Lucene search

K
ibmIBMD4D42F15E592E98F112EFA53B5158D86EA79E4A7294251AB7991615DF7CA6494
HistoryMar 29, 2023 - 1:48 a.m.

Security Bulletin: OpenSSL vulnerability in IBM SAN Volume Controller and Storwize Family (CVE-2014-0224)

2023-03-2901:48:02
www.ibm.com
15

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.974 High

EPSS

Percentile

99.9%

Summary

Security vulnerability in OpenSSL

Vulnerability Details

**CVEID:**CVE-2014-0224

DESCRIPTION: SSL/TLS MITM vulnerability

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL. SVC and Storwize systems use OpenSSL server functionality and some versions are vulnerable (see below).

CVE-2014-0224
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM SAN Volume Controller
IBM Storwize V7000
IBM Storwize V5000
IBM Storwize V3700
IBM Storwize V3500

All products are affected when running code releases 6.4, 7.1, 7.2 and 7.3 except for versions 6.4.1.10, 7.1.0.10, 7.2.0.7 or 7.3.0.3 and above.

Remediation/Fixes

For IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, install the following code levels or higher:

7.1.0.10
7.2.0.7
7.3.0.3

Latest SAN Volume Controller Code
Latest Storwize V7000 Code
Latest Storwize V5000 Code
Latest Storwize V3700 Code
Latest Storwize V3500 Code

Workarounds and Mitigations

Ensure that all users who have access to the system are authenticated by another security system such as a firewall.

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.974 High

EPSS

Percentile

99.9%

Related for D4D42F15E592E98F112EFA53B5158D86EA79E4A7294251AB7991615DF7CA6494