History: Jul 24, 2020 - 10:49 p.m.

Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Sterling Connect:Express for UNIX (CVE-2018-0734 and CVE-2018-5407)

2020-07-24 22:49:37
www.ibm.com

5.9 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

Summary

OpenSSL vulnerabilities were disclosed on October 30, 2018 (CVE-2018-0734) and November 02, 2018 (CVE-2018-5407) by the OpenSSL Project. OpenSSL is used by Sterling Connect:Express for UNIX. Sterling Connect:Express for UNIX has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2018-0734
DESCRIPTION: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Reported by Samuel Weiser.

At the time of publishing this security bulletin the vulnerability score is still undergoing analysis. Visit https://nvd.nist.gov/vuln/detail/CVE-2018-0734 for an updated status.

CVSS v3.0 Base Score: 5.1
CVSS v3.0 Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152085 for the current score
CVSS v3.0 Environmental Score*: Undefined
CVSS v3.0 Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVEID: CVE-2018-5407
DESCRIPTION: OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key. Reported by Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri.

CVSS v3.0 Base Score: 4.7
CVSS v3.0 Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152484 for the current score
CVSS v3.0 Environmental Score*: Undefined
CVSS v3.0 Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products and Versions

IBM Sterling Connect:Express for UNIX 1.5.0.15

All versions prior to and including 1.5.0.15 iFix 150-1509

Remediation/Fixes

Apply the OpenSSL 1.0.2q updater for Connect:Express for UNIX, available on Fix Central.
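As an added verification step (not part of the IBM bulletin), the following POSIX shell functions take the output of `openssl version` from a Connect:Express host and report whether the 1.0.2 build is at or past the 1.0.2q level the updater delivers. They assume the single-letter patch suffix scheme of the OpenSSL 1.0.2 series and treat any other branch as out of scope for this bulletin.

```shell
#!/bin/sh
# Added example: compare an OpenSSL 1.0.2 version string against the fixed
# level named in the bulletin. Assumes versions look like "1.0.2q" (single
# lowercase patch letter, optional "-fips"/"-dev" style tag after it).

FIXED_VERSION="1.0.2q"   # level stated in the bulletin's Remediation section

# letter_index: map an empty suffix to 0 and a patch letter a..z to 1..26,
# so releases can be compared numerically ("" < "a" < ... < "q" < "r").
letter_index() {
    case "$1" in
        "") echo 0 ;;
        *)  printf '%d\n' "$(( $(printf '%d' "'$1") - 96 ))" ;;
    esac
}

# parse_openssl_version: pull the version token out of `openssl version`
# output, e.g. "OpenSSL 1.0.2q  20 Nov 2018" -> "1.0.2q".
parse_openssl_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# openssl_at_or_past_fix VERSION
#   returns 0 when VERSION is a 1.0.2 release at or past 1.0.2q,
#           1 when it is an older 1.0.2 release (still exposed),
#           2 when it is not a 1.0.2 release (outside this bulletin's scope).
openssl_at_or_past_fix() {
    ver="$1"
    case "$ver" in
        1.0.2*) ;;
        *) return 2 ;;
    esac
    suffix="${ver#1.0.2}"        # "q", "p", "" ...
    suffix="${suffix%%-*}"       # drop "-fips", "-dev" style tags
    have=$(letter_index "$suffix")
    need=$(letter_index "${FIXED_VERSION#1.0.2}")
    [ "$have" -ge "$need" ]
}

# Example run against a constructed version banner (not a real host):
banner="OpenSSL 1.0.2p  14 Aug 2018"
v=$(parse_openssl_version "$banner")
if openssl_at_or_past_fix "$v"; then
    echo "$v: at or past $FIXED_VERSION"
else
    echo "$v: below $FIXED_VERSION (rc=$?), apply the updater"
fi
```

Run it with the real banner from the product's bundled OpenSSL rather than the system library, since the bulletin concerns the copy shipped with Connect:Express.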

Workarounds and Mitigations

No workaround; applying the fix is the recommended mitigation.
