History: Jul 24, 2020 - 10:49 p.m.

Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Sterling Connect:Express for UNIX (CVE-2018-0734 and CVE-2018-5407)

www.ibm.com
openssl
sterling connect:express
cve-2018-0734
cve-2018-5407
vulnerabilities
unix
ibm
remediation
mitigations

EPSS: 0.003 (percentile 71.6%)

Summary

OpenSSL vulnerabilities were disclosed on October 30, 2018 (CVE-2018-0734) and November 02, 2018 (CVE-2018-5407) by the OpenSSL Project. OpenSSL is used by Sterling Connect:Express for UNIX. Sterling Connect:Express for UNIX has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2018-0734 **DESCRIPTION:** The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use timing variations in the signing algorithm to recover the private key. Reported by Samuel Weiser.

At the time of publishing this security bulletin the vulnerability score is still undergoing analysis. Visit https://nvd.nist.gov/vuln/detail/CVE-2018-0734 for an updated status.

CVSS v3.0 Base Score: 5.1
CVSS v3.0 Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152085 for the current score
CVSS v3.0 Environmental Score*: Undefined
CVSS v3.0 Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVEID: CVE-2018-5407 **DESCRIPTION:** OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitectural timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key. Reported by Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri.

CVSS v3.0 Base Score: 4.7
CVSS v3.0 Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152484 for the current score
CVSS v3.0 Environmental Score*: Undefined
CVSS v3.0 Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products and Versions

IBM Sterling Connect:Express for UNIX 1.5.0.15

All versions prior to and including 1.5.0.15 iFix 150-1509

Remediation/Fixes

Apply the OpenSSL 1.0.2q updater for Connect:Express for UNIX, available on Fix Central.
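The fix is an OpenSSL version bump, so the practical verification is to confirm that the OpenSSL actually loaded by the product is at the 1.0.2q level or later. The script below is an added example written for this page, not IBM's or OpenSSL's own tooling: it parses an `openssl version` banner (or the banner embedded in a `libcrypto` shared object) and classifies it against 1.0.2q. Only the 1.0.2 branch named in this bulletin is judged; other branches are reported as `unknown` rather than assuming fix levels the bulletin does not state. The sample banners in the comments and usage are constructed test inputs, and the `strings` utility is assumed to be installed.

```shell
#!/bin/sh
# Added example (not IBM's or OpenSSL's code): classify an OpenSSL version
# banner against the 1.0.2q fix level this bulletin names. Only the 1.0.2
# branch is judged; other branches are reported as "unknown" because the
# bulletin does not state their fix levels.

alpha=abcdefghijklmnopqrstuvwxyz

# openssl_102_status "<banner>" prints one of:
#   fixed      - 1.0.2 branch at letter q or later (e.g. "OpenSSL 1.0.2q  20 Nov 2018")
#   vulnerable - 1.0.2 branch before q; plain "1.0.2" with no letter counts as before "a"
#   unknown    - banner unparsable, or not the 1.0.2 branch
openssl_102_status() {
    # Keep "1.0.2k" from a banner such as "OpenSSL 1.0.2k-fips  26 Jan 2017";
    # the "-fips" suffix and the build date are dropped.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.2|1.0.2[a-z]) ;;
        *) echo unknown; return 0 ;;
    esac
    letter=${ver#1.0.2}
    # 0-based position of the patch letter in the alphabet: "q" is 16.
    # An empty letter strips the whole alphabet, giving position 0.
    prefix=${alpha%%"$letter"*}
    if [ "${#prefix}" -ge 16 ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# check_local_openssl [openssl-binary]: classify the banner of the system (or
# given) openssl command. Connect:Express may link its own libcrypto, so this
# only describes the binary you point it at, not necessarily the product.
check_local_openssl() {
    bin=${1:-openssl}
    if command -v "$bin" >/dev/null 2>&1; then
        openssl_102_status "$("$bin" version 2>/dev/null)"
    else
        echo unknown
    fi
}

# libcrypto_status <path-to-libcrypto.so>: read the version banner embedded
# in a shared object (assumes the binutils "strings" utility is present), so
# the library a product actually maps can be checked directly.
libcrypto_status() {
    line=$(strings -a "$1" 2>/dev/null | grep '^OpenSSL [0-9]' | head -n 1)
    if [ -n "$line" ]; then
        openssl_102_status "$line"
    else
        echo unknown
    fi
}

# Usage: sh check_openssl.sh /path/to/libcrypto.so [...]
if [ "$#" -gt 0 ]; then
    for lib in "$@"; do
        printf '%s: %s\n' "$lib" "$(libcrypto_status "$lib")"
    done
fi
```

Run it against the `libcrypto` shipped in the Connect:Express installation directory (or the one listed by `ldd` for the product's binaries) rather than against `/usr/bin/openssl`, since a patched system library says nothing about a privately bundled copy.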

Workarounds and Mitigations

No workaround; applying the fix is the recommended mitigation.