Lucene search

IBMCC7E9F5BD3D20273CC222979077E4B7F3A894A6B5AB18E1BACEA50775762946B

HistoryJun 29, 2018 - 1:21 p.m.

Security Bulletin: Security vulnerabilities in OpenSSL used by IBM PureApplication Systems ( CVE-2017-3737 CVE-2017-3738)

2018-06-2913:21:03

www.ibm.com

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

JSON

Summary

OpenSSL, used by the IBM PureApplication System, has security vulnerabilities were disclosed by OpenSSL project. The following vulnerabilities have been addressed.

Vulnerability Details

CVEID: CVE-2017-3737 DESCRIPTION: An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and high availability impact.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136077 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-3738 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136078 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM PureApplication System V2.2.3.0
IBM PureApplication System V2.2.3.1
IBM PureApplication System V2.2.3.2
IBM PureApplication System V2.2.4.0
IBM PureApplication System V2.2.5.0
IBM PureApplication System V2.2.5.1

Remediation/Fixes

The solution is to upgrade the IBM PureApplication System to the following fix level:

IBM PureApplication System V2.2.5.2

IBM recommends upgrading to a fixed version of the product. Contact IBM for assistance.

Link to download:

https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.5.2&platform=All&function=fixId&fixids=openssl_patch_Apr2018-sys&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp

Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159>

Workarounds and Mitigations

None

CPENameOperatorVersion
pureapplication systemeq2.2.5.1
pureapplication systemeq2.2.5.0
pureapplication systemeq2.2.4.0
pureapplication systemeq2.2.3.2
pureapplication systemeq2.2.3.1
pureapplication systemeq2.2.3.0

Name	Operator	Version
pureapplication system	eq	2.2.5.1
pureapplication system	eq	2.2.5.0
pureapplication system	eq	2.2.4.0
pureapplication system	eq	2.2.3.2
pureapplication system	eq	2.2.3.1
pureapplication system	eq	2.2.3.0