nodes (-AEx) and the control nodes (-ACx) _ _N/A No workarounds or mitigations, other than applying this code fix, are known for this vulnerability

7.5.1.0 is available @ IBM’s Fix Central**:**V9000 fixes, download 7.5.1.0 or later

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm flashsystem v9000eqany

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P