Security Bulletin: IBM Safer Payments is vulnerable to multiple OpenSSL vulnerabilities (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841)

Published: 2023-04-24 14:14:49
Source: www.ibm.com
ibm safer payments
openssl vulnerabilities
version update
cve-2021-23839
cve-2021-23840
cve-2021-23841
sslv2
denial of service
integer overflow
null pointer dereference

CVSS2: 5.0 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Partial

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High

EPSS: 0.008 (Low), percentile 82.3%

Summary

IBM Safer Payments bundles OpenSSL and is therefore exposed to the OpenSSL vulnerabilities listed below. The fixed IBM Safer Payments versions named under Remediation/Fixes address them.

Vulnerability Details

CVEID: CVE-2021-23839
**DESCRIPTION:** OpenSSL 1.0.2 servers that support SSLv2 could accept a connection after a version rollback attack, because the padding check that implements SSLv2 rollback protection has its logic inverted. A client that also supports newer SSL/TLS versions is required to use a special form of RSA padding when it negotiates SSLv2, and a server that also supports newer versions is supposed to reject a connection carrying that padding, since it indicates a rollback. The inverted check instead accepts such a connection and erroneously rejects a normal SSLv2 connection attempt. A server is affected only if all three of the following hold: SSLv2 support was enabled at compile time, SSLv2 support is enabled at runtime, and SSLv2 ciphersuites are configured (each of these is off by default).
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196849 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2021-23840
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an integer overflow in EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate. When the input length is close to the maximum value an int can hold on the platform, the output length argument can overflow: the call still returns 1 (success) but reports a negative output length, which can cause the calling application to behave incorrectly or crash. By supplying such an overly long input to an affected application, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196848 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-23841
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the X509_issuer_and_serial_hash() function, which fails to handle errors that occur while parsing the issuer field of an X.509 certificate. OpenSSL itself never calls this function, so only applications that call it directly on certificates obtained from untrusted sources are exposed. By supplying a certificate with a maliciously constructed issuer field to such an application, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196847 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s): IBM Safer Payments

Version(s): 5.7.0.00 - 5.7.0.12, 6.0.0.00 - 6.0.0.09, 6.1.0.00 - 6.1.0.07, and 6.2.0.00 - 6.2.1.02

Remediation/Fixes

Update IBM Safer Payments to the fixed build for the release stream in use: 5.7.0.13, 6.0.0.10, 6.1.0.08 or 6.2.1.03, or any later build of that stream.

Refer to the IBM Safer Payments documentation to download the updates.
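The following script is an added example, not IBM's code or tooling: it checks IBM Safer Payments version strings against the affected ranges and fixed builds stated in this bulletin, so an inventory of installations can be triaged before the update. The function names, the four-field version parsing and the sample inventory are my own assumptions; the version ranges are copied from the Affected Products and Versions and Remediation/Fixes sections above.

```python
"""Triage IBM Safer Payments versions against this bulletin.

Added example (not IBM code). The ranges below are transcribed from the
bulletin; the host names in SAMPLE_INVENTORY are constructed, not real.
"""

# Per release stream: (inclusive affected range, first fixed build).
AFFECTED_RANGES = {
    "5.7": (("5.7.0.00", "5.7.0.12"), "5.7.0.13"),
    "6.0": (("6.0.0.00", "6.0.0.09"), "6.0.0.10"),
    "6.1": (("6.1.0.00", "6.1.0.07"), "6.1.0.08"),
    "6.2": (("6.2.0.00", "6.2.1.02"), "6.2.1.03"),
}


def parse_version(text):
    """Parse a four-field dotted build string such as '6.2.1.02' into an
    int tuple so that it compares numerically ('6.2.1.02' < '6.2.1.10').
    The four-field format is an assumption based on the bulletin's strings."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version):
    """Return (status, first_fixed_build) for one version string.

    status is 'affected' (inside a listed range), 'fixed' (at or above the
    fixed build of that stream, honouring the bulletin's 'or higher') or
    'unknown' (a stream the bulletin does not list, so it cannot be judged
    from this bulletin alone).
    """
    v = parse_version(version)
    stream = f"{v[0]}.{v[1]}"
    if stream not in AFFECTED_RANGES:
        return ("unknown", None)
    (low, high), fixed = AFFECTED_RANGES[stream]
    if parse_version(low) <= v <= parse_version(high):
        return ("affected", fixed)
    if v >= parse_version(fixed):
        return ("fixed", fixed)
    return ("unknown", fixed)  # defensive: a build between the range and the fix


def hosts_needing_update(inventory):
    """Given (hostname, version) pairs, return (hostname, version, fixed)
    for every host whose version falls in an affected range."""
    result = []
    for host, version in inventory:
        status, fixed = assess(version)
        if status == "affected":
            result.append((host, version, fixed))
    return result


# Constructed sample inventory for demonstration; not real hosts.
SAMPLE_INVENTORY = [
    ("sp-prod-01", "6.2.1.02"),  # last affected build of the 6.2 stream
    ("sp-prod-02", "6.2.1.03"),  # first fixed build of the 6.2 stream
    ("sp-uat-01", "6.0.0.05"),   # inside the 6.0 affected range
    ("sp-dev-01", "5.7.0.13"),   # fixed 5.7 build
    ("sp-dev-02", "6.1.0.09"),   # above the 6.1 fix ("or higher")
]

if __name__ == "__main__":
    for host, version, fixed in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected; update to {fixed} or higher")
```

The script does not query any installation; feed it the version strings reported by each deployment. A stream the bulletin does not list comes back as "unknown" rather than "fixed", because this bulletin says nothing about it.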

Workarounds and Mitigations

None

