Lucene search

IBMD0436708E17AE06481C5D812D4085089BCF7263B197EC4C10E8312B7221AB351

HistoryFeb 22, 2022 - 7:50 p.m.

Security Bulletin: Sweet32 vulnerability affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-2183)

2022-02-2219:50:07

www.ibm.com

125

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

76.8%

JSON

Summary

Sweet32 vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center). IBM Spectrum Control and Tivoli Storage Productivity Center have addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2016-2183**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Spectrum Control 5.2.8 through 5.2.13
Tivoli Storage Productivity Center 5.2.0 through 5.2.7.1
Tivoli Storage Productivity Center 5.1.0 through 5.1.1.14

The versions listed above apply to all licensed offerings of IBM Spectrum Control and Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.

Remediation/Fixes

The solution is to apply an appropriate IBM Spectrum Control (Tivoli Storage Productivity Center) fix maintenance for each named product. Follow the link below, select the correct product version. Click on the download link and follow the Installation Instructions. The solution should be implemented as soon as practicable.

Starting with 5.2.8, Tivoli Storage Productivity Center has been renamed to IBM Spectrum Control.

Note: It is always recommended to have a current backup before applying any update procedure.

IBM Spectrum Control 5.2.x and Tivoli Storage Productivity Center V5.1.x

Release	First Fixing VRM Level	Link to Fix/Fix Availability Target
5.2.x	5.2.14	<http://www.ibm.com/support/docview.wss?uid=swg21320822>
5.1.x	5.1.1.15	<http://www.ibm.com/support/docview.wss?uid=swg21320822>

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm spectrum controleq5.2.8
ibm spectrum controleq5.2.9
ibm spectrum controleq5.2.10
ibm spectrum controleq5.2.11
ibm spectrum controleq5.2.12
ibm spectrum controleq5.2.13
ibm spectrum controleq5.1
ibm spectrum controleq5.1.1
ibm spectrum controleq5.2
ibm spectrum controleq5.2.1

Name	Operator	Version
ibm spectrum control	eq	5.2.8
ibm spectrum control	eq	5.2.9
ibm spectrum control	eq	5.2.10
ibm spectrum control	eq	5.2.11
ibm spectrum control	eq	5.2.12
ibm spectrum control	eq	5.2.13
ibm spectrum control	eq	5.1
ibm spectrum control	eq	5.1.1
ibm spectrum control	eq	5.2
ibm spectrum control	eq	5.2.1