OpenSSL vulnerabilities were disclosed on October 30, 2018 (CVE-2018-0734) and November 02, 2018 (CVE-2018-5407) by the OpenSSL Project. OpenSSL is used by Sterling Connect:Express for UNIX. Sterling Connect:Express for UNIX has addressed the applicable CVEs.
CVEID: CVE-2018-0734 **DESCRIPTION: **The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Reported by Samuel Weiser.
At the time of publishing this security bulletin the vulnerability score is still undergoing analysis. Visit https://nvd.nist.gov/vuln/detail/CVE-2018-0734 for an updated status.
CVSS v3.0 Base Score: 5.1
CVSS v3.0 Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152085> for the current score
CVSS v3.0 Environmental Score*: Undefined
CVSS v3.0 Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVEID: CVE-2018-5407 **DESCRIPTION: **OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key. Reported by Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri.
CVSS v3.0 Base Score: 4.7
CVSS v3.0 Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152484> for the current score
CVSS v3.0 Environmental Score*: Undefined
CVSS v3.0 Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
IBM Sterling Connect:Express for UNIX 1.5.0.15
All versions prior to and including 1.5.0.15 iFix 150-1509
Apply the OpenSSL 1.0.2q updater for Connect:Express for Unix available on Fix Central .
No workaround, applying the fix is the recommended mitigation.