# Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server in IBM Cloud
## Summary
There are multiple security vulnerabilities that affect IBM WebSphere Application Server in IBM Cloud.
## Vulnerability Details
**CVEID:** [CVE-2017-1743](<https://vulners.com/cve/CVE-2017-1743>)
**DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information, caused by improper handling of Administrative Console panel fields. When exploited, an attacker could browse the file system.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134933> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
**CVEID:** [CVE-2015-0899](<https://vulners.com/cve/CVE-2015-0899>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101770> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>)
**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After updating, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
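Why an unsalted hash matters, and why the bulletin insists on changing the password after patching, is easier to see in code. The following is an added illustration written for this page, not IBM or GSKit code: the bulletin does not name the hash GSKit used, so SHA-256 stands in for the unsalted function and PBKDF2-HMAC-SHA256 for the salted replacement, and the wordlist is constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the demonstration; real attacks use far larger lists.
WORDLIST = ["password", "welcome1", "websphere", "ihsadmin", "Summer2018"]


def unsalted_hash(password):
    """Unsalted digest: the same password always yields the same hash.
    SHA-256 is assumed here as a stand-in; the bulletin does not name the
    hash GSKit used, only that it was unsalted."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def precompute_table(wordlist):
    """One precomputed table answers every unsalted hash ever stored."""
    return {unsalted_hash(word): word for word in wordlist}


def recover_unsalted(stored_hash, table):
    """A single dictionary lookup; no hashing at attack time."""
    return table.get(stored_hash)


def salted_hash(password, salt, iterations=100_000):
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256 assumed here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_salted_record(password):
    """Fresh 16-byte salt per stored password; the salt is stored beside the hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password, salt, stored_hash):
    """Constant-time comparison of the re-derived hash against the stored one."""
    return hmac.compare_digest(salted_hash(password, salt), stored_hash)


def recover_salted(stored_hash, salt, wordlist):
    """With a salt the precomputed table is useless: every guess must be
    re-derived per record at the KDF's cost. A weak password still falls to a
    short list, which is why the bulletin says to change it after patching."""
    for word in wordlist:
        if verify_salted(word, salt, stored_hash):
            return word
    return None
```

The two recovery functions make the point: `recover_unsalted` costs one table lookup per KDB file and the table is built once for all victims, whereas `recover_salted` has to pay the full KDF cost per guess per record. Patching changes the storage format but not the password already stored, so a password that is in the attacker's list stays recoverable until it is replaced.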
**CVEID:** [CVE-2018-1553](<https://vulners.com/cve/CVE-2018-1553>)
**DESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by mishandling of exceptions by the SAML Web SSO feature.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142890> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
**CVEID:** [CVE-2012-5783](<https://vulners.com/cve/CVE-2012-5783>)
**DESCRIPTION:** Apache Commons HttpClient, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79984> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
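The check that Commons HttpClient omitted is the comparison between the hostname the client intended to reach and the names the certificate was issued for; a certificate for any domain that chains to a trusted CA is otherwise accepted. The following added example, written for this page and not taken from HttpClient or WebSphere, implements that comparison in Python over certificate data laid out the way `ssl.SSLSocket.getpeercert()` returns it (subject alternative names first, subject CN only as a fallback, RFC 6125 wildcard rules), and contrasts it with the accept-anything behaviour the bulletin describes. The certificates are constructed subject data only, with no keys or signatures.

```python
import ipaddress


def _label_match(pattern, hostname):
    """RFC 6125-style name matching: case-insensitive; '*' is allowed only as
    the entire leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matches_hostname(cert, hostname):
    """True only if `cert` was issued for `hostname`.
    `cert` uses the dict layout of ssl.SSLSocket.getpeercert()."""
    try:
        ipaddress.ip_address(hostname)
        return False  # IP literals need an iPAddress SAN; this example covers DNS names only
    except ValueError:
        pass
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        # When SAN dNSNames are present they are authoritative and the CN is ignored.
        return any(_label_match(name, hostname) for name in dns_names)
    # No SAN dNSName: fall back to the subject Common Name.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _label_match(value, hostname)
    return False


def vulnerable_accepts(cert, hostname, chain_valid=True):
    """The behaviour the bulletin describes: a certificate whose chain
    validates is accepted regardless of the name it carries."""
    return chain_valid


# Constructed certificates (subject data only; no real keys or signatures).
LEGIT_CERT = {
    "subject": ((("commonName", "payments.example.com"),),),
    "subjectAltName": (("DNS", "payments.example.com"), ("DNS", "*.example.com")),
}
# A certificate legitimately issued to an attacker-controlled domain, as a
# man-in-the-middle would present it to the client.
MITM_CERT = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "payments.example.com"),),)}
```

Both certificates pass chain validation, so `vulnerable_accepts` lets the man-in-the-middle certificate through; `matches_hostname` rejects it because none of its names is the host the client asked for. Modern Java clients get this check from the platform's `HostnameVerifier`; the point of the example is what that verifier has to do.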
**CVEID:** [CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92889> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
**CVEID:** [CVE-2012-1007](<https://vulners.com/cve/CVE-2012-1007>)
**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the upload-submit.do, processSimple.do and struts-cookbook/processDyna.do scripts. A remote attacker could exploit this vulnerability using the name or message parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/73052> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly restrict the Validator configuration in ActionServlet.java. An attacker could exploit this vulnerability to modify validation rules and error messages.
CVSS Base Score: 4.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)
**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the ActionForm instance's failure to protect components in server memory from unintended remote operations. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>)
**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>)
**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>)
**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow to cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>)
**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
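The mechanism behind duplicated PRNG state across fork() is general: the child receives a copy of the parent's memory, generator state included, so two children that never reseed emit the same byte stream. The following added example, written for this page and not GSKit or ICC code, models that with a constructed counter-mode generator and `copy.deepcopy` in place of a real `os.fork()` (the copied-state effect is identical), then shows the fix of reseeding from the OS in each child. The bulletin's condition that multiple ICC instances be loaded is specific to GSKit and is not modelled here.

```python
import copy
import hashlib
import os


class CounterDrbg:
    """Minimal deterministic generator: block i = SHA-256(key || i).
    A constructed stand-in for an in-process PRNG whose whole state lives in
    memory; it is not GSKit's ICC generator."""

    def __init__(self, seed):
        self.key = seed
        self.counter = 0

    def random_bytes(self, n):
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return out[:n]

    def reseed(self, entropy):
        """Fold fresh entropy into the key and restart the counter."""
        self.key = hashlib.sha256(self.key + entropy).digest()
        self.counter = 0


def simulate_fork(parent):
    """fork() hands the child a copy of the parent's address space, PRNG state
    included; deepcopy models exactly that without calling os.fork()."""
    return copy.deepcopy(parent)


def session_ids_no_reseed(parent, children=2):
    """The vulnerable pattern: each child keeps generating from the inherited
    state, so every child emits the same 'random' session ID."""
    return [simulate_fork(parent).random_bytes(16) for _ in range(children)]


def session_ids_with_reseed(parent, children=2):
    """The fix: each child reseeds from the OS immediately after the fork (in
    native code, from a handler registered with pthread_atfork or the
    library's equivalent), so inherited state no longer determines its output."""
    ids = []
    for _ in range(children):
        child = simulate_fork(parent)
        child.reseed(os.urandom(32))
        ids.append(child.random_bytes(16))
    return ids
```

Session IDs are the visible symptom; the same duplicated state feeds any key or nonce the children derive, which is the "duplicate key material" risk the bulletin names. Mixing in only the child's PID is not enough, since PIDs are small and predictable; the reseed has to bring in entropy the parent never held.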
**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>)
**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys.
CVSS Base Score: 2.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
## Affected Products and Versions
These vulnerabilities affect the following versions and releases of IBM WebSphere Application Server:
Liberty
Version 9.0
Version 8.5
## Remediation/Fixes
To patch an existing service instance, refer to the IBM WebSphere Application Server bulletins listed below:
1\. [Security Bulletin: Information Disclosure in WebSphere Application Server (CVE-2017-1743)](<http://www-01.ibm.com/support/docview.wss?uid=swg22013601>)
2\. [Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>)
3\. [Security Bulletin: Multiple vulnerabilities in GSKit bundled with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>)
4\. [Security Bulletin: Information disclosure in WebSphere Application Server Liberty (CVE-2018-1553)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016218>)
5\. [Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server (CVE-2012-5783)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>)
6\. [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>)
Alternatively, delete the vulnerable service instance and create a new instance.
## Workarounds and Mitigations
None.
## Monitor IBM Cloud Status for Future Security Bulletins
Monitor the [security notifications](<https://cloud.ibm.com/status?selected=security>) on the IBM Cloud Status page to be advised of future security bulletins.
### References
[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com" )
[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com" )
## Related Information
[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>)
[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)
## Change History
20 July 2018: original document published
28 January 2019: Added CVE-2016-0702 to vulnerability details
*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of these vulnerabilities in their environments by accessing the links in the References section of this Security Bulletin.
## Disclaimer
Review the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
"35774A12657731256610BEB1ACB2AE99C105060354AA560F82DED28AE65A8B24", "3582AA92271267A0985635BDFBC8FC9F24691B1A4D1B420CDED32DF204F71D26", "362CA001FD00553BE7174C03BCCCBF89F5AB1348C42B438F71C6E4CFB81D7E56", "366FA55EE0B09B40AABB041DB433F5E49FC0E42F7988440387EBE3EED9DBAE91", "3672170404F5307E55342FF12D5BC161435454EED56F454B31FB530876413785", "374411ADB66A6B6C60B3EE4DE9977ADF2AE7482BB4DDC9927957858BCCD39B02", "376BF79A42FDC2B79EA0ACE3299D7D2BC084C5F6732575256A96FE46F43D836F", "37E84D76257762D12F144C420A6FA36A16C6055B49D7AE073144BE16FFF7F0A0", "38CCAB39CAFB6C2CE3724A92B67DF0EB31883A90C9A3CCC11561802DAE51A944", "3950A1BC0426AE4D016159E4D2CAF54A8DB5C777E8AD57B2F2EABA89B5BA76DB", "399718E68B1AC921F1F63310793CB30CE98BCB15C409BBB99985FB5BE97A027F", "39D4A3024CD82E0AB1412C8F0B7DE6C9C896CC59E99FBAB7A5A61175586A3211", "39FB3D1F38AC89BD19681FEACE87FB4DAA9E420720F8827CC4AA35F63756931E", "3B659ECA0A3490E43A993E28F17C28259C30674E3C1D43656C4A5B37F135FF29", "3B826EAB18C1A518F8D22E8F7FFF55C00DF82EA52E88F8876C57FD51DE324D2D", "3C34CA137D675C01FA30FF52E4840DE4F8835BDD73CFE7BE14C18869DE46A7B2", "3C630E87CC8A98E980FC5838CF94096C676B99FA65014F79A0F1057053EEB9E0", "3C85B3C7443FFDE0DF64A3D0D4869686417DA52714135E90BD49D23E0331CD9E", "3CE0DEF06FC9CE41C148F15E374E35024D02AFF49A540400F0AD056CB1C2A1C4", "3CFF13ADA1D4912594BB3AC9D0D9ACB17881A208B1AD8998A1E8BD64DD6C5268", "3D737E91C4B3785D05EA6B518DF81A98A3D897F7446C9E2969F3A9E22A7F3BF4", "3D8540513E9389E52505EF4CCF99C1FC5DC8928BFA49128170D48087D1264725", "3DAB255772B5C0465CD2A50FC27BF93D482025FE8D7247F3C147E19AC9F9AFD2", "3DF4EFFCBD4398CD9D2C6995C59DEC9020B7665B1A75D2B23F0CFA94C34BBB8A", "3E24178C007E709BA47FFA90778DD34D7B8EB78DA65A804C849ACB792DBEEBB8", "3E3AF8AC7BA63076BEE8FFB670B3A3F27E0903C83526E54496E50EB2DF74B875", "3E4520A9DDDBF10F6B94F393C5ACDA44738184D5CB46AB64AABDC963283BECFE", "3EA2C45E4F9382C2531F88095D1BC135577CA607AD54B9DD5A62C3E8C85EF769", "3ED9EC3F8407924DA03D3ABC905C0426524C3277480EB60950F0B1E4F641977E", 
"3F50B90AA067D7B221DE01833CF094A0A4B8DFCEFA2F20192B47FCC636918D02", "3F69F1D0D10816FD8495E0C83E350D2B9E6780C77327A103789FDAA73BA20599", "3F87B04299510DB46305863338E9A0F1914960F422CD52BBCEFC7A8547CEF17D", "3FF8FCFFF09A565008FEE8326F4D0C6F26E88F2E412A67694FA1AB9A832529EC", "4045CCD240F2B35A8601219CE94DB09C4D73D63425EC22F9B94DF9CFAD2D1890", "40489FD654D3490738C1405EBC8608A52B0A582682D7CE46247662E1E7EB57A4", "40E960C4B69B3BC0992DCA14B0685310C0D6431B403E0338B65A7084D0D82E69", "411DE209066A00259E38D292C22264C2EDA3B961B523920D589433F42FB534BC", "4160090963BD22FB3E2BF953A7E6327E4E16C4C773EE12DB809E8330B23F1E41", "41CB9666A88AE67D4A0558674B8CFDA62F160B6DDCBA3C10576515447887CF12", "423AFAE9FC7C08F3F5D13BAE5029A5B524704674E8286442D7AAA6868D054858", "42B553A5257DBCE0553E09359217D9B58850595C4F83DD12BEB3762A7D09FF2D", "4337F9AE4A5A2285A37D88E12A5DAC941D106D987FD93F7005C756BEB07720F5", "437063148C0599A3C3F1CECB075FB83EAFC46606410F01E39088624674767E08", "43DA4697F34CF5D5A6799540E74541895D58CA735AF6018C2189B56DA5C5FD59", "43F04716E6B0E2BF698B22EF7A50C437F4D7B8FF87A1F35A7A342FA2BFEC87F6", "440F021094DE35C6A13F9FADEA7C56D6B4093B16EFDEAEC496EC398C5AC7A327", "444F37A66B1439774408C55A7653314698A2FD83CFE39018661304845BACFC46", "456C529F31DA6640A3957D0434060FC5A0B534D5248ACDC94996B73B3F544122", "459B6360820E0C329482DFFF91ADF8BDBC42F3EF5330A278A31EA7FECB6A0C12", "45EE862A886525741A09CA53CB36F782AC0F17020C63C71E3DF1B5FD95DE8F34", "4695FA8F517C9073437AB3503CAEBE8F17E0386BCB5FA7CF2B4627643F254646", "46D4B9F92B3C18E29E5C7BBEC13D92B5ECA31B1A6E3BE57749375938FC2B3CBC", "470FB53E20DCF01D3FF4FB7251C5868A5D215FF7480131C88B1F5C06E159D01A", "4777F5C1553B23793B9C264645B77DC8564BD5ADDE40E26C0417DA938016C274", "477FA479BE9054E0CC164D5CBC36573276E31ED55FA3953E006E3951AC5D4153", "4829928E4C7715561CB19AF103394931A0114E34E269A614FDFFC77D2F61D9C7", "48F32F0BE81F12977F3F77EC7A1B784BEEE2CB897C3A11E48967C396BAD27436", "4B7EBAB09AB01A6A2993819DB2589A79B0751770B2E5A63287320AA02BEF3420", 
"4C800D760232A012AE25AED7F8AFCFF9E3EF3D9D48D3614E764CC6588F221519", "4C98F5463E3FBB67682E7F864F699DD4A99514832D6E44999F6672401F35C8B0", "4D4083B3DCF76307CD159ABFA977289BFD623C088D7406C26A2EE54773F4845C", "4E95B5EB959CBE5490B90287812FD445A690A3158E83D37882EADCE4A7BCD44F", "503EC4AA08C4E3F9F50CED9EDFCA26510533FF79DA3DFB2BC8C3BFF7248C164E", "50C63CAB6CE7C82879629075DBEC583B457D2B0B2841FC0D9A8D67A25B64EB25", "50D29823D1F18CC1FB9A002BD0994315DDFA79FE8E446748A193B22689C93A82", "50E6A01BD478DEED9D4635F64814BCBD9DE715353A82634EA217E4D53F3DC5D2", "50F17354A0A89B52C1E061D02F78509C6F34AF2860DC46D6DFC82469E2AB6C29", "5248B9256CAD1F8D158CE63A6D338882538AB4CB774063A0FD1F9D65202CEB84", "5276D07236F09D5D4E1A38B4E304BC335E677F2639AAB1A09809E9794F9A17E1", "52CCE9C9DF1CABCE9FBD611F2F7371FCD808107B0670CF19453AF816601CCFDF", "539FD5A344951CB3146EC1C6256AC3A91344217924BD86DB5242BF2BD9D82C91", "544D090170B9F688E773EF8FC8B1618EED0EE7044F85992CF2BF1A4A2190E145", "55C6EB16408836E84C4255320770BC4F60934779CE325008D25B4951C20115C1", "5641564DE1A4B9249AC0EED2F265EE204961C428F093EC99321D93DA0AA23C3E", "564B0C92712ABFAA4A166163C3C3E90C2F818E128F44887E3BB0DF5116EC9118", "5711509DD871227FC9F7CD530DA0E06F21DDA1D522E7B1C76AC95D3AD5F6BC07", "57A11B587849D0E11C412236D22F7BCF16F25A1EFBAC8A9A8B6F2723A64C8C41", "57D2B44B0BDBE18665618368148AA52E4651641C5FADC62DDCBB1A51F9CF8997", "58C9C23A20C5D55610ECFF1953DA7C91CDE42118EE0F8DBDBF1D696C4A948D37", "58E33C1549EB4DBC850E6823A153E89AA2B58543688B7109103E107A7E7D2EBE", "591E98996DBAEC8DA2E30D3261AADF9BF750C358714362A5B9B9F30A1AC23AB8", "5A5125564C5E6100B8631DC69D64BB29F15CFE14C3E6A31A6DF6AD6E3808314A", "5B0D973A3FED1AF2D6DC61C906D27DFB052F1D42B4263EA8695D5ECC3E5F9F09", "5B26FD90EB9E8DE2F0D408077305F80DFAAE07C63D10D4B5F66A6C16421AE7DF", "5B4C19B2CA9D2714AEF1546FC810D709406148AD04288568A5EFCF5FDEF9B2D5", "5B61A8C776F5DB5A9AF0C13607CB60BA8EAB34C3208154E6FCEAAD0857CCDCEA", "5B64BCE3EE0E68F7C1E61B0134954FDB115D5AD76AD549C8F967018D7BA777A6", 
"5EE17E6FA7B2E867293769D2B457CC1C902CEA1D9C6F97B78C2166BEB5DBD8E2", "615E4369D0B07E7BA358AF447BD05A3ACC0720A255109ADB57E2A2080DB3607A", "621A492536FD0DFBA370A0EA8352863C92C02102E2A7C979D3E6F2DB59F56A53", "62B157899AFDFE3350565CDE520C60FAE6A0521AAFEE76BE82BBF76A02C1B3E6", "6303DBADEE057709C654DF5F5232AAB673061979F73C5434D17C7C2EE4FC8C78", "637F608901EF8B9FD34455682320A8EBC1B665D4F6B5C7F53F3E57AE66C9AAAA", "63C0560C61FE9A9777F6402C4988E794A31F66C8118AFA944D2596065F5D0454", "63C0B2B3226E3E98449887AA89E81C9B35F422CFE5D67FF9577B4EC869D9F5EB", "63FB87BD963C802AE05248A5B91A820121637B32C6439BE3685C2E1E04098097", "64718A406CCFAE5D2AF591487FDFB0A189E939DF11D8C72E30AAF07C12098478", "64ED9589C1E5946B109687F790BF28B004D107A0751658576B78487573777400", "651C24F34D9700DADF4A8C9CF4EE2178DB2856227FC5B92BA72BC73B0C050A56", "654F3603785F612FCB89C4655C367EC60F72994A083FCDAAF1A7F63C68137F21", "65D1ECC08FD39D88FB4523EE69BA16CC5E59614513C98F70FC4306624777C11C", "65DC12D6E8E0D53E6ED0AF1F356647C749F500509AAE6E4435FC95F00517F01C", "67AFADBAEB2E411CA50084190A35F4DAB8E622125BE85851D741B447BE13A2CF", "67EAB74129C18C510D45A8BE4796FB10CA7307ED79A3F5B643D86F3CC71C8995", "6858032AD0022691AF88FEDCEF29BB4CEA50172EAD995CAB6463B91C16637C1C", "68E7DB3D7E398B2706226213F9B1A94ACD374A065EE9538BCE2CF140B065CB08", "691466DAEE06683E49687F1AD61B1DE274EE44CA9F6E86B9BF8D7D76D6346999", "69C147CB642B39AA3250947FC1868ED542CC9C2C3BED4BA821CAD9BA0F178E84", "6A3D77C5871370931B8EF09D751C43CB7D88D1F4949B0388D3B5C4A8EB90C83D", "6AB5B24B612744A794E7F28CC88F04C811F4BB9710FE31917EFCB65EDDDF7C9A", "6CDA9CBBD4E668C70A53BD4F7D7CDE00CF73C49E1D8C5300C858682BFBB02BCB", "6D1266D7512253D04698EC2DEB85B8BF906B1F2E64F7EABD217D462B19E8EBEC", "6DB274E6F7EB4D6F538135EC07CF4443980A5C2FC8C1652E16833E39D5F430D2", "6F2C088BF5D78FB804760981ACFE38C9CC104BC5F9390812E5D324682512AD45", "704897FEF5CE3D4AA35FF51AE237FF23A83A38E10F9597332BAF89DF648929A5", "71A0E260D835E4FB784163408D486ADEA9933D2BF29E0D594920C0DE72D440F2", 
"71A473993D401FAFDA20A063C958EB3785E06B0F2833BBEB5FA0B1E2E3123139", "73288A84B49A641505C576DEDC995F44E69001C227078E86112664767072BDA2", "73613052C113EE53CC4E1916471E2FCF495F0A7CAD286D9F9DD528B4EA3EB491", "73A4E74D4C42B6050D535B368ACF1258DE6B4062962BECFDF4315D89AF7480F7", "73AC0A21A1C1C6C3987AD6559B838B31C02E7FC2112C00D32E18ABA3B130AC8F", "74157F70C55D5699B45F201DD61EDF5C806443EF31D766424E8A6EA6B97CD461", "7545FC6960BC08536BD63AD777890D26CE8FBACF18C55DCC74C636085DAC612B", "757B616252D9C5ECF905DFAC8032FBD7AB4A8DAEFD48C0BADFE2734A2E87D1AE", "76415522829E96D2199B1D5D63817545B42CAE7C008B9902D48D11CAEE020C66", "765EE754DDB2AFC25A4F81B453619E8DE782835F4B2ACED4DF8CE43B5D4C10B8", "773B648DDD169BE7B3B19B2A3EE2F643C3F7AB2B1C9642B655A39AA249D945DF", "77C6BF921A5EE4D83AAD3E81B0714C7F02AA72F5A80BC01802CC6F1440DE7948", "78B5CDD949B0594AC0F181656CB6536E0B075D4B064576C915C9BFAF10028314", "78F585E499684A44D21982BB07C498E010C527FBE1866DD676965E7AAD25664A", "790AEE8158E5072311EE0B1D8C1CACC2CAE27CA8C7B75F39AD990B40790CFB8C", "7911EC80C28F7BE157F66EC6B3E35B2999E41F97F4299CD83723DE004A5C5CC2", "796F2C51B8319B8F5B27C4E255E73CC0426625F1153FF80E70B99CD9664E6699", "79C9308A38227EABEE316B0407CBC46021561F829AEBF9659F93085D4FC63547", "7A11753B338C15D55DF3A1597718181B984266B89FF9EDD1CD2752B056D40E36", "7A811732B34C1BAA3F2209EA69EE01FCACF762E53C22EAE8A8FB7A45B4E7164D", "7AEFC9814578EA5DC2EFFAE9F289D2307A840D9868EE8B6CED3F1E668F7010FC", "7B815188E16C52B322DD4246EBAB0FC7BA3EDE14D3D566E6B024A1EA3CA43349", "7BD03C97D3450FEAE4EB4F8F33140691B9F85B4915C83AFD5212FE881A12ADDA", "7BE38BC9D9063F34BE9B8AEC73F5518E1D7B0EC8F35109DB2E64EBA48061A6DB", "7C371350C79C6F7596054D8B19A4BAAD069A8ADE699FB847B44E70E03F3D6988", "7C3AD4D2486D337092B50829947EAB274AB1C4ABD4F3B9D2F3037EB5536ABD59", "7C630DEEF9C025461097DE30AF143B45E948D8E848AEF027D365F38629529B0E", "7CF53FE09C7D25161BFAD59060E2F4269BC90C0B892337805721A0FE0A9BDA22", "7D46658778E442AD0D43B74E767B5638C73A3147A2AD662C6A1BAB31343A96D2", 
"7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E4E851053AF5C2BFADF66AC8494971BF986538EB9E1BEE4C5D8B83D2DB1BBB0", "7F000C8114EB2435F6F84C08F8823ADFC04F58942C5BAD8B27FFD4BF1D5AB155", "7FE72ED4C858FD4F010CC95764D03AAC86CD4C73FE6C4B388FE981C9E76DD0F6", "80489411CAB04FBDC8043529670BEC2C45004C175864AC8845B7DAE26D981661", "8078EA88692BF4900E790A17FB7CF06990296407B47D1C202B6465CDF769F1DE", "81D5F6F41E5617EDA7FF694BBE43496FC48B7577BB4C9C238127ECCCB1D40118", "820B1DD869225ABFDEEE5645C1D3A0F396BA3FC9E77C88E3D91F1C4FC0D9B8E3", "8215E02FB88590F4B93468E9B3C6A2785DF30F06545A788005F8AA267BB66470", "829888007050D9C11A7557C40DBAAED034B1097EC4A906EEC0D336ABDA0D0B50", "8325E2E8632F22E10CD653162D8EFC2BD56BD809EC2298B08EF585D287E1CFA8", "839F371B87C6C1B7E2DCD5C3A8BD19F178D93671B15DBD8A4ECC452EA553DF43", "83B53506562CBF4BC038C2AD61252657D2E636B6245E599AFEFEB3EB3FCFBF2B", "83DE818C5932FD800E5449ABA82FA7FDCAC7A0E2B41C5C07CC9E5CC56A3B9296", "8451DCEAC7362310C8EAA923574AFEAD09CA58D139A870AE0ED1E3D11764573B", "846E81FF4990A08DFA959515469A4B0D4FB24662001CDD3E69ECFD4D9BDC5746", "8491CF1F3DD8116411BD720BFCBC2272BEB04446394152CADFC6BA73F4D21149", "8585A81D2C6357431DB37ADDF4189DBBFAC913BE555A9B6483BF16E8E8705C85", "858896131EA815FB74E9BDD335996EEADB31086755EBD223F4051866A0275C41", "85C244F40F078C64D61F63F2C6CB1A6851B539CC7B4530BE8884CFAD733EEA2C", "85FAE0BB34F321A6840CE338BBEAE7F3FA6E0913F565911915CA6784F42254CF", "867D9ECEAB40B111EE25A99AD07419623F566D5212284F0A2C5C9E2D13C72DF2", "8731F85B75BA77CC3784CD784E98484D53CD189EA60F1F57A3A4EE351FF62B39", "87B26C2B63AF8A971A79B4CB2207EC51AF74A57FD839002466AFD594F7918F65", "880C8CCFEF3637D915CD2A945EAB6F29F1CFADA9041654A93101F51058EC852E", "88D4396F5AFD082566BDD5FF95312101BB6F94623E716D993F113380B02DC7D4", "88E396C29AABC664ACC3D5B0A3797EDDA0587772D5D9F452A2E356E7CC5BCD5D", "8A242C548ADF3E615FE6BA32C7E6F5B2DB8B1FA250ABF2329DC20A0FB32D3700", "8A273EC5B4E0D267BF1325C598530568659C444C274158543E88B980E7356184", 
"8A3C4FBF20635DD01A5B58269ABD76FF6451A13FCBB437C76C92D2484A5C9ECA", "8A4B8F016E20BE062D275D1D7DA531E398846FA5F653F9077E943F8758AD58E1", "8A621D7EC29CDC30D62E006392BDC867B806D0CB2AC163E36A955BF3F53C7DDA", "8AECCBE0CD244EF2C1818D4560A2112EBDDE17CF922BC7869D4367156735AD72", "8B65B2D389AC6D4B8DDABDC2C07AD570BA3BE907EA6FA4F956423A3FB683FF0C", "8C13A93038AC136772B2598C633467116BF44538BBB507D836B65485D5AA47D7", "8C5F9E00411BC48544E09C07DE0A9332CE9F2162272F1C9EE415D926FE3F077D", "8D964A6D85AB92A093A54D98B52835DA52D646F29F4FB8F77B0F37827E6FEFB1", "8E4DBE94121ABE32EB52144CFDD57FDF0D6884516B0DEA8E9B75FEDC0CA31C5C", "8EB2C9E7DB5013AD05B30490E2989C17EE64FBE9B0024B1E76805B1F1B95B816", "8EFB8A654D3536DD4481500A7680D75E0B2A04D2F63C829CAE130B12A35D7ED3", "8F7E9BC38CC1D5886DD8998C93E683C9367649830B463A9A5032011B60846A4C", "8F879C06D40BC6329D80ABEDCA5D3CC554195FEF26DACD9AA387DFFD5A8AC21F", "901520ED3B63C38B455DA03903E8FB69728EE34716DE39E40F928C1105397252", "91C2C4E11969518B70A8C8F53536E1FA71DEC6EC24848AC3C98F5843AFBFD45E", "9214CE38F1DD3B6CCA3C0A0D3903A565EF865C916F6409B27D0CB5862470E985", "9287DC96C9B40D0A7179453A5EC2D0BE55F127E7E426072F9E2EA5EEE0F66E7E", "939CF579A3478DA004C0DC63764E80A5A7E567E4CDC2FE8D1D3D9C5336892035", "96172B0289A3157617DE620C9610D6DE694BCA12DD20D67BEB2C4BE5720F1E6F", "96AA6E96C459B552487D37879C1210BD7926BC641E7FD69543382941733FFB5F", "96B854658FB25B1C41C7953D07DFA40702863F7DF3DA2149F3BC57ED6B4B5CAA", "96E4D95F15652DD6FBDFAE305505663BA2700F82CB47BFE477129F5E3D0B258D", "972701C7DC1452FBCF01B7BFE4A7289076C9DC38C28E80665321248205EAAF12", "9765CC2CD4E8CF43C86EE7859F7012EB2A38E6A4A80E55865CD6E4E883D3188A", "9872D764206750F6FD9C7F555D6B4C23926B755B4AE368CDD8485546CDEBC462", "98C2299E82C81E1CC3EFB8629E8262393014376C64F3F09018090397A1EA00AE", "995931660D65097007B0B8A21C31623CB9BFF9691BF4F7FB03896FA680B6BF33", "9965EF8B6018290DE095C95E2389EC362AEDAB25007DF9F656D93E932B0910F4", "99D003017B71F5B75E9C95B642A3DAAE40B18DC20129E9E9FCED6FC086965F81", 
"9B29E95933D7FC3EBCF270BA84DE60106B20376EEAFD5D4DF4DCD949178CB0AB", "9C1D1FE90E2F187821C270EFC3B5F3A57AF88428D8DB76F072CD050048739C9F", "9C6F1EFD064B98941F8B42A32A91BAB15206AC55CF09BF3BAAA5925A1B9B55C9", "9CC98367A213309185EDA7DC75FCDBBA5D5754142F33E0C8ED1B454D10CF416E", "9CCEB90B89301ED91DF7A501EF3103FD54D3AD611D342CF6E4B19E5105E84E35", "9D892AD714895E9B8DA3E59547784D03B32EADD3AC421AB0003E3191C1AE27AD", "9DCFEAFF697FCF94479FCBE5C14EBBC104B8E6B915283028D66CAE23113C0146", "9DDD0F190508F2E7A5678CB2D1EED7DBB6DDCF4E86557DF2759A163E2BE27792", "9E3B1F6158EF5703EF54F7C3064A7EB99BF9523B8A6CCF05475346791179C879", "A04FE2EEFC21C3A9305B1CF7463C731D28C17EB5521A8E54F5F564939C5E91E2", "A09274BA1A31537EA391724E8C52797113E094AE9E4EAA66FB5A50D995921587", "A10E7A45BAB7A017FB419F00D57064F9A2482F36ECDBC49D11E209F1CC8D8A4C", "A117FD05762925D936B7D3C2CDFC14E84E601A00B488EED04331F22B9C452C5F", "A380C4CD3FFEF0D1AD28C9019320AF0085267A1FC55FD33D40E61A6A71DFDFF1", "A38279E551792BA29F1FA34034CD64E94266819C4862EDC7B206E7A748D269FD", "A3EF30F3955AAED701BF16ABF8B0431F9C71951ABDCCC4904BB0F9587583D895", "A407F07EA080215A379F54A886C2CC18F7ABDCF4D0832BA9997ACABE1836FABA", "A4167E89DAF98623836F64826EDC7413C8B06B29A2E76A886419750438EAEA04", "A49F8E92510CDD96D8127764BC310529CF44A60596DB14352FF329575652A707", "A4FDFC527D8A765D6247DDB806EE98612DA0FE7BCB4E133A742D7FA9A06E39DC", "A71AFA4E20A54B2503C4A5DE40ED960DD9AFC34A35D94A0AF40474FE8CB4047A", "A758A1B10E085A8CCD4CD2CBBF9F9F41944540C517465DB005FDFD0DC4569590", "A78040AE5CC586449162ADC8068F3B4D767037DFE1D376F0562F9B1D726E247B", "A7B2D28F1E3492E411A234E996E861936D426FE8647F79D09D85E4989FFB0C19", "A8174D7A22C3240122D23595B6377AE1B153B9EAA6EF1EC848B75B89DAC79F3F", "A8A1B567F944BADF2C3904883B086755440DF569158EEB6B0C8C2202276A6F6E", "A940972EE8C6FDFEAA789156E684C0D5729686CEDFD51FCF6C875BE8FF25FBF6", "A965468AD7FD6E0FC84AAD8198928B8ABF25FC38D0638161A79D59279C9E678D", "A9B608450EE2B2505174F8F497D891A822A15EB84A1C302BA28DE13FA45B34D4", 
"AAC24A1DC4CC424B974BAE4B8C5E46B80DE2B79BE9622BA91AF2FC02770A13C7", "AAE50909D8058934D5CCB989B4CEA17B72CABD2BC4CF08576581EC909FE087A7", "AAFF9E87667B35D62A52D77B8E5C3A000AE2419974F7C14545C23704BDDC171B", "AB7A6BDEA1287F21671750002FDC1D99576DE24C70ED532EF4618EDC40B49BC8", "AB9BF82645A26195B7E3A2A88C35E5D4BA1E45784589233A145CB109453CED5E", "ABF8825C48969D423E885B7CCB57BDB86E27F87DD082837A7884ABA77320FDB1", "AC5DE01326AFA37CBA7F799502684F57AF3D9271EC49734648DB7797522AF2E8", "ACB1BEB9F23F8E2951B24CB2F49DBE6E43DA9F3C9311028237E3DCFF917143EE", "ACF676405BBB5AE27485D9F48AD72AC6E8FE2D60EE0D4B0D45374459BCE07DA3", "AD4ECEAE4A1A859F7973542989D756EF157892493578480BA674AEFB27995763", "ADD0F839178755FA4DD912718C067188513D949DB4F98877C9A6309ED84FA4C9", "AEC0722767EA21CDE0F10129C001F976425E48E7F302D7C24108AFF251D12D6D", "AF3CBD718F3297D87FDA4616011F4CD425D9EBE3BB2880108811A5CAEF018EB6", "AF4D67785B405FD4CE05E65DA8AEDE27779ED1B9C1320F323563935E9D271801", "AFD98C07066836FDE436D8FC9341B85789AD4AD9ABDCEFC7DBA79EA2B454FB9A", "AFFB8AFABDDD081CEAC397241D3C1451E9FB874F8ECFE541E10D86D499996547", "AFFD92BCC12500CEBD2822FB64DCF1EF589EA350A991DE5C09421D24BFAFD713", "B0A86AE748A5FEB5B28098C199E3AE109F5F415CD018723CC5E174C68579E28F", "B14802EE857CDC0D56AA5D6E41F9A60ACB2D2D9EC4C0DCA472BDF964DF05E984", "B244A2BC0A7BD8241EA857E58CB786A72E25AF80B5B87BE5B86DB2539034F07D", "B2EA2FBA4D280351FEA7F9EC1921C448D44F4D9EC613590A87A15467F7D34153", "B31E32800EE5EE61C586F8B5DFC333D6C5CABA4C612EEFBF461514D702869E07", "B36A668C28C4D760F6B565A18CA1708BA647B0486720FF7FEE833AC59F8D4800", "B4BA991763253D738BCAA9AB61AE50E1AA4C20D6F3366D5551C3051C29FEADB2", "B5FF3A0A4BEBE5C4947ADA43EB1B39C0645EF9ABEBE4A315AFFAEB9638C6CB41", "B61307CAECBB5590BF8837472BAB9C85B9153B31B334257C484DD1ADD641B9ED", "B62A0DF1BA325616E310706F59A3DD07DD7DC7356D343963E6F99C6D89411ED3", "B6D98686FB4CE3794F12AA810C56116765161F3CB64E9212B301423AF70BBA48", "B7714F51B8CFAA4234497F491ECC215FC91BAB3D7CF96F228B974B661D0E0297", 
"B776730BEF8B1AFBA479AE066C7AA9E78D065164B1F25B7C0DA6D8B9B59FC44F", "B7FF1129A02D2738AED73A8C157F3D6D872B530527C875906B3678301D70ECBB", "B84251E3C31E8FAF9BA0B73449F8A92CA84F7B802070A7A5FB283B62300DC251", "B8C124EE4E419DE7F41A9CB0246E9FF21300C4C9A2734EF999830B9906B65133", "B8E199CFC7A9C8DCF033928312B9AE0E344AB91916C93723350723B89FCB619A", "BA224C929D509ADDCB0F46007C0E0FACD292F79987D47E9F02DEFD7F67D0990C", "BAFE1432B61D78F2B29438C3606D2D46643F4DA3DFC6DD0FB0C4962ECD44C150", "BB06E8BD028B2DF581C4E507E45CF66921EDD872018812A67B8FFD9CD3141ABF", "BC2283C42C5754BA56D4B137D9299A766BC1E54917CDB4BD5C57BE600AAD1E60", "BC7F561FAB80D5D0A48021AB45201595C02030C9CECEBEB548DFB50B6376384A", "BDB0F371072DD759BDC908105E59960089A47593F2EC0613182245AA4BB15948", "BE28B80282A36EB5AE12EA4346DFDEB6572CBBFD3F23A4A31E09F4406B8F71BD", "BE523D88E9070A2DC41C20554C070BC6A203CA40E3C999CC7B9D52C82AF77DEF", "BEE85EA4B02F35EECF6CE37CE78C7636AEB79F838318A268C9A4BAB017A9617C", "BF241965E218490C5786B115CB2639A8CA788DC4170BC648A82E9FCC5A5AEBA4", "BFFC97D9B867396253756A09ED28B13F581A2B14A0637B4684951D9BD6071488", "C0501217B805DB60B66BE6BAE92316B764C51679EEA5027CB07C6E657F8181A2", "C0FDB3F4B7A171D3937E45DFD9D337DEA2512F2ECDE945CC40691DDEB5689DA3", "C11C390B971E777914D85592C69C15B80ABB389FD00D2D905C82AF5F4B729A91", "C138C333E90DCA6AA63BD629BDB1BDDA88BA738775F97FDCB002A66BEFF89FDD", "C18E4772030D674D152D69B21575B31602E8081D2A7D63F34DF5712FA898D8EA", "C1DE62607E696F3135AA44A9ED964385998509307175EDF6F47BDAEC9E4F6C06", "C1F769D030FC2C40F30870B89602B6E37C63D9738974975088F5749826F8EED3", "C2172119C7EA3C8DAF5775654958C15FAD557D43BF30EBA7616F82FFB6EA31E2", "C235B7972D174C17991D3BE9FF207399C75D26A49FEBB53A9E3365E459B41F62", "C24D4FCC97FD95E90382A4216040099F16203ABF61AF30281EF1C2E136253A42", "C270008C47088F4AB45570D101436BB116E08F304CC36AF51E0823C68AFCAAE8", "C2E8B6DDE464206AEDDA1C71AA033CD48E5CBB40D6C71D0239B45AA056C35190", "C31436DA6C1FDD78E2ECB68688AFD20C432119CDF718A53729D0F429AE0174AA", 
"C33C75D536D0395D907267D197964636B4CA8C5DFB52755A5682CF70BF8C7FB6", "C362DA3FCC19527A119FED83D0B6DA4D945A28BE02C6CEB71702ED777D4D16EF", "C3B05CDEF184BFD293F7EDCB8C5A430A32B9D04DDF8336E289D0609D021B85C2", "C3B567818F0068A4E76BF412FA5CD0354D004804480FA49A2095407B12E1C65E", "C43E517FC1D421455EF67F2FD82801991F21C6CCB13D090F2A6AA3849E516DE3", "C515FD20BC2695FC3C0589AB6AE6E7CE97DCEAE65F501498E887BA5060DFDA89", "C5BECC1FF633D3A61CC27E6C697004609D2D53037AA1A203924F83717DF01AC2", "C6BBE3C7D8F1A4114CC3A6D26A802803EE96825BC127B999958A9E91356B1633", "C6D76168198B9EF24D77F1D04BA06E30D33B0C7D71C8457114E69E1A43BB68AD", "C7752951E8085C186BF5D89E852FCD41F36C211BD9364B8CA87F6E4FF8AFF924", "C7AE65EB0D706F20B5B2D3D4E72252697ECA6AA7917A58A2DD40B4293B199DC0", "C86C7381D2D32D7EA62124AD0E4A0FB3506B1210CDCB9EEDF71404F35072FB54", "C8B10EBB1C04E885A0F46598D7359140F659737A3C1249FEE363B6A29D7355AA", "C9594147E388237928595F1CF759F8EC355015BE6AC29A030A2FA3207D9B6DE4", "C976F3FB2440651533AB7414A4F76FC3C66CAF49895BE704575E993E6B5F6D48", "C9910CDDA6BD1803639BE684F9A37EF94B2F22D12A9574F6C8F6A248CF66DAC1", "C9B215C2E990733679984F0C6E86DB20EA1ED143683D79CFE88293360577ED49", "C9D56908C5941D51F8B700D0AEB133B65A72D4A5D3A7FAA2D989A477B71C954D", "C9F19ED2C7A03593AC283C0067CD2FD24938ADA7B16D8ADE6C80795C2BDA0405", "CA8D24C78D501345DB856FF9B53F4B1D8B088BAC6269D5682DAE4D83FBA4E3DC", "CBAD9A5D72D7476363185541BD693344F4EEB28C6708F8A48B2849B3FD618351", "CC714D6CB93526CA67C3B1AF953783F7648CF4A4936616886992C0290C5D5B18", "CD1271F65919F0A27ABAC5D2FB90AF847030089BEFBA36FA40622E14F85284D4", "CD1AEA82D347BCF45C817F297F91F17B63798AE3055B653759D8342B9405F1E0", "CD8271F1E3A620207AA3EAC35F944E1453EFEBC4728A88B9C3D9D0DA7F511F56", "CDA078FD942764EA41F1C78F1E4090E3DC312088E0AA78FD554EB0AF9C8BDD0C", "CEB12B4664C1D9045CE6A2D526284519816A08ABA9E1E6F54060B27C0BB3429D", "CEF20F8B2F76F34D20A1332E089A276B62CD83365A66024B5AB7A6CB1887883E", "CEF23955780B797D3E4DFF7B2586F5C1F6FE284FDC236FD6F838681B4A03628B", 
"CF8080897BA997E374072C563D7B6C6088F56DDA07F407BD98DF25411FE5E09C", "D073E08AD140CB6620590BE3498F8D2736D636AB608813B1FECA6FBC21280451", "D222C68A9F9279A22A6D872628487DC4677D4BD829C33171CED7B9CDFF159C1B", "D25F96BF8FFC89967E930C42C71D7208B95B880B834BD2A42F60151967CC51D1", "D2B2FB96AF0019F5D16504AF39E442889BB4C2D53F4CBF95B8FEF864EC1390C8", "D2D5149393E3685E522A36577BA7E6546613561DF51EBB5EE5CD9ED0441804EB", "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "D4F9AE28EA501CF2A176391E0E920E7B7FC3A2D7D8CE5319FAE6CA44DF5B1E04", "D5006110BB901C8B28332845E7232D26FD36B1609362E9BF8C8B8705EFBF33D5", "D5AA5A836C6CC887766560D5C0DEA7A00ECE08E7210420C4B9BBFF45EA1FF9F6", "D66B903250F05C7E6F628063E46BB788B758ACF5470BDBDCE9A7DDCF98ED3362", "D69CAB0B695FDB3F4A13D03095C9000050A31CA1EEA0F9ED3CBD01DC6FA43F1A", "D70C0CFD2132EBB5AAF3CF53E301E73B5E5845FB7B0FC143B5DBE6CBAF3A884B", "D711E8839F9CEAF79F79AAE8CD01BDCDBF7DCD4C0649106ABCD18E8CADF832B2", "D75C787D719F6B509B47AAA92C0EBBE969DDCD2CD7BAA1800C224FD759790609", "D833E20E555B781CCC2E63B4F1D72EF91246AA6A740DF25F5ACB992A26997A68", "D892DD5C990B614DA948DE68E989E267BD3A28B3A74D493758EE59946ED0A7FB", "D8ADEA08E50DD31A13D004FE5B304A9912C83527BE3756B66F2A397CF3660771", "D9149FF2A022C428AB36BCF4F88460112AF3AF085E6C6FD75CD50D2B242C721F", "D94A48AE9F580A6366D29978F998319ED852FD8F689952FC78B6758E2D5F53F1", "D9F3546932BD432766323A6E9A562D656E3EAC77AAB6EE3AAADFF6008E59BC30", "DA52C8AAC8E49FE83875D8FD83693222E58D6D178EBC1C00B564B8EB59727C9C", "DAB6CB181424781D3CAEADDD031227EAB5B67EECC36B24ACF558ADBC524F2D57", "DABD6B8B6CBB73960C386B67EE3DE8B0C30A20314AB64DAA185068214240C464", "DBEBF5B229C8DE6CB3D8A210AACEF003D3ABB0F69D7078FE103C643B2D8909C5", "DC3F9DC6E60E7791FEC4335A8C7FB9E85C847042EB357C7AEFE055E589B8FF69", "DC6CFA97AFC11ECA8AC903B07B25377D9849F6E270CE2A8494F78E7B651A0389", "DD39895C911A5C66806CAC2BEC6807CD3385FF346B2B24AD293C4587ABBC8D42", "DD5BF5116E5741EB672335643731F4B54ACDBD92F34C019A128C14DD0EF87E44", 
"DDAC6B14B8934B2E6C225A197BD36CA0AC38FD8684F572F5702537FFE8240DAB", "DDBD4BDAEE1412B8C8199BA8BCDE15F2A42D1C2982D2BFF3B062BFCD642CDD23", "DE6FC785FAEA5CDC22FA3DD95C1113BD7CE8E4668A2B0686DFF968822706AA72", "DED899C681C4F01F658F5349E77058BDF8C51E88FADBC17AC63AAD856B4CADE5", "DF4E8F31FE043E3CFA77E41A2F0CE2691BCEBF5ACB3B2A8B13BD91911951419D", "DFBA0A507CBA73A53666A3E5C741F70C7CFC57D7ECE64BB957B938A6262C5882", "E0CAD87D2D58A2FEE5B2191470CEB1BAD189DB6A091A60BC28E6B8904753BA45", "E173DCA0E65F1BC893DFC386A3859828D95897C2E9C3CB8AB66C9F1FCD79D6C7", "E1B7D6427453A97A89D313E5B6D80A1D5816398FEFB18163F49201D6FAD9E0C8", "E1DDF2752E86E32A93B778F4A62DA348D20B60DBDD915C1F9931C70D2553973C", "E1E9EC92F2FB001C2C7B6AF116D3E1F63E360CF61602F853CB4A691D77495BBD", "E25638A7A2F0BFECDF5955E6E54DE8AB27F7391A7AD2B9572BD485B609D9B748", "E298AFAE6C10545EEFE2EDCB1E58ACEB81769C82FC173BB89206A046496B5501", "E339AD68FEF83E1C654B3EA486C97706F998CD0D324C363879653C8B1DA397AF", "E3568DD61685E3822320F8933DF5388035A7B92A8090A0E2FE74EEBAE4E16799", "E3BD856982B27C3FE93EC13A76D5806B5BB18B95DD328F70706B73BE68D790ED", "E4483DF34E757AA349E718966444A52461C215D7119618553F0FE496E455849C", "E65542FCA90363D7C8577C507B17D1281192264CD6153EAD3B4C7E698CCB802B", "E662216536D352189553CACDED94197C05EB014BBDF76DD13702DFEF9445466A", "E733C17408E04FE220509E0551DBC620A986294A215F7DD00365914286AF7F92", "E77EC6F45B7D6E8BB278E220AB25F28DDD520313254120E5AA95ABE42DD9D030", "E8A312ECF86D6A1C6D9722B8D51FDE987A400AF0C6568E0E843C6327878D3511", "E9402FC09A28106AF2485DB38FE701AD9E89189CD8A1924DECD9BC2BFC341007", "EA4BC9A6E1BC28B39AE0C360DA599139777EC05EDFDC5120E91AC3051300D3E7", "EB488D986A623E81C07D5F38DFFA754649938084B72DDAA698DEA6B41BB73C49", "EC68A07B2C3DAE1C815890F259C28E42A77D5A3444423C6A6324A3D881B16265", "EDB34CD93CDAF5921CF795AC72A6405C79962D06DE79535AF74133F2884DA4EB", "EECB46191A50ABE7ADCA847BCC2E56EFA818E34071C0444ED5C1844898B25E4A", "EF2B4F4110ACF96FDC34CF6D7B916C577277400859F5F464947088E0CE635995", 
Advisory FEDORA-2016-d717fdcf74.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92292);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1181\", \"CVE-2016-1182\");\n script_xref(name:\"FEDORA\", value:\"2016-d717fdcf74\");\n\n script_name(english:\"Fedora 24 : struts (2016-d717fdcf74)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-1181, CVE-2016-1182\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-d717fdcf74\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected struts package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:struts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"struts-1.3.10-18.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"struts\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-29T14:12:49", "description": "Security fix for CVE-2016-1181, CVE-2016-1182\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing 
additional issues.", "cvss3": {}, "published": "2016-07-15T00:00:00", "type": "nessus", "title": "Fedora 23 : struts (2016-21bd6a33af)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:struts", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-21BD6A33AF.NASL", "href": "https://www.tenable.com/plugins/nessus/92234", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-21bd6a33af.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92234);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1181\", \"CVE-2016-1182\");\n script_xref(name:\"FEDORA\", value:\"2016-21bd6a33af\");\n\n script_name(english:\"Fedora 23 : struts (2016-21bd6a33af)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-1181, CVE-2016-1182\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-21bd6a33af\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected struts package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:struts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"struts-1.3.10-18.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"struts\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:24:35", "description": "The remote web server hosts struts-examples, a demonstration application for the Struts framework. Input passed via the 'theText' POST parameter to the 'upload-submit.do' page is not properly sanitized before using it to generate dynamic HTML. 
\n\nBy tricking a user into clicking on a specially crafted link, an attacker can exploit this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.", "cvss3": {}, "published": "2012-07-23T00:00:00", "type": "nessus", "title": "Apache Struts struts-examples upload-submit.do 'theText' Parameter XSS", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-1007"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_EXAMPLES_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/60094", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60094);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2012-1007\");\n script_bugtraq_id(51900);\n script_xref(name:\"EDB-ID\", value:\"18452\");\n\n script_name(english:\"Apache Struts struts-examples upload-submit.do 'theText' Parameter XSS\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A remote web application is vulnerable to a cross-site scripting\nattack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server hosts struts-examples, a demonstration\napplication for the Struts framework. Input passed via the 'theText'\nPOST parameter to the 'upload-submit.do' page is not properly\nsanitized before using it to generate dynamic HTML. 
\n\nBy tricking a user into clicking on a specially crafted link, an\nattacker can exploit this to inject arbitrary HTML and script code\ninto a user's browser to be executed within the security context of\nthe affected site.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://secpod.org/blog/?p=450\");\n # http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d16eaf1b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Remove or restrict access to the Struts-examples application.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\n\n# Loop through directories.\ndirs = list_uniq(make_list(\"/struts-examples\",cgi_dirs()));\nif (thorough_tests) \n{\n struts_1x_versions = make_list(\"1.3.10\",\"1.3.8\",\"1.3.5\",\"1.2.9\",\"1.2.8\",\"1.2.7\",\"1.2.4\", \"1.1\", \"1.0.2\");\n\n foreach ver (struts_1x_versions)\n dirs = list_uniq(make_list(dirs, \"/struts-examples-\" + ver));\n}\n\nxss_string = \"<script>alert('\" + SCRIPT_NAME + '_' + rand_str() + \"');</script>\";\n\nattack_page = \"/upload/upload-submit.do?queryParam=Successful\";\nverify_page = \"/upload/upload-submit.do\";\n\nreport_requests = make_list();\nforeach dir (dirs)\n{\n verify_url = dir + verify_page;\n res = http_send_recv3(method:\"GET\", \n port:port, \n item:verify_url, \n exit_on_fail:TRUE);\n if (\n \"upload-submit.do\" >< res[2] && \n \"<title>File Upload Example</title>\" >< res[2]\n )\n {\n bound = \"nessus\";\n boundary = \"--\" + bound;\n postdata = \n boundary + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"theText\"\\r\\n' +\n '\\r\\n' +\n xss_string + '\\r\\n' +\n\n boundary + '\\r\\n' + \n 'Content-Disposition: form-data; name=\"theFile\"; filename=\"\"\\r\\n' +\n 'Content-Type: application/octet-stream\\r\\n' +\n '\\r\\n\\r\\n' +\n\n boundary + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n\\r\\n' +\n boundary + '--\\r\\n';\n\n attack_url = dir + attack_page;\n\n res = http_send_recv3(method:\"POST\", \n port:port, \n item:attack_url, \n content_type: \"multipart/form-data; boundary=\"+bound,\n data:postdata, \n exit_on_fail:TRUE);\n \n if (' ' + xss_string + '<' >< res[2])\n { \n report_requests = 
make_list(report_requests, http_last_sent_request()); \n output = strstr(res[2], xss_string);\n if (!thorough_tests) break;\n } \n }\n}\n\nif (max_index(report_requests) > 0)\n{\n security_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n generic : TRUE,\n line_limit : 5,\n xss : TRUE, # Sets XSS KB key\n request : report_requests,\n output : chomp(output)\n );\n exit(0);\n}\nelse exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:24:36", "description": "The remote web server hosts struts-cookbook, a demonstration application for the Struts framework. Input passed via the 'message' parameter to the 'processSimple.do' page is not properly sanitized before using it to generate dynamic HTML. \n\nBy tricking someone into clicking on a specially crafted link, an attacker may be able exploit this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.", "cvss3": {}, "published": "2012-07-23T00:00:00", "type": "nessus", "title": "Apache Struts struts-cookbook processSimple.do message Parameter XSS", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-1007"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_COOKBOOK_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/60093", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60093);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2012-1007\");\n script_bugtraq_id(51900);\n script_xref(name:\"EDB-ID\", value:\"18452\");\n\n script_name(english:\"Apache Struts struts-cookbook processSimple.do message Parameter XSS\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"A remote web application is vulnerable to a cross-site scripting\nattack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server hosts struts-cookbook, a demonstration\napplication for the Struts framework. Input passed via the 'message'\nparameter to the 'processSimple.do' page is not properly sanitized\nbefore using it to generate dynamic HTML. \n\nBy tricking someone into clicking on a specially crafted link, an\nattacker may be able exploit this to inject arbitrary HTML and script\ncode into a user's browser to be executed within the security context\nof the affected site.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://secpod.org/blog/?p=450\");\n # http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d16eaf1b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Remove or restrict access to the Struts-cookbook application.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\n\n# Loop through directories.\ndirs = list_uniq(make_list(\"/struts-cookbook\", cgi_dirs()));\nif (thorough_tests) \n{\n struts_1x_versions = make_list(\"1.3.10\",\"1.3.8\",\"1.3.5\",\"1.2.9\",\"1.2.8\",\"1.2.7\",\"1.2.4\", \"1.1\", \"1.0.2\");\n\n foreach ver (struts_1x_versions)\n dirs = list_uniq(make_list(dirs, \"/struts-cookbook-\" + ver));\n}\n\nxss_string = \"<script>alert('\" + SCRIPT_NAME + '_' + rand_str() + \"');</script>\";\n\nattack_page = \"/processSimple.do\";\nverify_page = \"/processSimple.do\";\n\nreport_requests = make_list();\nforeach dir (dirs)\n{\n verify_url = dir + verify_page;\n res = http_send_recv3(method:\"GET\", \n port:port, \n item:verify_url, \n exit_on_fail:TRUE);\n\n if (\n \"<title>Simple form using ActionForm</title>\" >< res[2] && \n 'processSimple.do' >< res[2]\n )\n {\n postdata =\n \"name=nessus&\" +\n \"secret=nessus&\" +\n \"message=\" + xss_string;\n \n attack_url = dir + attack_page;\n\n headers = make_array(\"Content-Type\", \"application/x-www-form-urlencoded\");\n\n res = http_send_recv3(method:\"POST\", \n port:port, \n item:attack_url, \n add_headers:headers,\n data:postdata, \n exit_on_fail:TRUE);\n \n if ('>' + xss_string + '<' >< res[2])\n { \n report_requests = make_list(report_requests, http_last_sent_request());\n output = strstr(res[2], xss_string);\n if (!thorough_tests) break;\n } \n }\n}\n\nif (max_index(report_requests) > 0)\n{\n security_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n generic : TRUE,\n line_limit : 5,\n xss : 
TRUE, # Sets XSS KB key\n request : report_requests,\n output : chomp(output)\n );\n exit(0);\n}\nelse exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:55", "description": "The IBM WebSphere Application Server running on the remote host is version 7.0.0.0 through 7.0.0.45, 8.0.0.0 through 8.0.0.15, 8.5.0.x prior to 8.5.5.14, or 9.0.x prior to 9.0.0.8. It is, therefore, affected by an information disclosure vulnerability that allows a remote, authenticated attacker to browse the file system due to improper handling of Administrative Console panel fields. \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-10-27T00:00:00", "type": "nessus", "title": "IBM WebSphere Application Server 7.0.0.x <= 7.0.0.45 / 8.0.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.14 / 9.0.x < 9.0.0.8 Information Disclosure (CVE-2017-1743)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1743"], "modified": "2020-11-30T00:00:00", "cpe": ["cpe:/a:ibm:websphere_application_server"], "id": "WEBSPHERE_304545.NASL", "href": "https://www.tenable.com/plugins/nessus/141920", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141920);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/30\");\n\n script_cve_id(\"CVE-2017-1743\");\n\n script_name(english:\"IBM WebSphere Application Server 7.0.0.x <= 7.0.0.45 / 8.0.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.14 / 9.0.x < 9.0.0.8 Information Disclosure (CVE-2017-1743)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by an information disclosure vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The IBM WebSphere 
Application Server running on the remote host is version 7.0.0.0 through 7.0.0.45, 8.0.0.0 through\n8.0.0.15, 8.5.0.x prior to 8.5.5.14, or 9.0.x prior to 9.0.0.8. It is, therefore, affected by an information disclosure\nvulnerability that allows a remote, authenticated attacker to browse the file system due to improper handling of\nAdministrative Console panel fields. \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.ibm.com/support/pages/node/304545\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM WebSphere Application Server 8.5.5.14, 9.0.0.8, or later. Alternatively, upgrade to the minimal fix pack\nlevels required by the interim fix and then apply Interim Fix PH14004.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-1743\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:websphere_application_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"websphere_detect.nasl\", \"ibm_enum_products.nbin\", \"ibm_websphere_application_server_nix_installed.nbin\");\n script_require_keys(\"installed_sw/IBM WebSphere Application Server\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'IBM WebSphere Application Server';\nfix = 'Interim Fix PH14004';\n\napp_info = vcf::combined_get_app_info(app:app);\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\n# If the detection is only remote, Source will be set, and we should require paranoia\nif (!empty_or_null(app_info['Source']) && app_info['Source'] != 'unknown' && report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\n# PI90009 was the original fix, but it was superseded by PH14004. Accept either as a fix, but if none are present\n# suggest the latest fix.\nif ('PH14004' >< app_info['Fixes'] || 'PI90009' >< app_info['Fixes'])\n audit(AUDIT_INST_VER_NOT_VULN, app);\n\nconstraints = [\n {'min_version':'7.0.0.0', 'max_version':'7.0.0.45', 'fixed_display':fix},\n {'min_version':'8.0.0.0', 'max_version':'8.0.0.15', 'fixed_display':fix},\n {'min_version':'8.5.0.0', 'max_version':'8.5.5.13', 'fixed_display':'8.5.5.14 or ' + fix},\n {'min_version':'9.0.0.0', 'max_version':'9.0.0.7', 'fixed_display':'9.0.0.8 or ' + fix}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-27T14:14:14", "description": "The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. 
(CVE-2012-5783)", "cvss3": {}, "published": "2013-09-04T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : jakarta-commons-httpclient (ALAS-2013-169)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-5783"], "modified": "2018-04-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:jakarta-commons-httpclient", "p-cpe:/a:amazon:linux:jakarta-commons-httpclient-demo", "p-cpe:/a:amazon:linux:jakarta-commons-httpclient-javadoc", "p-cpe:/a:amazon:linux:jakarta-commons-httpclient-manual", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2013-169.NASL", "href": "https://www.tenable.com/plugins/nessus/69728", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2013-169.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69728);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2012-5783\");\n script_xref(name:\"ALAS\", value:\"2013-169\");\n script_xref(name:\"RHSA\", value:\"2013:0270\");\n\n script_name(english:\"Amazon Linux AMI : jakarta-commons-httpclient (ALAS-2013-169)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Jakarta Commons HttpClient component did not verify that the\nserver hostname matched the domain name in the subject's Common Name\n(CN) or subjectAltName field in X.509 certificates. This could allow a\nman-in-the-middle attacker to spoof an SSL server if they had a\ncertificate that was valid for any domain name. 
(CVE-2012-5783)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2013-169.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update jakarta-commons-httpclient' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:jakarta-commons-httpclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:jakarta-commons-httpclient-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:jakarta-commons-httpclient-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:jakarta-commons-httpclient-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if 
(os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"jakarta-commons-httpclient-3.1-12.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"jakarta-commons-httpclient-demo-3.1-12.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"jakarta-commons-httpclient-javadoc-3.1-12.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"jakarta-commons-httpclient-manual-3.1-12.6.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jakarta-commons-httpclient / jakarta-commons-httpclient-demo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "ibm": [{"lastseen": "2023-02-21T05:40:52", "description": "## Summary\n\nThere are multiple vulnerabilities in the GSKit component that is included in the IBM HTTP Server used by WebSphere Application Server. \n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2016-7056](<https://vulners.com/cve/CVE-2016-7056>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by the failure to properly set the BN_FLG_CONSTTIME for nonces when signing with the P-256 elliptic curve by the ecdsa_sign_setup() function. 
An attacker could exploit this vulnerability using a cache-timing attack to recover ECDSA P-256 private keys. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120434> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect the following versions and releases of the IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.\n\n * Version 9.0\n * Version 8.5\n * Version 8.0\n * Version 7.0\n\n## Remediation/Fixes\n\n**NOTE:** After applying the interim fixes or fix pack levels as noted below, please refer to this document <http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html> for information concerning password re-stashing. Because of CVE-2018-1447 it is advised that you re-stash your password after you apply the interim fixes.\n\n**For V9.0.0.0 through 9.0.0.7:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI94222](<http://www-01.ibm.com/support/docview.wss?uid=swg24044861>) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.8 or later.\n\n \n**For V8.5.0.0 through 8.5.5.13:**\n\n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI94222](<http://www-01.ibm.com/support/docview.wss?uid=swg24044861>)\n\n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.14. \n \n \n**For V8.0.0.0 through 8.0.0.14:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI94222](<http://www-01.ibm.com/support/docview.wss?uid=swg24044861>)\n\n \n**For V7.0.0.0 through 7.0.0.43:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI91913_](<http://www-01.ibm.com/support/docview.wss?uid=swg24044636>) \n\\--OR-- \n\u00b7 Apply Fix Pack 7.0.0.45 or later. 
\n \n_WebSphere Application Server V7 and V8 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. _\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-10-29T15:00:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities GSKit bundled with IBM HTTP Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-7056", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2018-10-29T15:00:02", "id": "78B5CDD949B0594AC0F181656CB6536E0B075D4B064576C915C9BFAF10028314", "href": "https://www.ibm.com/support/pages/node/569301", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T21:47:15", "description": "## Summary\n\nThere are multiple security vulnerabilities in the GSKit used by Edge Caching proxy of WebSphere Application Server. \nThis is a separate install from WebSphere Application Server. You only need to apply this if you use the Edge Caching Proxy. 
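The bulletins above describe CVE-2018-1447 as the KDB password hash "failing to salt", and the IBM HTTP Server bulletin tells administrators to re-stash the password after patching. The following is an added example, not IBM or GSKit code, that shows why those two things go together. The KDB and stash file formats are not modelled; plain SHA-256 and PBKDF2-HMAC-SHA256 with a random per-store salt are hypothetical stand-ins for the unsalted and salted schemes, and the wordlist is constructed for the demonstration.

```python
# Added example, not IBM or GSKit code. Models the property CVE-2018-1447
# describes: a password hashed without a salt yields the same digest in every
# key database and can be cracked with one precomputed table. The two schemes
# are hypothetical stand-ins (plain SHA-256 vs. PBKDF2-HMAC-SHA256 with a
# random per-store salt); the real KDB/stash format is not modelled.
import hashlib
import hmac
import os

# Constructed candidate list, standing in for a cracker's wordlist.
WORDLIST = ["password", "Passw0rd", "summer2018", "ihsadmin", "websphere"]


def unsalted_store(password: str) -> dict:
    """Pre-fix style: the digest depends on the password alone."""
    return {"scheme": "sha256",
            "digest": hashlib.sha256(password.encode()).hexdigest()}


def salted_store(password: str, iterations: int = 100_000) -> dict:
    """Post-fix style: fresh random salt per store, slow KDF per guess."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2", "salt": salt.hex(),
            "iterations": iterations, "digest": digest.hex()}


def verify(store: dict, password: str) -> bool:
    """Recompute under the store's own scheme and compare in constant time."""
    if store["scheme"] == "sha256":
        cand = hashlib.sha256(password.encode()).hexdigest()
    else:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(store["salt"]),
                                   store["iterations"]).hex()
    return hmac.compare_digest(cand, store["digest"])


def precomputed_table(words) -> dict:
    """Hash every candidate once. Without a salt this table is reusable
    against every key database ever created, which is the whole weakness."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def crack_unsalted(stores, table) -> list:
    """One dictionary lookup per store, no hashing at all."""
    return [table.get(s["digest"]) for s in stores]


def crack_salted(store, words):
    """With a salt there is no shortcut: each guess is a full KDF run against
    this one store, and all of that work is repeated for the next store."""
    for w in words:
        if verify(store, w):
            return w
    return None


def restash(known_password: str) -> dict:
    """What the bulletin's re-stash advice amounts to: patched code cannot
    retroactively salt an existing digest, so the administrator re-enters
    the password and the stored value is replaced under the salted scheme."""
    return salted_store(known_password)
```

Two unsalted stores holding the same password are recognisable as such from their digests alone, and one table built from the wordlist cracks both; the salted stores differ from each other, are absent from the table, and cost a full KDF pass per guess per store. Patching alone does not change a digest already on disk, which is why the existing password has to be re-stashed.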
\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) contains several environment variables that a local attacker could overflow and cause a denial of service. IBM X-Force ID: 139072. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. IBM X-Force ID: 139071. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect the Edge Caching Proxy (separate install) shipped with the following versions and releases of IBM WebSphere Application Server:\n\n * Version 9.0\n * Version 8.5\n * Version 8.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. 
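CVE-2018-1426 in the bulletin above is described as the PRNG state being "duplicated across fork()" with duplicate session IDs as the consequence. The following added example, which is not GSKit or ICC code, shows that failure mode with a toy userspace generator and two ways out of it: an explicit reseed in the child, and a generator that notices it is running in a new process. The SHA-256 counter construction is a hypothetical stand-in for the real DRBG, the "multiple ICC instances" condition is not modelled, and the script needs a POSIX system because it calls `os.fork()`.

```python
# Added example, not GSKit or ICC code. Demonstrates the failure mode in
# CVE-2018-1426: a userspace DRBG whose state lives in process memory is
# duplicated by fork(), so parent and child emit the same "random" session ID
# unless the child reseeds. The DRBG is a hypothetical SHA-256 counter
# construction; the "multiple ICC instances" condition is not modelled.
# Requires os.fork(), i.e. a POSIX system.
import hashlib
import os


class CounterDrbg:
    """Toy generator: output block i = SHA-256(key || i)."""

    def __init__(self, seed: bytes):
        self.key = seed
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return bytes(out[:n])

    def reseed_after_fork(self) -> None:
        """Fold fresh OS entropy and the new pid into the key so the child
        diverges from the parent even though both started from one state."""
        self.key = hashlib.sha256(
            self.key + os.urandom(32) + os.getpid().to_bytes(8, "big")).digest()
        self.counter = 0


class PidCheckingDrbg(CounterDrbg):
    """Hardened variant: remembers the pid it was seeded in and reseeds
    itself on first use in any other process, so callers that forget to
    reseed after fork() are still protected. (A pid check alone can be
    fooled by pid reuse; real libraries add a fork counter or an OS hook.)"""

    def __init__(self, seed: bytes):
        super().__init__(seed)
        self.pid = os.getpid()

    def random_bytes(self, n: int) -> bytes:
        if os.getpid() != self.pid:
            self.reseed_after_fork()
            self.pid = os.getpid()
        return super().random_bytes(n)


def session_ids_after_fork(drbg: CounterDrbg, reseed_child: bool) -> tuple:
    """fork(), draw a 32-byte session ID in parent and child, return both."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                  # child
        os.close(rfd)
        if reseed_child:
            drbg.reseed_after_fork()
        os.write(wfd, drbg.random_bytes(32))
        os.close(wfd)
        os._exit(0)                               # never return into caller's code
    os.close(wfd)                                 # parent
    child_id = b""
    while True:
        chunk = os.read(rfd, 64)
        if not chunk:
            break
        child_id += chunk
    os.close(rfd)
    os.waitpid(pid, 0)
    parent_id = drbg.random_bytes(32)
    return parent_id, child_id


def duplicated(drbg: CounterDrbg, reseed_child: bool = False) -> bool:
    """True when parent and child produced the identical session ID."""
    parent_id, child_id = session_ids_after_fork(drbg, reseed_child)
    return parent_id == child_id


if __name__ == "__main__":
    seed = os.urandom(32)
    print("naive DRBG, no reseed     -> duplicate:", duplicated(CounterDrbg(seed)))
    print("naive DRBG, child reseeds -> duplicate:", duplicated(CounterDrbg(seed), True))
    print("pid-checking DRBG         -> duplicate:", duplicated(PidCheckingDrbg(seed)))
```

The naive generator hands the parent and the child the same 32 bytes because the counter and key are byte-for-byte identical in both address spaces after the fork; anything derived from them later (a TLS session ID, a nonce, a key) collides too. Reseeding in the child fixes that for callers who remember to do it; the pid-checking variant moves the responsibility into the generator, which is the safer place for it in a library loaded by code that may fork without telling it.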
\n \n**_Fix:_** \nApply an Interim Fix, Fix Pack or PTF containing APAR PH00635 if you use the Edge Caching Proxy component (separate install from WebSphere Application Server) as noted below: \n \n**For IBM WebSphere Application Server** \n**For V9.0.0.0 through 9.0.0.8:**\n\n * Upgrade to 9.0.0.7 or 9.0.0.8 fix pack level and then apply Interim Fix [9.0.8-WS-EDGECP-FP00000081.zip](<http://download4.boulder.ibm.com/sar/CMA/WSA/07v6h/2/9.0.8-WS-EDGECP-FP00000081.zip>)\n\n\\-- OR\n\n * Apply Fix Pack 9 (9.0.0.9), or later.\n\n**For V8.5.0.0 through 8.5.5.14:**\n\n * Upgrade to 8.5.5.13 or 8.5.5.14 fix pack level and then apply Interim Fix [8.5.5-WS-EDGECP-FP000000141.zip](<http://download4.boulder.ibm.com/sar/CMA/WSA/07v6i/1/8.5.5-WS-EDGECP-FP000000141.zip>)\n\n\\-- OR\n\n * Apply Fix Pack 15 (8.5.5.15), or later (targeted availability 1Q2019).\n\n**For V8.0.0.0 through 8.0.0.15:**\n\n * Upgrade to 8.0.0.15 fix pack level and then apply Interim Fix [8.0.0-WS-EDGECP-FP000000151.zip](<http://download4.boulder.ibm.com/sar/CMA/WSA/07v6j/2/8.0.0-WS-EDGECP-FP000000151.zip>)\n\n_WebSphere Application Server V8 is no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. 
_\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-01T20:10:01", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities in GSKit used by Edge Caching proxy of WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2018-10-01T20:10:01", "id": "DA52C8AAC8E49FE83875D8FD83693222E58D6D178EBC1C00B564B8EB59727C9C", "href": "https://www.ibm.com/support/pages/node/732391", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:43:31", "description": "## Summary\n\nIBM HTTP Server is used by IBM Netezza Performance Portal. IBM Netezza Performance Portal has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. 
An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Netezza Performance Portal 1.0-2.1.1.7\n\n## Remediation/Fixes\n\nTo resolve the CVEs reported above for IBM HTTP Server on Netezza Performance Portal, update to the following IBM Netezza Performance Portal release:\n\nProduct | VRMF | Remediation / First Fix \n---|---|--- \nIBM Netezza Performance Portal | 2.1.1.8 | _[Link to Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FNetezza+Applications&release=PERFPORTAL_2.1&platform=All&function=fixId&fixids=2.1.1.8-IM-Netezza-PERFPORTAL-fp122059>)_ \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-10-18T03:36:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affects Netezza Performance Portal", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2016-0702", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2019-10-18T03:36:34", "id": "06FAF3AD79C8BAC8455C602C3F4C354C0CD9450DE060FB4D831ED000993782B4", "href": "https://www.ibm.com/support/pages/node/718249", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-22T01:47:10", "description": "## Summary\n\nThere are multiple security vulnerabilities in IBM\u00ae GSKit version 8. \nGSKit is used by IBM Rational Directory Server (Tivoli). \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s) | Affected Supporting Product(s) and Version(s) \n---|--- \nRational Directory Server (Tivoli) v5.2.1 | Tivoli Directory Server 6.3, \nSecurity Directory Server 6.4 \n \n## Remediation/Fixes\n\nConsult the security bulletin [Security Bulletin: IBM Security Directory Server is affected by multiple vulnerabilities in GSKit](<https://www-01.ibm.com/support/docview.wss?uid=ibm10718847>) for vulnerability details and information about fixes.\n\n_For versions of Rational Directory Server that are earlier than version 5.2.1, and Rational Directory Administrator versions earlier than 6.0.0.2, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, 
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-01-28T20:20:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM GSKit affect Rational Directory Server (Tivoli)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2019-01-28T20:20:01", "id": "7B815188E16C52B322DD4246EBAB0FC7BA3EDE14D3D566E6B024A1EA3CA43349", "href": "https://www.ibm.com/support/pages/node/794839", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T21:44:33", "description": "## Summary\n\nIBM Security Directory Server has addressed the following vulnerabilities caused by issues in GSKit.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected IBM Security Directory Server | Affected SDS Versions | Affected GSKit Versions \n---|---|--- \nIBM Tivoli Directory Server | 6.2 - 6.2.0.55, 6.3 - 6.3.0.48 | 7.0.5.14 and lower \nIBM Security Directory Server | 6.3.1 - 6.3.1.23, 6.4 - 6.4.0.15 | 8.0.50.85 and lower \n \n## Remediation/Fixes\n\nAffected IBM Security Directory Server | VRMF | Updated GSKit Version | Remediation \n---|---|---|--- \nIBM Tivoli Directory Server | 6.2 - 6.2.0.55 | 7.0.5.15 | [6.2.0.56-ISS-ITDS-IF0056 ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.2.0.56&platform=All&function=all>) \nIBM Tivoli Directory Server | 6.3 - 6.3.0.48 | 8.0.50.89 | [6.3.0.49-ISS-ITDS-IF0049](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.3.0.49&platform=All&function=all>) \nIBM Security Directory Server | 6.3.1 - 6.3.1.23 | 8.0.50.89 | [6.3.1.24-ISS-ISDS-IF0024 ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.3.1.24&platform=All&function=all>) \nIBM Security Directory Server | 6.4 - 6.4.0.15 | 8.0.50.89 | [6.4.0.16-ISS-ISDS-IF0016 ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.4.0.16&platform=All&function=all>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-02-15T07:50:01", "type": "ibm", "title": "Security Bulletin: IBM Security Directory Server is affected by multiple vulnerabilities in GSKit", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2019-02-15T07:50:01", "id": "B61307CAECBB5590BF8837472BAB9C85B9153B31B334257C484DD1ADD641B9ED", "href": "https://www.ibm.com/support/pages/node/718847", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-22T01:48:27", "description": "## Summary\n\nVulnerabilities exist in Apache Struts and Apache Commons, which are used by WebSphere Application Server UDDI. They apply only if you have deployed the optional UDDI application. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-0114_](<https://vulners.com/cve/CVE-2014-0114>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/92889_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [_CVE-2012-1007_](<https://vulners.com/cve/CVE-2012-1007>) \n**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the upload-submit.do, processSimple.do and struts-cookbook/processDyna.do scripts. A remote attacker could exploit this vulnerability using the name or message parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/73052_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73052>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly restrict the Validator configuration in ActionServlet.java. An attacker could exploit this vulnerability to modify validation rules and error messages. 
\nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nTivoli Integrated Portal version 2.1.0 - 2.1.0.5\n\nTivoli Integrated Portal version 2.2.0.0 - 2.2.0.19\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version | Affected Supporting Product Security Bulletin \n---|---|--- \nTivoli Integrated Portal version 2.1.0 - 2.1.0.5, 2.2.0 - 2.2.0.19 | embedded Websphere Application Server version 7.0.x | [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) \n \nThe Websphere security bulletin above provides a link to the required iFix to remediate the vulnerability. However, the iFix requires eWAS 7.0.0.31 or higher to be installed. \n \nTIP does not support upgrading the Websphere fix pack independently. TIP 2.2.0.15, TIP 2.2.0.17 or TIP 2.2.0.19 must be applied, which will upgrade eWAS to 7.0.0.31 or above. 
Once TIP FP has been applied, the Websphere iFix can be applied as described in the Websphere bulletin.\n\n## Workarounds and Mitigations\n\nPlease refer to WAS iFix as described above\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-11-28T11:50:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI shipped with Tivoli Integrated Portal", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-11-28T11:50:02", "id": "E31CD1CAA68AD6659A7C459337F50C896A6D30B1CC25BEF6FC361000F2ACE0D4", "href": "https://www.ibm.com/support/pages/node/741905", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-13T01:33:44", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Tivoli Security Policy Manager (TSPM). 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Product Version**\n\n| \n\n**WebSphere Version** \n \n---|--- \n \nTSPM 7.1\n\n| \n\nWAS v7.0 \n \nRTSS 7.1\n\n| \n\nWAS v7.0, v8.0 \n \n**Note: **TSPM is comprised of TSPM and Runtime Security Services (RTSS)\n\n## ", "cvss3": {}, "published": "2018-07-23T06:08:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2014-0114, CVE-2016-1181, CVE-2016-1182, CVE-2012-1007)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-07-23T06:08:09", "id": "A49F8E92510CDD96D8127764BC310529CF44A60596DB14352FF329575652A707", "href": "https://www.ibm.com/support/pages/node/717511", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T21:34:27", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. 
Information about multiple security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation Application Manager 4.1.0.0 \u2013 4.1.0.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager.\n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version\n\n| \n\nAffected Supporting Product Security Bulletin \n \n---|---|--- \n \nIBM Tivoli System Automation Application Manager 4.1\n\n| \n\nWebSphere Application Server 8.5\n\n| \n\n[Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2023-01-17T17:35:00", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2014-0114, CVE-2012-1007, CVE-2016-1182, CVE-2016-1181)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2023-01-17T17:35:00", "id": "39D4A3024CD82E0AB1412C8F0B7DE6C9C896CC59E99FBAB7A5A61175586A3211", "href": "https://www.ibm.com/support/pages/node/719303", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T21:44:29", "description": "## Summary\n\nVulnerabilities exist in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI. These only exist if you have deployed the optional UDDI application. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-0114_](<https://vulners.com/cve/CVE-2014-0114>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/92889_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [_CVE-2012-1007_](<https://vulners.com/cve/CVE-2012-1007>) \n**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the upload-submit.do, processSimple.do and struts-cookbook/processDyna.do scripts. A remote attacker could exploit this vulnerability using the name or message parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/73052_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73052>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly restrict the Validator configuration in ActionServlet.java. An attacker could exploit this vulnerability to modify validation rules and error messages. 
\nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server traditional using the optional UDDI.ear. \n\n * Version 9.0\n * Version 8.5\n * Version 8.0\n * Version 7.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI97162 if you are using the optional UDDI.ear for each named product as soon as practical. 
\n \n**For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:** \n**For V9.0.0.0 through 9.0.0.8:** \n\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply Interim Fix [PI97162](<http://www-01.ibm.com/support/docview.wss?uid=swg24044995>) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.9 or later. \n \n**For V8.5.0.0 through 8.5.5.13:** \n\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply Interim Fix [PI97162](<http://www-01.ibm.com/support/docview.wss?uid=swg24044993>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.14 or later. 
\n\n**For V8.0.0.0 through 8.0.0.15:** \n\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply Interim Fix [PI97162](<http://www-01.ibm.com/support/docview.wss?uid=swg24044993>)\n\n**For V7.0.0.0 through 7.0.0.45:** \n\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply Interim Fix [PI97162](<http://www-01.ibm.com/support/docview.wss?uid=swg24044993>)\n\n \n \n_WebSphere Application Server V7 and V8 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. _\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2019-02-19T17:50:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2019-02-19T17:50:01", "id": 
"615E4369D0B07E7BA358AF447BD05A3ACC0720A255109ADB57E2A2080DB3607A", "href": "https://www.ibm.com/support/pages/node/711865", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:45:32", "description": "## Summary\n\nVulnerabilities exist in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI. These only exist if you have deployed the optional UDDI application. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-0114_](<https://vulners.com/cve/CVE-2014-0114>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/92889_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [_CVE-2012-1007_](<https://vulners.com/cve/CVE-2012-1007>) \n**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the upload-submit.do, processSimple.do and struts-cookbook/processDyna.do scripts. A remote attacker could exploit this vulnerability using the name or message parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/73052_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73052>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly restrict the Validator configuration in ActionServlet.java. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nJazz for Service Management version 1.1.0 - 1.1.3\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version | Affected Supporting Product Security Bulletin \n---|---|--- \nJazz for Service Management version 1.1.0 - 1.1.3 | Websphere Application Server Full Profile 8.5.5 | \n\n# [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS iFix\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-11-28T11:00:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI shipped with Jazz for Service Management", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-11-28T11:00:02", "id": "88E396C29AABC664ACC3D5B0A3797EDDA0587772D5D9F452A2E356E7CC5BCD5D", "href": "https://www.ibm.com/support/pages/node/741907", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-13T09:35:19", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www.ibm.com/support/docview.wss?uid=swg22016214>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \nIBM Case Manager 5.1.1 \nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1 \nIBM Case Manager 5.3.0 \nIBM Case Manager 5.3.1 \nIBM Case Manager 5.3.2 \nIBM Case Manager 5.3.3 | IBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 8.5 \nIBM WebSphere Application Server 9.0 \n \n## ", "cvss3": {}, "published": "2018-07-10T22:09:09", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2014-0114, CVE-2016-1181, CVE-2016-1182, CVE-2012-1007)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-07-10T22:09:09", "id": "68E7DB3D7E398B2706226213F9B1A94ACD374A065EE9538BCE2CF140B065CB08", "href": 
"https://www.ibm.com/support/pages/node/713521", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-27T21:50:37", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) | WebSphere Application Server Version \n---|---|--- \nIBM Security Key Lifecycle Manager | 4.0 | 9.0.5 \nIBM Security Key Lifecycle Manager | 3.0.1 | 9.0.0.5 \nIBM Security Key Lifecycle Manager | 3.0 | 9.0.0.5 \nIBM Security Key Lifecycle Manager | 2.7 | 9.0.0.1 \n \n## Remediation/Fixes\n\nPlease consult the following bulletins: \n\n[Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<https://www.ibm.com/support/pages/security-bulletin-potential-vulnerability-websphere-application-server-cve-2015-0899> \"Security Bulletin: Potential vulnerability in WebSphere Application Server \\(CVE-2015-0899\\)\" ) \n[Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server CVE-2014-0114](<https://www.ibm.com/support/pages/security-bulletin-classloader-manipulation-vulnerability-ibm-websphere-application-server-cve-2014-0114> \"Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server CVE-2014-0114\" ) \n[Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-apache-struts-affects-ibm-websphere-application-server-cve-2016-1181-and-cve-2016-1182> \"Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server \\(CVE-2016-1181 and 
CVE-2016-1182\\)\" )\n\nfor vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-09-26T18:24:35", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2015-0899, CVE-2014-0114, CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2020-09-26T18:24:35", "id": "EB488D986A623E81C07D5F38DFFA754649938084B72DDAA698DEA6B41BB73C49", "href": "https://www.ibm.com/support/pages/node/6338461", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-11T15:13:38", "description": "## Summary\n\nMultiple vulnerabilities in WebSphere Application Server traditional bundled with IBM Jazz Team Server based Applications affect the following products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), 
Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM) and Rational Software Architect Design Manager (RSA DM).\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-0899](<https://vulners.com/cve/CVE-2015-0899>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101770> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2014-0114_](<https://vulners.com/cve/CVE-2014-0114>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/92889_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [_CVE-2012-1007_](<https://vulners.com/cve/CVE-2012-1007>) \n**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the upload-submit.do, processSimple.do and struts-cookbook/processDyna.do scripts. 
A remote attacker could exploit this vulnerability using the name or message parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/73052_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73052>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly restrict the Validator configuration in ActionServlet.java. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2012-5783_ ](<https://vulners.com/cve/CVE-2012-5783>) \n**DESCRIPTION:** Apache Commons HttpClient, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/79984_ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/79984>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2018-1614_ ](<https://vulners.com/cve/CVE-2018-1614>) \n**DESCRIPTION:** IBM WebSphere Application Server using malformed SAML responses from the SAML identity provider could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/144270_ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/144270>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1621_ ](<https://vulners.com/cve/CVE-2018-1621>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow a local attacker to obtain clear text password in a trace file caused by improper handling of some datasource custom properties. \nCVSS Base Score: 4.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/144346_ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/144346>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 5.0 - 6.0.6 \n \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 - 6.0.6 \n \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 - 6.0.6 \n \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 - 6.0.6 \n \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 - 6.0.6 \n \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 - 6.0.6 \n \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0 - 6.0.1\n\n## Remediation/Fixes\n\nThe IBM Jazz Team Server based Applications bundle different versions of IBM WebSphere Application Server with the available versions of the products, and in addition to the bundled version some previous versions of WAS are also supported. 
For remediation, follow the appropriate WAS security bulletin.\n\nFor vulnerability details, affected versions, remediation and fixes, review the Security Bulletins:\n\n * [Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<http://www.ibm.com/support/docview.wss?uid=swg22015348>)\n * [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www.ibm.com/support/docview.wss?uid=swg22016214>)\n * [Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server (CVE-2012-5783)](<http://www.ibm.com/support/docview.wss?uid=swg22016216>)\n * [Security Bulletin: Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)](<http://www.ibm.com/support/docview.wss?uid=swg22016887>)\n * [Security Bulletin: Information Disclosure in WebSphere Application Server (CVE-2018-1621)](<http://www.ibm.com/support/docview.wss?uid=swg22016821>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Rational products based on IBM Jazz technology", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1007", "CVE-2012-5783", "CVE-2014-0114", "CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182", "CVE-2018-1614", "CVE-2018-1621"], "modified": "2021-04-28T18:35:50", "id": "3D8540513E9389E52505EF4CCF99C1FC5DC8928BFA49128170D48087D1264725", "href": "https://www.ibm.com/support/pages/node/717509", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:44:02", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Tivoli Storage Manager FastBack. IBM Tivoli Storage Manager FastBack has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n** \nCVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n** \nCVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n\n## Affected Products and Versions\n\nIBM Tivoli Storage Manager FastBack versions 6.1.0.0 through 6.1.12.4 are affected.\n\n## Remediation/Fixes\n\n**_Tivoli Storage Manager FastBack Release_**\n\n| **_First \nFixing \nVRM Level_**| **_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n6.1| 6.1.12.5| Windows| [https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Tivoli+Storage+Manager+FastBack&fixids=6.1.12.5-TIV-TSMFB-FP001&source=SAR&function=fixId&parent=ibm/Tivoli](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Tivoli+Storage+Manager+FastBack&fixids=6.1.12.5-TIV-TSMFB-FP001&source=SAR&function=fixId&parent=ibm/Tivoli>) \n \n\n\nCustomers on older versions of the product should upgrade to a fixed supported level.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:54", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Tivoli Storage Manager FastBack", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:54", "id": "5641564DE1A4B9249AC0EED2F265EE204961C428F093EC99321D93DA0AA23C3E", "href": "https://www.ibm.com/support/pages/node/569543", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:46:30", "description": "## Summary\n\nIBM Security Access Manager has addressed these vulnerabilities. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n#### **CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**Software releases**\n\n**Affected product**\n\n| \n\n**Affected Versions** \n \n---|--- \nIBM Security Access Manager (software) | 7.0-7.0.0.34 \n \n \n**Appliance releases**\n\n**Affected IBM Security Access Manager Appliance**\n\n| \n\n**Affected Versions** \n \n---|--- \nIBM Security Access Manager for Web | 7.0-7.0.0.34 \nIBM Security Access Manager for Web | 8.0-8.0.1.7 \nIBM Security Access Manager for Mobile | 8.0-8.0.1.7 \nIBM Security Access Manager | 9.0.0.0 - 9.0.4.0 \n \n## Remediation/Fixes\n\nThe table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch. \n\n\n**Product** | **VRMF** | **APAR** | **Remediation** \n---|---|---|--- \nIBM Security Access Manager for Web (software) | 7.0 - 7.0.0.34 (software) | IJ06612 / IJ07064 / IJ07965 | Apply Interim Fix 35: \n[7.0.0-ISS-SAM-IF0035](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=All&function=all>) \nIBM Security Access Manager for Web (appliance) | 7.0 - 7.0.0.34 (appliance) | IJ06612 / IJ07965 / IJ07064 | Apply Interim Fix 35: \n[7.0.0-ISS-WGA-IF0035](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0&platform=All&function=all>) \nIBM Security Access Manager for Web (appliance) | 8.0 - 8.0.1.7 | IJ06588 / IJ07004 | Upgrade to 8.0.1.8: 
\n[_8.0.1-ISS-WGA-FP0008_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0.1.3&platform=All&function=all>) \nIBM Security Access Manager for Mobile (appliance) | 8.0 - 8.0.1.7 | IJ06609 / IJ07005 | Upgrade to 8.0.1.8: \n[_8.0.1-ISS-ISAM-FP0008_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Security+Access+Manager+for+Mobile&release=8.0&platform=Linux&function=all>) \nIBM Security Access Manager (appliance) | 9.0 - 9.0.4.0 | IJ06588 / IJ07004 | Upgrade to 9.0.5.0: \n[9.0.5-ISS-ISAM-FP0000](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=9.0.0.0&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-24T16:00:01", "type": "ibm", "title": "Security Bulletin: IBM Security Access Manager is affected by multiple vulnerabilities in GSKit", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-10-24T16:00:01", "id": "C7752951E8085C186BF5D89E852FCD41F36C211BD9364B8CA87F6E4FF8AFF924", "href": "https://www.ibm.com/support/pages/node/715277", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:41:30", "description": "## Summary\n\nDb2 is affected by multiple vulnerabilities in the GSKit library.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. 
An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAll fix pack levels of IBM Db2 V9.7, V10.1, V10.5, and V11.1 editions on all platforms are affected.\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the appropriate fix for this vulnerability. 
\n \n**FIX:** \n \nThe fix for DB2 V11.1 is in V11.1.3 FP3, available for download from [Fix Central](<https://www-01.ibm.com/support/docview.wss?uid=swg24044630>). \n \nCustomers running any vulnerable fixpack level of an affected Program, V9.7, V10.1, and V10.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: DB2 V9.7 FP11, V10.1 FP6, and V10.5 FP9. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. \n\n\n**Release** | **Fixed in fix pack** | **APAR** | **Download URL** \n---|---|---|--- \nV9.7 | TBD | [IT24060](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT24060>) | Special Build for V9.7 FP11: \n\n[AIX 64-bit](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-aix64-universal_fixpack-9.7.0.11-FP011%3A342430609765551296&includeSupersedes=0>) \n[HP-UX 64-bit](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-hpipf64-universal_fixpack-9.7.0.11-FP011%3A647468550017045760&includeSupersedes=0>) \n[Linux 32-bit, x86-32](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-linuxia32-universal_fixpack-9.7.0.11-FP011%3A100802993476380880&includeSupersedes=0>) \n[Linux 64-bit, x86-64 
](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-linuxx64-universal_fixpack-9.7.0.11-FP011%3A846014147085173504&includeSupersedes=0>) \n[Linux 64-bit, POWER\u2122 big endian](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-linuxppc64-universal_fixpack-9.7.0.11-FP011%3A210757668673804416&includeSupersedes=0>) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-linux390x64-universal_fixpack-9.7.0.11-FP011%3A776704555879687168&includeSupersedes=0>) \n[Solaris 64-bit, SPARC](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-sun64-universal_fixpack-9.7.0.11-FP011%3A266307692735048160&includeSupersedes=0>) \n[Solaris 64-bit, x86-64 ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-sunamd64-universal_fixpack-9.7.0.11-FP011%3A962344119922453248&includeSupersedes=0>) \n[Windows 32-bit, x86](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-nt32-universal_fixpack-9.7.1100.352-FP011%3A963026636921819392&includeSupersedes=0>) \n[Windows 64-bit, 
x86](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37314_DB2-ntx64-universal_fixpack-9.7.1100.352-FP011%3A752185724875373440&includeSupersedes=0>) \n \nV10.1 | TBD | [IT24061](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT24061>) | Special Build for V10.1 FP6: \n\n[AIX 64-bit](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-aix64-universal_fixpack-10.1.0.6-FP006%3A443466106958785728&includeSupersedes=0>) \n[HP-UX 64-bit](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-hpipf64-universal_fixpack-10.1.0.6-FP006%3A250032157453062944&includeSupersedes=0>) \n[Linux 32-bit, x86-32](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-linuxia32-universal_fixpack-10.1.0.6-FP006%3A256262794475707328&includeSupersedes=0>) \n[Linux 64-bit, x86-64 ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-linuxx64-universal_fixpack-10.1.0.6-FP006%3A135750620039121520&includeSupersedes=0>) \n[Linux 64-bit, POWER\u2122 big endian](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-linuxppc64-universal_fixpack-10.1.0.6-FP006%3A459172922007315328&includeSupersedes=0>) \n[Linux 64-bit, System z\u00ae, System 
z9\u00ae or zSeries\u00ae](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-linux390x64-universal_fixpack-10.1.0.6-FP006%3A612113355309593216&includeSupersedes=0>) \n[Solaris 64-bit, SPARC](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-sun64-universal_fixpack-10.1.0.6-FP006%3A638512873974999424&includeSupersedes=0>) \n[Solaris 64-bit, x86-64 ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-sunamd64-universal_fixpack-10.1.0.6-FP006%3A424428187597334144&includeSupersedes=0>) \n[Windows 32-bit, x86](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-nt32-universal_fixpack-10.1.600.580-FP006%3A279857245880667744&includeSupersedes=0>) \n[Windows 64-bit, x86](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_37313_DB2-ntx64-universal_fixpack-10.1.600.580-FP006%3A160886734969399104&includeSupersedes=0>) \n \nV10.5 | FP10 | [IT24058](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT24058>) | <https://www-01.ibm.com/support/docview.wss?uid=swg24045012> \nV11.1.3 | FP3 | [IT24059](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT24059>) | <https://www-01.ibm.com/support/docview.wss?uid=swg24044630> \n \n \n_For customers running IBM data __server client and driver types_ \n \nUpgrading of GSKit is required if either of the following 
applies to you:\n\n * IBM data server client and driver types for V9.7, V10.1 level and any V10.5 level before fixpack 5.\n * IBM data server client and driver types for V10.5 fixpack 5 or later and have additionally installed GSKit.\n * Where to obtain the GSKit depends on the DB2 release and platform:\n\n * IBM data server client and driver types V10.5 fix pack 5 on Inspur or Linux 64-bit POWER\u2122 little endian on Power System, please contact customer support to obtain the \"IBM DB2 Support Files for SSL Functionality\".\n * IBM data server client and driver types V9.7, V10.1 level and any V10.5 level before fixpack 5: \n * _Client and the server are on the same physical computer_: For the Windows platform, you do not need to upgrade the GSKit as GSKit is automatically installed with the DB2 server image. For all other platforms, you will need to download \"IBM DB2 Support Files for SSL Functionality\" from IBM Passport Advantage\u00ae.\n * _Client and the server are on different computer_: For all platforms, download \"IBM DB2 Support Files for SSL Functionality\" from IBM Passport Advantage\u00ae and perform the GSKit upgrade.\n * Refer to the following chart below for the proper version of GSKit\n\n**Release** | **GSkit Version** \n---|--- \nV9.7 | V8.0.50.86 \nV10.1 | V8.0.50.86 \nV10.5 | V8.0.50.86 \nV11.1 | V8.0.50.86 \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-11T19:03:44", "type": "ibm", "title": "Security Bulletin: IBM\u00ae Db2\u00ae is affected by multiple vulnerabilities in the GSKit library", 
"bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-07-11T19:03:44", "id": "3D737E91C4B3785D05EA6B518DF81A98A3D897F7446C9E2969F3A9E22A7F3BF4", "href": "https://www.ibm.com/support/pages/node/304801", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:38:57", "description": "## Summary\n\nIBM SPSS Statistics has addressed the following vulnerabilities. \n\n## Vulnerability Details\n\n**CVEID: **[_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION: **OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n** \n****CVEID: **[_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. 
An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n** \nCVEID: **[_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n** \nCVEID: **[_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n** \nCVEID: **[_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION: **IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected IBM SPSS Statistics\n\n| \n\nAffected Versions \n \n---|--- \nSPSS Statistics| 21.0.0.2 \nSPSS Statistics| 22.0.0.2 \nSPSS Statistics| 23.0.0.3 \nSPSS Statistics| 24.0.0.2 \nSPSS Statistics| 25.0.0.1 \n** \n**\n\n## Remediation/Fixes\n\nProduct\n\n| \n\nVRMF\n\n| \n\nAPAR\n\n| \n\nRemediation / First Fix \n \n---|---|---|--- \nSPSS Statistics| 21.0.0.2| None| Install [_Statistics 21 FP002 IF016_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=21.0.0.2&platform=All&function=fixId&fixids=21.0-IM-S21STAT-ALL-FP002-IF016&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nSPSS Statistics| 22.0.0.2| None| Install [_Statistics 22 FP002 IF017_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=22.0.0.2&platform=All&function=fixId&fixids=22.0-IM-S22STAT-ALL-FP002-IF017&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nSPSS Statistics| 23.0.0.3| None| Install [_Statistics 23 FP003 IF013_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.3&platform=All&function=fixId&fixids=23.0-IM-S23STAT-ALL-FP003-IF013&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nSPSS Statistics| 24.0.0.2| None| Install [_Statistics 24 FP002 
IF010_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=24.0.0.2&platform=All&function=fixId&fixids=24.0-IM-S24STAT-ALL-FP002-IF010&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nSPSS Statistics| 25.0.01| None| Install [_Statistics 25 FP001 IF006_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=25.0.0.1&platform=All&function=fixId&fixids=25.0-IM-S25STAT-ALL-FP001-IF006&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n** \n**\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-13T14:43:07", "type": "ibm", "title": "Security Bulletin: IBM SPSS Statistics is affected by multiple GSKit vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2020-04-13T14:43:07", "id": 
"470FB53E20DCF01D3FF4FB7251C5868A5D215FF7480131C88B1F5C06E159D01A", "href": "https://www.ibm.com/support/pages/node/569155", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:04", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V. IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following versions of the IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V are affected: \n\n * 8.1.0.0 through 8.1.4.0\n * 7.1.0.0 through 7.1.8.0\n \n\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect (Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V Release_**\n\n| **_First \nFixing \nVRM Level_**| **_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n8.1| 8.1.4.2| Windows| <http://www.ibm.com/support/docview.wss?uid=swg24044927> \n7.1| \n| Windows| Install the IBM Spectrum Protect Client 7.1.8.2 fix or higher using the following link: \n[](<http://www.ibm.com/support/docview.wss?uid=swg24044550>)<http://www.ibm.com/support/docview.wss?uid=swg24044550> \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:48", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:48", "id": "F590F9B8CCE606C3A8B1868747618F53738AF0A967C71C872865E6F97E3E2A42", "href": "https://www.ibm.com/support/pages/node/569233", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:40:46", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) Client. The IBM Spectrum Protect Client has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. 
Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). 
An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following versions of the IBM Spectrum Protect (formerly Tivoli Storage Manager) Client are affected: \n\n * 8.1.0.0 through 8.1.4.0\n * 7.1.0.0 through 7.1.8.1\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect (Tivoli Storage Manager) Client Release_**\n\n| **_First \nFixing \nVRM Level_** | **_Platform_** | **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n8.1 | 8.1.4.1 | AIX \nLinux \nMacintosh \nSolaris \nWindows | <http://www.ibm.com/support/docview.wss?uid=swg24043653> \n7.1 | 7.1.8.2 | AIX \nHP-UX \nLinux \nMacintosh \nSolaris \nWindows | [](<http://www-01.ibm.com/support/docview.wss?uid=swg24043984>) <http://www.ibm.com/support/docview.wss?uid=swg24044550> \n \n \nCustomers using older versions of the product (6.4 and below) should upgrade to a supported fixed version. 
\n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-07T23:00:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) Client", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2019-02-07T23:00:01", "id": "ACB1BEB9F23F8E2951B24CB2F49DBE6E43DA9F3C9311028237E3DCFF917143EE", "href": "https://www.ibm.com/support/pages/node/568221", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:04", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) Server. 
The IBM Spectrum Protect Server has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects the following IBM Spectrum Protect (formerly Tivoli Storage Manager) Server levels: \n\n * 8.1.0.0 through 8.1.4.x\n * 7.1.0.0 through 7.1.8.x\n \n_ _\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect (Tivoli Storage Manager) Server Release_**\n\n| **_First_** \n**_Fixing \nVRM \nLevel_**| **_ \n \nPlatform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n8.1| 8.1.5| AIX \nLinux \nWindows| <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v8r1/> \n7.1| 7.1.9| AIX \nHP-UX \nLinux \nSolaris \nWindows| <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v7r1/> \n \nCustomers using older versions of the product (6.4 and below) should upgrade to a supported fixed version. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:45", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:45", "id": "96172B0289A3157617DE620C9610D6DE694BCA12DD20D67BEB2C4BE5720F1E6F", "href": "https://www.ibm.com/support/pages/node/568879", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:04", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware. 
IBM Spectrum Protect for Virtual Environments: Data Protection for VMware has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following versions of the IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware are affected: \n\n * 8.1.0.0 through 8.1.4.0\n * 7.1.0.0 through 7.1.8.0\n \n\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect (Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware Release_**\n\n| **_First Fixing VRM Level_**| **_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n8.1| 8.1.4.1| Linux \nWindows| <http://www.ibm.com/support/docview.wss?uid=swg24044643> \n7.1| 7.1.8.1| Linux \nWindows| You can either upgrade to Data Protection for VMware 7.1.8.1 or apply the IBM Spectrum Protect 7.1.8.2 client fix. \nLink for Data Protection for VMware 7.1.8.1: \n<http://www.ibm.com/support/docview.wss?uid=swg24044553> \nLink for IBM Spectrum Protect 7.1.8.2 client fix: \n<http://www.ibm.com/support/docview.wss?uid=swg24044550> \n \nCustomers using older versions of the product (6.4 and below) should upgrade to a supported fixed version. 
\n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:44", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:44", "id": "F1D303774ACA9A5AD0E510C3DF5F1397009E7D6FD2FDAFAC4642501D873381FE", "href": "https://www.ibm.com/support/pages/node/568853", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:03", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager for Workstations). 
IBM Spectrum Protect for Workstations has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following versions of IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager FastBack for Workstations) are affected: \n\n * 8.1.0.0 through 8.1.2.0\n * 7.1.0.0 through 7.1.8.1\n \n\n\n## Remediation/Fixes\n\n**IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager FastBack for Workstations) Release**\n\n| **First Fixing VRMF level**| **Platform**| **Link to Fix** \n---|---|---|--- \n8.1| 8.1.2.1| Windows x64 \n \nWindows x64 Starter Edition| <http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FStorageSoftware%2FIBM+Spectrum+Protect+for+Workstations&fixids=8.1.2.1-SP4WKSTNS-x64_windows&source=SAR> \n \n<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FStorageSoftware%2FIBM+Spectrum+Protect+for+Workstations&fixids=8.1.2.1-SP4WKSTNS-SE-x64_windows&source=SAR> \n7.1| 7.1.8.2| Windows x64 \n \nWindows x64 Starter Edition| <http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-x64_windows-FP0002&source=SAR> \n 
\n<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-SE-x64_windows-FP0002&source=SAR> \n7.1| 7.1.8.2| Windows x32 \n \nWindows x32 Starter Edition| <http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-x86_windows-FP0002&source=SAR> \n \n<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.8-TIV-FB4WKSTNS-SE-x86_windows-FP0002&source=SAR> \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:47", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager FastBack for Workstations)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:47", "id": "88D4396F5AFD082566BDD5FF95312101BB6F94623E716D993F113380B02DC7D4", "href": "https://www.ibm.com/support/pages/node/569089", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T17:52:54", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix. IBM Spectrum Protect Snapshot for Unix has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. 
A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) components and levels are affected: \n\n\n * IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix and Linux\n * IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for DB2\n * IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Oracle\n * IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Oracle with SAP environments\n * IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Custom Applications \n * The above components are affected at these levels: \n \n\n\n * 8.1.0.0 through 8.1.4.0 \n * 4.1.0.0 through 4.1.6.1 (AIX and Linux)\n * 4.1.0.0 through 4.1.1.5 (HP_UX and Solaris)\n \n \n\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix Release_**\n\n| **_First Fixing VRMF Level_**| **_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n8.1| 8.1.4.1| AIX \nLinux| 
<http://www.ibm.com/support/docview.wss?uid=swg24044634> \n4.1| 4.1.6.2| AIX \nLinux| <http://www.ibm.com/support/docview.wss?uid=swg24044570> \n4.1| 4.1.1.6| HP-UX \nSolaris| <http://www.ibm.com/support/docview.wss?uid=swg24044564> \n \nCustomers using older versions of the product (3.2 and below) should upgrade to a supported fixed version. \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-01T11:19:59", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2022-02-01T11:19:59", "id": "E8A312ECF86D6A1C6D9722B8D51FDE987A400AF0C6568E0E843C6327878D3511", "href": 
"https://www.ibm.com/support/pages/node/568873", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T17:52:54", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware. IBM Spectrum Protect Snapshot for VMware has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. 
An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nThe following levels of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware are affected: \n\n\n * 4.1.0.0 through 4.1.6.3 \n\n \n\n\n## Remediation/Fixes\n\n**_IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware Release _**\n\n| **_First Fixing VRMF Level_**| **_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n4.1| 4.1.6.4| Linux| <http://www.ibm.com/support/docview.wss?uid=swg24044554> \n \nCustomers using older versions of the product (3.2 and below) should upgrade to a supported fixed version. \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-01T11:19:59", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2022-02-01T11:19:59", "id": "308A05F5B1028A741D58EC30AC13C7A0A2B660380B87E8811177772F0014DA1B", "href": "https://www.ibm.com/support/pages/node/568861", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:41:38", "description": "## Summary\n\nVulnerabilities have been addressed in the GSKit component of IBM Rational ClearCase.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**ClearCase Windows CMI/OSLC client**\n\n| \n\n**Status** \n \n---|--- \n \n8.0 through 8.0.0.21 \n8.0.1 through 8.0.1.16 \n9.0 through 9.0.0.6 \n9.0.1 through 9.0.1.2\n\n| \n\nAffected \n \n \n**CMI and OSLC integrations:** \nWindows clients only, of the indicated releases. \n\n\nThe IBM GSKit is used if ClearCase on Windows platforms is configured to integrate with a change management system with communication over SSL (https). 
This applies to any integration using Change Management Interface (CMI), and to non-CMI based UCM-enabled CQ integration via OSLC. If your ClearCase deployment is not using these integrations, or not using SSL with the integrations, then your deployment is not affected by this portion of the vulnerability. \n \nThe UCM-enabled CQ integration without using OSLC (SQUID) is not affected by this vulnerability.\n\n**CCRC WAN server release**\n\n| \n\n**Status** \n \n---|--- \n \n8.0 through 8.0.0.21 \n8.0.1 through 8.0.1.16 \n9.0 through 9.0.0.6 \n9.0.1 through 9.0.1.2\n\n| \n\nAffected \n \n \n**CCRC WAN Server:** \nAll platforms of the indicated releases. \n\n## Remediation/Fixes\n\n**Note:** After applying the fixes as noted below, please refer to this document [_http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html_](<http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html>) for information concerning password re-stashing. It is advised that you re-stash your password due to CVE-2018-1447 after you apply the fixes. \n \nThe solution is to upgrade to a newer fix pack or release of ClearCase, and to apply fixes for IBM HTTP Server (IHS). \n \n**CMI and OSLC integrations on Windows clients:** \nThe solution is to install a newer, fixed version of the GSKit runtime component. \n \n\n\n**Affected Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n \n9.0.1 through 9.0.1.2 \n9.0 through 9.0.0.6\n\n| Install [Rational ClearCase Fix Pack 3 (9.0.1.3) for 9.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044201>) \n \n8.0.1 through 8.0.1.16 \n8.0 through 8.0.0.21 \n\n| Install [Rational ClearCase Fix Pack 17 (8.0.1.17) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044199>) \n**CCRC WAN Server:** \nApply an IHS fix for the issue: \n\n 1. Determine the IHS version used by your CCRC WAN server. 
Navigate to the IBM HTTP Server installation directory (typically `/opt/ibm/HTTPServer` or `C:\\Program Files (x86)\\IBM\\HTTPServer`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM HTTP Server for WebSphere Application Server\". Make note of the version listed in this section.\n 2. Review the following IHS security bulletin for the available fixes: **_ _**[Security Bulletin: Multiple vulnerabilities GSKit bundled with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>). **Note: **there may be newer security fixes for IBM HTTP Server. Follow the link below (in the section \"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in GSKit shipped with IBM Rational ClearCase", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2018-07-10T08:34:12", "id": 
"BFFC97D9B867396253756A09ED28B13F581A2B14A0637B4684951D9BD6071488", "href": "https://www.ibm.com/support/pages/node/303325", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-22T01:47:33", "description": "## Summary\n\nThere are multiple vulnerabilities in GSKit that affect IBM Tivoli Directory Server and IBM Security Directory Server for AIX.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1388](<https://vulners.com/cve/CVE-2018-1388>) \n**DESCRIPTION:** GSKit V7 may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding. \nCVSS Base Score: 9.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138212> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAIX 5.3, 6.1, 7.1, 7.2\n\nThe following fileset levels (VRMF) are vulnerable, if the respective IBM Tivoli Directory Server (ITDS) or IBM Security Directory Server (ISDS) version is installed:\n\nAffected IBM Security Directory Server | Affected Versions \n---|--- \nIBM Tivoli Directory Server on AIX | 6.2 - 6.2.0.55, 6.3 - 6.3.0.48 \nIBM Security Directory Server on AIX | 6.3.1 - 6.3.1.23, 6.4 - 6.4.0.15 \n \nNote: To find out whether the affected ITDS or ISDS filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.\n\nExample: lslpp -L | grep -i itds\n\n## Remediation/Fixes\n\nNote: Recommended remediation is to always install the most recent package available for the respective IBM Tivoli Directory Server or IBM Security Directory Server version.\n\nAffected IBM Security Directory Server | VRMF | Remediation \n---|---|--- \nIBM Tivoli Directory Server | 6.2 - 6.2.0.55 | [6.2.0.56-ISS-ITDS-IF0056 ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.2.0.56&platform=All&function=all>) \nIBM Tivoli Directory Server | 6.3 - 6.3.0.48 | [6.3.0.49-ISS-ITDS-IF0049](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.3.0.49&platform=All&function=all>) \nIBM Security Directory Server | 6.3.1 - 6.3.1.23 | [6.3.1.24-ISS-ISDS-IF0024 ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.3.1.24&platform=All&function=all>) \nIBM Security Directory Server | 6.4 - 6.4.0.15 | [6.4.0.16-ISS-ISDS-IF0016 
](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.4.0.16&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-01-02T14:15:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affect IBM Tivoli Directory Server and IBM Security Directory Server for AIX", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2018-1388", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2019-01-02T14:15:01", "id": "235A36D9CC1BA1B9BEC5F6CAD35060A5EF1602254ADE78302EA78955288ACDFE", "href": "https://www.ibm.com/support/pages/node/788069", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T21:41:26", "description": "## Summary\n\nGSKit is used by IBM Workload Manager and is vulnerable to some OpenSSL vulnerabilities. 
IBM Workload Manager has addressed the applicable CVEs using an updated version of GSKit libraries.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nTWS uses GSKit only for secure communication between internal processes. \nFor Tivoli Workload Scheduler Distributed, TWS nodes are impacted by these security exposures only if the TWS workstation has been defined with \u201csecuritylevel\u201d set to on or enabled or force and GSKit has been explicitly enabled. \nFurthermore, the vulnerability applies to Dynamic Agents or zCentric agents too. \nThe security exposures apply to the following versions: \nTivoli Workload Scheduler Distributed 8.6.0 FP04 and earlier \nTivoli Workload Scheduler Distributed 9.1.0 FP02 and earlier \nTivoli Workload Scheduler Distributed 9.2.0 FP02 and earlier \nIBM Workload Scheduler Distributed 9.3.0 FP03 and earlier \nIBM Workload Scheduler Distributed 9.4.0 FP03 and earlier\n\n## Remediation/Fixes\n\nAPAR IJ06473 has been opened to address the GSKit vulnerabilities for IBM Workload Scheduler. 
\nThe following limited availability fixes for IJ06473 are available for download on FixCentral \n8.6.0-TIV-TWS-FP0004-IJ06473 \nto be applied on top of Tivoli Workload Scheduler Distributed 8.6.0 FP04 \n9.1.0-TIV-TWS-FP0002-IJ06473 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.1.0 FP02 \n9.2.0-TIV-TWS-FP0002-IJ06473 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.2.0 FP02 \n9.3.0-TIV-TWS-FP0003-IJ06473 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.3.0 FP03 \n9.4.0-TIV-TWS-FP0003-IJ06473 \nto be applied on top of Tivoli Workload Scheduler Distributed 9.4.0 FP03 \n \nFor unsupported releases, IBM recommends upgrading to a fixed, supported release of the product.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-19T15:00:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in GSKit affect IBM Workload Scheduler", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", 
"CVE-2018-1428"], "modified": "2020-06-19T15:00:50", "id": "7C371350C79C6F7596054D8B19A4BAAD069A8ADE699FB847B44E70E03F3D6988", "href": "https://www.ibm.com/support/pages/node/717133", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:02", "description": "## Summary\n\nThe following security issues have been identified in the GSKit component included as part of the IBM Tivoli Monitoring product.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1388](<https://vulners.com/cve/CVE-2018-1388>)** \nDESCRIPTION:** GSKit V7 may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding. \nCVSS Base Score: 9.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138212> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) \n\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n \n \n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>)** \nDESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n \n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Tivoli Monitoring versions 6.3.0 through 6.3.0 FP7: all CVEs above except CVE-2018-1388 \n\nIBM Tivoli Monitoring versions 6.2.3 through 6.2.3 FP5: all CVEs above except CVE-2016-0702\n\n## Remediation/Fixes\n\n**All ITM distributed components (GSKIT/Basic Services)**\n\n \nThe patches upgrade the GSKit version to the level listed below: \n \n\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**Upgraded GSKit Version**\n\n| **Remediation / First Fix** \n---|---|---|--- \nIBM Tivoli Monitoring| 6.2.3 any Fix Pack Level| 7.0.5.15| <http://www.ibm.com/support/docview.wss?uid=swg24044748> \nIBM Tivoli Monitoring| 6.3.0 Fix Pack 2 to Fix Pack 7| 8.0.50.88 \n \n \nIBM Tivoli Monitoring components and agents built for 6.2.3 are shipped with GSKit version 7 \nIBM Tivoli Monitoring components and agents built for 6.3.0 are shipped with GSKit version 8 \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:50:54", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affect the GSKit component of IBM Tivoli Monitoring", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1388", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:50:54", "id": "DDBD4BDAEE1412B8C8199BA8BCDE15F2A42D1C2982D2BFF3B062BFCD642CDD23", "href": "https://www.ibm.com/support/pages/node/569421", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-22T01:47:34", "description": "## Summary\n\nThe following security issues have been identified in the GSKit component included as part of the IBM Tivoli Monitoring product.\n\n## Vulnerability Details\n\nCVEID: [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \nDESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2018-1388](<https://vulners.com/cve/CVE-2018-1388>) \nDESCRIPTION: GSKit V7 may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding. 
\nCVSS Base Score: 9.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138212> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\nCVEID: [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \nDESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\nCVEID: [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \nDESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\nCVEID: [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \nDESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\nCVEID: [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \nDESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \nDESCRIPTION: IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \nDESCRIPTION: IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nCVEID: [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \nDESCRIPTION: IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nIBM Operations Analytics - Log Analysis version 1.3.1, 1.3.2, 1.3.3, 1.3.3.1 and 1.3.5\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s) | Fix details \n---|--- \nIBM Operations Analytics - Log Analysis version 1.3.1, 1.3.2, 1.3.3, 1.3.3.1 and 1.3.5 | [Security Bulletin: Multiple vulnerabilities affect the GSKit component of IBM Tivoli Monitoring](<https://www-01.ibm.com/support/docview.wss?uid=swg22015424>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-26T07:50:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affect the GSKit component of IBM Tivoli Monitoring shipped with IBM Operations Analytics - Log Analysis", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1388", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-12-26T07:50:01", "id": "73AC0A21A1C1C6C3987AD6559B838B31C02E7FC2112C00D32E18ABA3B130AC8F", "href": "https://www.ibm.com/support/pages/node/792541", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:41:19", "description": "## Summary\n\nIBM BigInsights is affected by multiple vulnerabilities in IBM Db2. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1448_](<https://vulners.com/cve/CVE-2018-1448>) \n**DESCRIPTION:** IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/140043_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140043>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM BigInsights: 4.2, 4.2.5\n\n## Remediation/Fixes\n\nBigInsights 4.2: Fixes are available in a downloadable image here: [https://www.ibm.com/support/entdocview.wss?uid=swg24044682](<https://www-01.ibm.com/support/entdocview.wss?uid=swg24044682>) \nBigInsights 4.2.5: Fixes are available in a downloadable image here: [https://www.ibm.com/support/entdocview.wss?uid=swg24044646](<https://www-01.ibm.com/support/entdocview.wss?uid=swg24044646>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-18T23:34:36", "type": "ibm", "title": "Security Bulletin: IBM BigInsights is affected by multiple vulnerabilities in IBM Db2", "bulletinFamily": 
"software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447", "CVE-2018-1448"], "modified": "2020-07-18T23:34:36", "id": "7BD03C97D3450FEAE4EB4F8F33140691B9F85B4915C83AFD5212FE881A12ADDA", "href": "https://www.ibm.com/support/pages/node/735117", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:44:46", "description": "## Summary\n\nIBM API Connect has addressed multiple vulnerabilities in GSKit and OpenSSL.\n\n## Vulnerability Details\n\n**CVEID: ** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID: ** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID: ** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID: ** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION: **IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID: ** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION: **IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID: ** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION: **IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID: ** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION: **The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected IBM API Management | Affected Versions \n---|--- \nIBM API Connect | 5.0.0.0-5.0.8.4 \n \n## Remediation/Fixes\n\nProduct | Fixed in VRMF | APAR | Remediation / First Fix \n---|---|---|--- \n \nIBM API Connect 5.0.0.0-5.0.8.4\n\n| \n\n5.0.8.5\n\n| \n\nLI80493\n\n| \n\nAddressed in IBM API Connect V5.0.8.5 fix pack.\n\nFollow this link and find the APIConnect_Management package.\n\n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.4&platform=All&function=all&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.4&platform=All&function=all&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-16T15:50:02", "type": "ibm", "title": "Security Bulletin: IBM API Connect is affected by multiple GSKit and OpenSSL vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2019-01-16T15:50:02", "id": "79C9308A38227EABEE316B0407CBC46021561F829AEBF9659F93085D4FC63547", "href": "https://www.ibm.com/support/pages/node/719379", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:49:48", "description": "## Summary\n\nMultiple security vulnerabilities (CVE-2018-1426, CVE-2018-1427, CVE-2018-1428, CVE-2017-3736, CVE-2017-3732, CVE-2016-0705, and CVE-2018-1447) have been discovered in GSKit used with IBM Security Network Protection.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n \n \n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Security Network Protection 5.3.1 \nIBM Security Network Protection 5.3.3\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nIBM Security Network Protection| Firmware version 5.3.1| Download the fix from [IBM Fix Central](<https://www-945.ibm.com/support/fixcentral>) and install it via IBM Security Network Protection Local Management Interface. 
\n[5.3.1.16-XGS-All-Models-Hotfix-IF0001](<https://www-945.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=5.3.1.16-XGS-All-Models_Hotfix-IF0001&continue=1>) \nIBM Security Network Protection| Firmware version 5.3.3| Download the fix from [IBM Fix Central](<https://www-945.ibm.com/support/fixcentral>) and install it via IBM Security Network Protection Local Management Interface. \n[5.3.3.6-XGS-All-Models-Hotfix-IF0001](<https://www-945.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=5.3.3.6-XGS-All-Models-Hotfix-IF0001&continue=1>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T22:07:03", "type": "ibm", "title": "Security Bulletin: IBM Security Network Protection is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-16T22:07:03", "id": "F0864C914EFB62F7C48822F52BDF423B57466738327736DD211AEFBE34B7C109", "href": 
"https://www.ibm.com/support/pages/node/571209", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:05:27", "description": "## Summary\n\nMultiple vulnerabilities have been addressed in the GSKit component of Tivoli Netcool/OMNIbus.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2018-1447_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2016-0705_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. 
An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nTivoli Netcool/OMNIbus 7.4.0 \nTivoli Netcool/OMNIbus 8.1.0\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nOMNIbus| 7.4.0.17| IJ02853| <http://www-01.ibm.com/support/docview.wss?uid=swg24044483> \nOMNIbus| 8.1.0.16| IJ02853| <http://www-01.ibm.com/support/docview.wss?uid=swg24044414> \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related 
Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n18 May 2018: Original version published, 6 June 2018: Updated with 7.4.0.17 details\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. 
Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSSHTQ\",\"label\":\"Tivoli Netcool\\/OMNIbus\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.4.0;8.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:15:49", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the GSKit component of Tivoli Netcool/OMNIbus", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T15:15:49", "id": "2F4353DF684AD6726CB9491220A703D4AD06D4406D7B35BEBCB2D4EE11863E10", "href": "https://www.ibm.com/support/pages/node/538871", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:48:46", "description": "## Summary\n\nMultiple security vulnerabilities have been identified in GSKit and GSKit-Crypto that is used by IBM Cloud Manager with OpenStack. \nIBM Cloud Manager with OpenStack has addressed these vulnerabilities. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\n**Affected Product Name**| **Affected Versions** \n---|--- \nIBM Cloud Manager with OpenStack| 4.3 \n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **Remediation / First Fix** \n---|---|--- \nIBM Cloud Manager with OpenStack| 4.3| Upgrade to 4.3 FP 10: \n[**_http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FCloud+Manager+with+Openstack&fixids=4.3.0.10-IBM-CMWO-FP10&source=SAR_**](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FCloud+Manager+with+Openstack&fixids=4.3.0.10-IBM-CMWO-FP10&source=SAR>) \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-08T04:13:55", "type": "ibm", "title": "Security Bulletin: IBM Cloud Manager with OpenStack is affected by GSKit", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-08-08T04:13:55", "id": "7A811732B34C1BAA3F2209EA69EE01FCACF762E53C22EAE8A8FB7A45B4E7164D", "href": "https://www.ibm.com/support/pages/node/664853", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:46:59", "description": "## Summary\n\nIBM FileNet Image Services has addressed multiple GSKit and GSKit-Crypto vulnerabilities. \n\n## Vulnerability Details\n\n**CVEID: **[_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n** \nCVEID: **[_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n** \nCVEID: **[_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION: **IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM FileNet Image Services 4.2.0\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nIBM FileNet Image Services| 4.2.0| Please refer [technote](<http://www-01.ibm.com/support/docview.wss?uid=swg22016493>) for the fix. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:19:30", "type": "ibm", "title": "Security Bulletin: IBM FileNet Image Services is affected by GSKit and GSKit-Crypto vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-17T12:19:30", "id": "DDAC6B14B8934B2E6C225A197BD36CA0AC38FD8684F572F5702537FFE8240DAB", "href": "https://www.ibm.com/support/pages/node/568337", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:48:07", "description": "## Summary\n\nIBM Content Collector for SAP Applications has addressed multiple GSKit and GSKit-Crypto vulnerabilities. Details of the vulnerabilities are given below. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. 
An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID: **[_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID: **[_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID: **[_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION: **IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Content Collector for SAP Applications 3.0.0\n\nIBM Content Collector for SAP Applications 4.0.0\n\n## Remediation/Fixes\n\n**Product** | **VRM** | **Remediation** \n---|---|--- \nIBM Content Collector for SAP Applications | 3.0 | Use IBM Content Collector for SAP Applications [3.0.0.2 Interim Fix 8](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Content%20Management&product=ibm/Information+Management/IBM+Content+Collector+for+SAP+Applications&release=3.0.0.2&platform=All&function=all>) \nIBM Content Collector for SAP Applications | 4.0 | Use IBM Content Collector for SAP Applications [4.0.0.2 Interim Fix 2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Content%20Management&product=ibm/Information+Management/IBM+Content+Collector+for+SAP+Applications&release=4.0.0.2&platform=All&function=all>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-30T12:21:09", "type": "ibm", "title": "Security Bulletin: IBM Content Collector for SAP Applications is affected by GSKit and GSKit-Crypto vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-08-30T12:21:09", "id": "2BB93AE1C7A3B73A6491F3A66D7F39AEF96849CFFB0026B650053C816A375F8C", "href": "https://www.ibm.com/support/pages/node/715153", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T13:34:50", "description": "## Summary\n\nIBM Data Server Driver for ODBC and CLI is affected by multiple vulnerabilities in the GSKit library. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)\n\n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAll fix pack levels of IBM Data Server Driver for ODBC and CLI V9.7, V10.1, V10.5, and V11.1 editions on all platforms are affected.\n\n## Remediation/Fixes\n\nThe latest DB2 V11.1 m3FP3 and DB2 V10.5 FP10 already include the most recent GSKit version, V8.0.50.86, which addresses all the GSKit vulnerabilities reported to date.\n\nFor DB2, including the IBM data server driver, at V9.7, V10.1 and any V10.5 level before fix pack 5, you can get all the required information and the fix pack download location from <http://www-01.ibm.com/support/docview.wss?uid=swg22013756>.\n\n_For customers running IBM data server client and driver types_\n\nUpgrading GSKit is required if either of the following applies to you:\n\n * IBM data server client and driver types for V9.7, V10.1 and any V10.5 level before fix pack 5.\n * IBM data server client and driver types for V10.5 fix pack 5 or later with GSKit additionally installed.\n\nWhere to obtain GSKit depends on the DB2 release and platform:\n\n * IBM data server client and driver types V10.5 fix pack 5 on Inspur or Linux 64-bit POWER\u2122 little endian on Power System: contact customer support to obtain the \"IBM DB2 Support Files for SSL Functionality\".\n * IBM data server client and driver types V9.7, V10.1 and any V10.5 level before fix pack 5: \n * _Client and the server are on the same physical computer_: For the Windows platform, you do not need to upgrade GSKit, as GSKit is automatically installed with the DB2 server image. 
For all other platforms, you will need to download \"IBM DB2 Support Files for SSL Functionality\" from IBM Passport Advantage\u00ae.\n * _Client and the server are on different computers_: For all platforms, download \"IBM DB2 Support Files for SSL Functionality\" from IBM Passport Advantage\u00ae and perform the GSKit upgrade.\n\nRefer to the chart of GSKit versions shipped with DB2: <http://www.ibm.com/support/docview.wss?uid=swg21617892>\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-03T03:38:29", "type": "ibm", "title": "Security Bulletin: IBM Data Server Driver for ODBC and CLI is affected by multiple vulnerabilities in the GSKit library", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 
10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-07-03T03:38:29", "id": "5B61A8C776F5DB5A9AF0C13607CB60BA8EAB34C3208154E6FCEAAD0857CCDCEA", "href": "https://www.ibm.com/support/pages/node/715907", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:47:01", "description": "## Summary\n\neDiscovery Manager has addressed multiple GSKit and GSKit-Crypto vulnerabilities. Details of the vulnerabilities are given below. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n** \nCVEID: **[_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n** \nCVEID: **[_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION: **IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n** \nCVEID: **[_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION: **IBM GSKit contains several enviornment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n** \nCVEID: **[_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION: **IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\neDiscovery Manager 2.2.2\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \neDiscovery Manager| 2.2.2| Use eDiscovery Manager 2.2.2 [Fix Pack 3](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Content%20Management&product=ibm/Information+Management/InfoSphere+eDiscovery+Manager&release=2.2.2.3&platform=All&function=all>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:19:30", "type": "ibm", "title": "Security Bulletin: eDiscovery Manager is affected by GSKit and GSKit-Crypto vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": 
"2018-06-17T12:19:30", "id": "C18E4772030D674D152D69B21575B31602E8081D2A7D63F34DF5712FA898D8EA", "href": "https://www.ibm.com/support/pages/node/568339", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T13:34:52", "description": "## Summary\n\nMultiple vulnerabilities in the IBM GSKit and IBM GSKit-Crypto affect IBM Performance Management products.\n\n## Vulnerability Details\n\nCVEID: [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \nDESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/139972 for the current score](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972 for the current score>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \nDESCRIPTION: IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/139071 for the current score](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071 for the current score>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\nCVEID: [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \nDESCRIPTION: IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/139072 for the current score](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072 for the current score>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nCVEID: [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \nDESCRIPTION: IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/139073 for the current score](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073 for the current score>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \nDESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for the current score](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for the current score>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nCVEID: [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \nDESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for the current score](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for the current score>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\nCVEID: [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \nDESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for the current score](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for the current score>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Cloud Application Performance Management, Base Private \n\nIBM Cloud Application Performance Management, Advanced Private \n\nIBM Cloud Application Performance Management\n\n## Remediation/Fixes\n\n_Product_\n\n| _Product \nVRMF_ | _Remediation_ \n---|---|--- \nIBM Cloud Application Performance Management, Base Private \n \nIBM Cloud Application Performance Management, Advanced Private | _8.1.4_ | The vulnerabilities can be remediated by applying the Core Framework interim fix 8.1.4.0-IBM-APM-CORE-FRAMEWORK-APM-IF0003 to all systems where Cloud APM agents are installed: \n[https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003972](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003972>) \nIBM Cloud Application Performance Management | _N/A_ | \n\nAfter your subscription is upgraded to V8.1.4, the vulnerabilities can be remediated by either \n \na) downloading the Core Framework interim fix 8.1.4.0-IBM-APM-CORE-FRAMEWORK-APM-IF0003 to all systems where Cloud APM agents are installed and applying the 
fix by following the instructions at this link: \n[https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003972](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003972>) \n \nb) downloading the Cloud APM agent packages for the operating systems that your agents run on and using the downloaded packages to upgrade existing agents to use the updated Core Framework or to install new agents with the updated Core Framework. \n \nPlease refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/download_agents_intro.htm> for details \non downloading agent packages from IBM Marketplace. \n \nPlease refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/install_agent_upgrade.htm> for details on upgrading existing agents. \n \nPlease refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/install_intro.htm> \nfor details on installing new agents. \n \nIBM Monitoring \nIBM Application Diagnostics \nIBM Application Performance Management \nIBM Application Performance Management Advanced | _8.1.3_ | The vulnerabilities can be remediated by applying the Core Framework interim fix 8.1.3.0-IBM-IPM-CORE-FRAMEWORK-IPM-IF0007 to all systems where Performance Management agents are installed: \n[https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003966](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003966>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-03T02:48:06", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities 
in the IBM GSKit and IBM GSKit-Crypto affect IBM Performance Management products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-07-03T02:48:06", "id": "73288A84B49A641505C576DEDC995F44E69001C227078E86112664767072BDA2", "href": "https://www.ibm.com/support/pages/node/716097", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T17:47:13", "description": "## Summary\n\nIBM MQ and WebSphere MQ have addressed multiple vulnerabilities in OpenSSL and GSKit. \n \nOpenSSL is used by IBM MQ Advanced Message Security on the IBM i platform only.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>)** \nDESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>)** \nDESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>)** \nDESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>)** \nDESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\n_WebSphere MQ v7.0.1_\n\n * Maintenance levels: 7.0.1.0 - 7.0.1.14\n \n_WebSphere MQ v7.1_\n\n * Maintenance levels: 7.1.0.0 - 7.1.0.9\n \n_WebSphere MQ v7.5_\n\n * Maintenance levels: 7.5.0.0 - 7.5.0.8\n \n_IBM MQ v8.0 and IBM MQ Appliance v8.0_\n\n * Maintenance level: 8.0.0.0 - 8.0.0.8\n \n_IBM MQ v9.0 LTS_\n\n * Maintenance levels: 9.0.0.0 - 9.0.0.2\n \n_IBM MQ v9.0.x CD and IBM MQ Appliance v9.0.x CD_\n\n * IBM MQ version 9.0.1 - 9.0.4\n\n## Remediation/Fixes\n\n \n_WebSphere MQ v7.0.1_\n\n * Contact WebSphere MQ Support requesting an iFix for APAR IT25200\n \n_WebSphere MQ v7.1_\n\n * Contact WebSphere MQ Support requesting an iFix for APAR IT25200\n \n_WebSphere MQ v7.5_\n\n * [Apply iFix IT25200](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=7.5&platform=All&function=aparId&apars=IT25200&source=fc>)\n \n_IBM MQ v8.0 and IBM MQ Appliance v8.0_\n\n * [Apply fixpack 8.0.0.9](<http://www-01.ibm.com/support/docview.wss?uid=swg22015103>)\n \n_IBM MQ v9.0 LTS_\n\n * [Apply fixpack 9.0.0.3](<http://www-01.ibm.com/support/docview.wss?uid=swg27006037#8000>)\n \n_IBM MQ v9.0.x CD and IBM MQ Appliance v9.0.x CD_\n\n * [Upgrade to IBM MQ 9.0.5](<http://www-01.ibm.com/support/docview.wss?uid=swg24043463>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-20T01:29:42", "type": "ibm", "title": "Security Bulletin: IBM MQ and WebSphere MQ are affected by multiple vulnerabilities in OpenSSL and GSKit.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2022-08-20T01:29:42", "id": "A965468AD7FD6E0FC84AAD8198928B8ABF25FC38D0638161A79D59279C9E678D", "href": "https://www.ibm.com/support/pages/node/711755", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T17:51:59", "description": "## Summary\n\nMultiple security vulnerabilities (CVE-2018-1426, CVE-2018-1427, CVE-2018-1428, CVE-2017-3736, CVE-2017-3732, CVE-2016-0705, and CVE-2018-1447) have been discovered in GSKit used with IBM Security Network Intrusion Prevention System.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Security Network Intrusion Prevention System 4.6.1\n\nIBM Security Network Intrusion Prevention System 4.6.2\n\n## Remediation/Fixes\n\nProduct | VRMF | Remediation/First Fix \n---|---|--- \nIBM Security Network Intrusion Prevention System | Firmware version 4.6.1 | \n\nDownload the fix from [IBM Fix Central](<https://www-945.ibm.com/support/fixcentral>) and install it via IBM Security Network Intrusion Prevention System Local Management Interface.\n\n[4.6.1.0-ISS-ProvG-AllModels-Hotfix-FP0019](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FProventia+Network+Intrusion+Prevention+System&fixids=4.6.1.0-ISS-ProvG-AllModels-Hotfix-FP0019&source=SAR&function=fixId&parent=IBM%20Security>) \n \nIBM Security Network Intrusion Prevention System | Firmware version 4.6.2 | \n\nDownload the fix from [IBM Fix Central](<https://www-945.ibm.com/support/fixcentral>) and install it via IBM Security Network Intrusion Prevention System Local Management Interface.\n\n[4.6.2.0-ISS-ProvG-AllModels-Hotfix-FP0027](<https://www-945.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FTivoli%2FProventia+Network+Intrusion+Prevention+System&fixids=4.6.2.0-ISS-ProvG-AllModels-Hotfix-FP0027&source=SAR&function=fixId&parent=IBM%20Security>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": 
"NONE"}, "impactScore": 5.9}, "published": "2022-02-23T19:48:26", "type": "ibm", "title": "Security Bulletin: IBM Security Network Intrusion Prevention System is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2022-02-23T19:48:26", "id": "7E4E851053AF5C2BFADF66AC8494971BF986538EB9E1BEE4C5D8B83D2DB1BBB0", "href": "https://www.ibm.com/support/pages/node/713555", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:38:57", "description": "## Summary\n\nIBM Sterling File Gateway has addressed the following vulnerabilities caused by Apache Struts 1.1\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2008-2025](<https://vulners.com/cve/CVE-2008-2025>)** \nDESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/49712> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92889> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [CVE-2015-0899](<https://vulners.com/cve/CVE-2015-0899>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101770> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Sterling File Gateway 2.2 \n\n## Remediation/Fixes\n\n**PRODUCT & Version **\n\n| \n\n**APAR**\n\n| \n\n**Remediation/Fix** \n \n---|---|--- \nIBM Sterling File Gateway 2.2 | IT23546| \n\nApply Fix Pack 5020603_5 available on [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-02-05T00:53:36", "type": "ibm", "title": "Security Bulletin: Multiple Apache Struts Vulnerabilities Affect IBM Sterling File Gateway", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-2025", "CVE-2014-0114", "CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2020-02-05T00:53:36", "id": "1A977E1D46AE4CB4B7068DB341125931FAD75C28D6703503973FFF9BE917887F", "href": "https://www.ibm.com/support/pages/node/301983", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:39:00", "description": "## Summary\n\nIBM Sterling B2B Integrator Standard Edition has addressed the following multiple vulnerabilities caused by Apach Struts 1.1\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2008-2025](<https://vulners.com/cve/CVE-2008-2025>)** \nDESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/49712> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. 
An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92889> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [CVE-2015-0899](<https://vulners.com/cve/CVE-2015-0899>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101770> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. 
\nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Sterling B2B Integrator 5.2\n\n## Remediation/Fixes\n\n**PRODUCT & Version **\n\n| \n\n**APAR**\n\n| \n\n**Remediation/Fix** \n \n---|---|--- \n \nIBM Sterling B2B Integrator 5.2\n\n| IT23546| \n\nApply Fix Pack 5020603_4 available on [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-02-05T00:53:36", "type": "ibm", "title": "Security Bulletin: Multiple Apache Struts Vulnerabilities Affect IBM Sterling B2B Integrator", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-2025", "CVE-2014-0114", "CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2020-02-05T00:53:36", "id": 
"71A473993D401FAFDA20A063C958EB3785E06B0F2833BBEB5FA0B1E2E3123139", "href": "https://www.ibm.com/support/pages/node/301933", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:27", "description": "## Summary\n\nMultiple security vulnerabilities have been reported for Apache Struts that is used by IBM Business Process Manager and WebSphere Lombardi Edition.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n \n \n**CVEID:** [CVE-2015-0899](<https://vulners.com/cve/CVE-2015-0899>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. 
This vulnerability also affects other products. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101770> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\n * * WebSphere Lombardi Edition V7.2.0.0 - V7.2.0.5\n * IBM Business Process Manager all editions V7.5.0.0 - V7.5.1.2\n * IBM Business Process Manager all editions V8.0.0.0 - V8.0.1.3\n * IBM Business Process Manager all editions V8.5.0.0 - V8.5.7.0 prior to cumulative fix 2016.09\n\n## Remediation/Fixes\n\nInstall IBM Business Process Manager interim fix JR56285 as appropriate for your current IBM Business Process Manager or WebSphere Lombardi Edition version. \n\n\n * [_IBM Business Process Manager Advanced_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR56285>)\n * [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR56285>)\n * [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR56285>)\n \nAs WebSphere Lombardi Edition and IBM Business Process Manager V7.5 are out of general support, customers with a support extension contract can contact IBM support to request the fix for download. \n \nIBM Business Process Manager and WebSphere Lombardi Edition build upon IBM WebSphere Application Server that also uses Apache Struts. 
Refer to the [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for details on fixes for WebSphere Application Server. \nIBM Business Process Manager V8.5.7.0 cumulative fix 2016.09 includes IBM WebSphere Application Server V8.5.5.10, thus does not require additional fixes for this vulnerability. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:06:16", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities in Apache Struts might affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-1181, CVE-2016-1182, CVE-2015-0899)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:16", "id": "107B029DD56A2199A3A87E51461350D452A0422C3E3D25CE9E1B91F71C36131B", "href": "https://www.ibm.com/support/pages/node/552311", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2023-02-21T01:47:33", "description": "## Summary\n\nIBM C\u00faram Social Program Management uses the Apache Struts Library. Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator; or Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance; or Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \n_CVSS Base Score: 4.8 \nCVSS Temporal Score: See _[__https://exchange.xforce.ibmcloud.com/vulnerabilities/113853__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>)_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L_) \n \n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. 
\n_CVSS Base Score: 8.1 \nCVSS Temporal Score: See _[__https://exchange.xforce.ibmcloud.com/vulnerabilities/113852__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>)_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H_) \n \n**CVEID:** [_CVE-2015-0899_](<https://vulners.com/cve/CVE-2015-0899>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products. \n_CVSS Base Score: 4.3 \nCVSS Temporal Score: See _[__https://exchange.xforce.ibmcloud.com/vulnerabilities/101770__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101770>)_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)_\n\n## Affected Products and Versions\n\nIBM C\u00faram Social Program Management 7.0.0.0 - 7.0.1.0 \nIBM C\u00faram Social Program Management 6.2.0.0 - 6.2.0.5 \nIBM C\u00faram Social Program Management 6.1.0.0 - 6.1.1.5 \nIBM C\u00faram Social Program Management 6.0.5.0 - 6.0.5.10\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| _Remediation/First Fix_ \n---|---|--- \nIBM C\u00faram Social Program Management| 7.0| Visit IBM Fix Central and upgrade to [_7.0.1.1_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=7.0.1.0&platform=All&function=all>) or a subsequent 7.0.1 release \nIBM C\u00faram Social Program Management| 6.2| Visit IBM Fix Central and upgrade to [_6.2.0.6_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.2.0.0&platform=All&function=all>) or a subsequent 
6.2.0 release \nIBM C\u00faram Social Program Management| 6.1| Visit IBM Fix Central and upgrade to [_6.1.1.6_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.1.1.0&platform=All&function=all>) or a subsequent 6.1.1 release \nIBM C\u00faram Social Program Management| 6.0.5| Visit IBM Fix Central and upgrade to [_6.0.5.10 iFix2_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.0.5.10&platform=All&function=all>) or a subsequent 6.0.5 release \n \n## Workarounds and Mitigations\n\nFor information on all other versions please contact C\u00faram Customer Support.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T13:09:41", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM C\u00faram Social Program Management (CVE-2016-1182, CVE-2016-1181, CVE-2015-0899)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0899", "CVE-2016-1181", 
"CVE-2016-1182"], "modified": "2018-06-17T13:09:41", "id": "B4BA991763253D738BCAA9AB61AE50E1AA4C20D6F3366D5551C3051C29FEADB2", "href": "https://www.ibm.com/support/pages/node/296843", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:40:48", "description": "## Summary\n\nA vulnerability has been addressed in the GSKit component of IBM Sterling Connect:Direct for UNIX. Further, OpenSSL vulnerabilities disclosed by the OpenSSL Project affect GSKit. IBM Sterling Connect:Direct for UNIX uses GSKit and therefore is also vulnerable.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION: **IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See[https://exchange.xforce.ibmcloud.com/vulnerabilities/139072](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID: **[CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See[https://exchange.xforce.ibmcloud.com/vulnerabilities/121313](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID: **[CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). 
An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See[https://exchange.xforce.ibmcloud.com/vulnerabilities/134397](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Sterling Connect:Direct for Unix 4.2.0\n\n## Remediation/Fixes\n\n**V.R.M.F** | **APAR** | **Remediation/First Fix** \n---|---|--- \n4.2.0 | None | Apply 4.2.0.4.iFix086, available in cumulative iFix088 on [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+Connect%3ADirect+for+UNIX&release=4.1.0.4&platform=All&function=fixId&fixids=4.2.0.4*iFix088*&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T22:19:08", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit affects IBM Sterling Connect:Direct for UNIX", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1427"], "modified": "2020-07-24T22:19:08", "id": "6DB274E6F7EB4D6F538135EC07CF4443980A5C2FC8C1652E16833E39D5F430D2", "href": "https://www.ibm.com/support/pages/node/726077", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:38:13", "description": "## Summary\n\nVulnerabilities have been found in the IBM GSKit component used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID: **[**CVE-2017-3732**](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID: **[**CVE-2017-3736**](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [**CVE-2018-1427**](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nIBM Sterling Connect:Direct for Microsoft Windows 4.7.0.0 through 4.7.0.5_iFix012\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nIBM Sterling Connect:Direct for Microsoft Windows| 4.7.0| [IT24136](<http://www.ibm.com/support/docview.wss?uid=swg1IT24136>)| Apply 4.7.0.5_iFix013, available on [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/Sterling+Connect%3ADirect+for+Microsoft+Windows&release=4.7.0.5&platform=All&function=aparId&apars=IT24136>) \n_For older versions/releases IBM recommends upgrading to a fixed, supported version/release of the product._\n\n## Workarounds and Mitigations\n\nTo protect the system from issues CVE-2017-3732 & CVE-2017-3736, only use Cipher Suites that start with TLS_ECDHE_ECDSA...\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, 
"impactScore": 3.6}, "published": "2020-07-24T22:19:08", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in GSKit Affect IBM Sterling Connect:Direct for Microsoft Windows", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1427"], "modified": "2020-07-24T22:19:08", "id": "D5AA5A836C6CC887766560D5C0DEA7A00ECE08E7210420C4B9BBFF45EA1FF9F6", "href": "https://www.ibm.com/support/pages/node/304413", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:50:48", "description": "## Summary\n\nFileNet Capture has addressed multiple GSKit and GSKit-Crypto vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nFileNet Capture 5.2.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM** | **Remediation** \n---|---|--- \nFileNet Capture | 5.2.1 | Use FileNet Capture 5.2.1.8 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet%20Product%20Family&product=ibm/Information+Management/FileNet+Capture&release=5.2.1.8&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-02T18:45:28", "type": "ibm", "title": "Security Bulletin: FileNet Capture is affected by GSKit and GSKit-Crypto vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1447"], "modified": "2018-07-02T18:45:28", "id": 
"5B4C19B2CA9D2714AEF1546FC810D709406148AD04288568A5EFCF5FDEF9B2D5", "href": "https://www.ibm.com/support/pages/node/715255", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:45:38", "description": "## Summary\n\nIBM Security Privileged Identity Manager has addressed the following vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nProduct | VRMF \n---|--- \nIBM Security Privileged Identity Manager | 2.1.0 - 2.1.0.7 \nIBM Security Privileged Identity Manager | 2.0.2 - 2.0.2.10 \n \n## Remediation/Fixes\n\n**Product** | **VRMF** | **Remediation** \n---|---|--- \nIBM Security Privileged Identity Manager | 2.1.0 - 2.1.0.7 | [_2.1.0-ISS-ISPIM-VA-FP0008 _](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?fixids=2.1.0-ISS-ISPIM-VA-FP0008&mhq=2.1.0-ISS-ISPIM-VA-FP0008&mhsrc=ibmsearch_a&product=ibm%2FTivoli%2FIBM%20Security%20Privileged%20Identity%20Manager&source=dbluesearch&function=fixId&parent=IBM%20Security>) \nIBM Security Privileged Identity Manager | 2.0.2 - 2.0.2.10 | [_2.0.2-ISS-ISPIM-VA-FP0011_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Privileged+Identity+Manager&release=2.0.2&platform=Linux&function=fixId&fixids=2.0.2-ISS-ISPIM-VA-FP0011&includeRequisites=1&includeSup&login=true>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-02T02:10:01", "type": "ibm", "title": "Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2019-07-02T02:10:01", "id": "0E703A42B01F9DF3E0FEC04EEA4F7733F5A313C86865501C0F8A79378E425C34", "href": "https://www.ibm.com/support/pages/node/871366", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:49:30", "description": "## Summary\n\nGSKit is an IBM component that is used by IBM Personal Communications. The GSKit that is shipped with IBM Personal Communications contains multiple security vulnerabilities. IBM Personal Communications has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nIBM Personal Communications 12.0, 12.0.0.1, 12.0.1, 12.0.2, 12.0.3\n\n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation_ \n---|---|--- \nIBM Personal Communications | 12.0 | [Upgrade to Personal Communications 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=12.0.4&platform=Windows&function=all>) \nIBM Personal Communications | 12.0.0.1 | [Upgrade to Personal Communications 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=12.0.4&platform=Windows&function=all>) \nIBM Personal Communications | 12.0.1.0 | [Upgrade to Personal Communications 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=12.0.4&platform=Windows&function=all>) \nIBM Personal Communications | 12.0.2.0 | [Upgrade to Personal Communications 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=12.0.4&platform=Windows&function=all>) \nIBM Personal Communications | 12.0.3.0 | [Upgrade to Personal Communications 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=12.0.4&platform=Windows&function=all>) \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-30T17:22:28", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM GSKit affect IBM Personal Communications", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-07-30T17:22:28", "id": "2614071BF8D5B0482694D82BE1651280FCE95089D3BF507FE1CD1ED3591D2446", "href": "https://www.ibm.com/support/pages/node/717437", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:48:27", "description": "## Summary\n\nGSKit is shipped with IBM Tivoli Network Manager IP Edition. Information about security vulnerabilities affecting GSKit has been published here. 
\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli Network Manager IP Edition 3.9, 4.1.1 and 4.2\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)** | **Remediation/Fix** \n---|--- \nIBM Tivoli Network Manager IP Edition 3.9 | [IJ08382.PlatformAll.3.9.0.132 on Fix Central](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=IJ08382.PlatformAll.3.9.0.132&source=SAR>) \nIBM Tivoli Network Manager IP Edition 4.1.1 | 
[IJ08382.Linux.4.1.1.49 on Fix Central](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=IJ08382.Linux.4.1.1.49&source=SAR>) \nIBM Tivoli Network Manager IP Edition 4.2 | [ITNM 4.2 FP005 on Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Network+Manager+IP+Edition&release=4.2.0.4&platform=All&function=all>) \n\n**Please also note the [end of support announcement](<http://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/8/897/ENUS917-138/index.html&lang=en&request_locale=en>) from 12 September 2017 for selected Netcool product versions. You can find detailed information on whether the product version installed in your environment is affected by this end of service announcement by following the [Netcool End of Support Knowledge Collection](<https://www-01.ibm.com/support/entdocview.wss?uid=swg22009231>). If your product version is affected, IBM recommends upgrading to the latest supported version of your product. 
Please contact your IBM account manager for any question you might have or for any assistance you may require for upgrading an end of service announced offering.**\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-14T16:21:16", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in GSKit, which is shipped with IBM Tivoli Network Manager IP Edition.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-08-14T16:21:16", "id": "CC714D6CB93526CA67C3B1AF953783F7648CF4A4936616886992C0290C5D5B18", "href": "https://www.ibm.com/support/pages/node/720265", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:41:17", "description": "## Summary\n\nTXSeries for Multiplatforms has addressed the following vulnerabilities: CVE-2018-1426, CVE-2018-1427, CVE-2018-1428, CVE-2017-3736, CVE-2017-3732, CVE-2016-0705\n\n## Vulnerability Details\n\n 
**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**Affected TXSeries for Multiplatforms** | **Affected Versions** \n---|--- \nTXSeries for Multiplatforms | 9.1 \nTXSeries for Multiplatforms | 8.2 \nTXSeries for Multiplatforms | 8.1 \nTXSeries for Multiplatforms | 7.1 \n\n## Remediation/Fixes\n\n**Product** | VRMF | APAR | Remediation / First Fix \n---|---|---|--- \nTXSeries for Multiplatforms | 9.1 | The updated GSKit has been made available on Fix Central as a special fix. Fix ID: TXSeriesV91-SpecialFix_GSKit | [TXSeriesV91-SpecialFix_GSKit on Fix Central](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=9.1.0.0&platform=All&function=fixId&fixids=TXSeriesV91-SpecialFix_GSKit&includeSupersedes=0&source=fc>) \nTXSeries for Multiplatforms | 8.2 | The updated GSKit has been made available on Fix Central as fix packs. AIX: 8.2.0.2-TXSeries-AIX-FixPack2; Linux x86: 8.2.0.2-TXSeries-Linux-FixPack2; Windows: 8.2.0.2-TXSeries-WINDOWS-FixPack2; HP-UX IA64: 8.2.0.2-TXSeries-HPUX-IA64-FixPack2 | [8.2.0.2 fix packs on Fix Central](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=8.2.0.2&platform=All&function=all&source=fc>) \nTXSeries for 
Multiplatforms | 8.1 | The updated GSKit has been made available on Fix Central as a special fix. Fix ID: TXSeriesV81-SpecialFix_GSKit | [TXSeriesV81-SpecialFix_GSKit on Fix Central](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=8.1.0.0&platform=All&function=fixId&fixids=TXSeriesV81-SpecialFix_GSKit&includeSupersedes=0&source=fc>) \nTXSeries for Multiplatforms | 7.1 | The updated GSKit has been made available on Fix Central as a special fix. Fix ID: TXSeriesV71-SpecialFix_GSKit | [TXSeriesV71-SpecialFix_GSKit on Fix Central](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%20software&product=ibm/WebSphere/TXSeries+for+Multiplatforms&release=7.1.0.6&platform=All&function=fixId&fixids=TXSeriesV71-SpecialFix_GSKit&includeSupersedes=0&source=fc>) \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: TXSeries for Multiplatforms is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-08-03T04:23:43", "id": "5711509DD871227FC9F7CD530DA0E06F21DDA1D522E7B1C76AC95D3AD5F6BC07", "href": "https://www.ibm.com/support/pages/node/571623", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:03:02", "description": "## Summary\n\nGSKit is an IBM component that is used by Host On-Demand. GSKit that is shipped with Host On-Demand contains multiple security vulnerabilities .Host On-Demand has addressed the applicable CVEs. \n\n## Vulnerability Details\n\n**CVEID:**[CVE-2018-1426](<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2018-1426&data=02%7C01%7Cbohra.d%40hcl.com%7C31a6b9cf7d1245a3437108d58b6e8972%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636568229252985383&sdata=M5qIAIZRv2pwFj4070mAqPKwBYv5Bp9VtctmJnCT4WI%3D&reserved=0>) \n**DESCRIPTION:**IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See[https://exchange.xforce.ibmcloud.com/vulnerabilities/139071](<https://apac01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexchange.xforce.ibmcloud.com%2Fvulnerabilities%2F139071&data=02%7C01%7Cbohra.d%40hcl.com%7C31a6b9cf7d1245a3437108d58b6e8972%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636568229252985383&sdata=gPpF21vx%2B1dcHum0GrEhHWKdNKwzOiAkonlrXlLz9bU%3D&reserved=0>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:**[CVE-2018-1427](<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2018-1427&data=02%7C01%7Cbohra.d%40hcl.com%7C31a6b9cf7d1245a3437108d58b6e8972%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636568229252985383&sdata=QC7ESqmyHvgI5ow8l6ZxreJZylEikfBAvbni3NbXhNo%3D&reserved=0>) \n**DESCRIPTION:**IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See[https://exchange.xforce.ibmcloud.com/vulnerabilities/139072](<https://apac01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexchange.xforce.ibmcloud.com%2Fvulnerabilities%2F139072&data=02%7C01%7Cbohra.d%40hcl.com%7C31a6b9cf7d1245a3437108d58b6e8972%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636568229252985383&sdata=IJsptD8OiwisaEdw78jCGaMlASeDAKjjamr24c8rq2U%3D&reserved=0>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:**[CVE-2018-1428](<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2018-1428&data=02%7C01%7Cbohra.d%40hcl.com%7C31a6b9cf7d1245a3437108d58b6e8972%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636568229252985383&sdata=CdBNWfAS3cJbT5Td72wTBP1LgwUj9Nok%2FUmprLP2DsU%3D&reserved=0>) \n**DESCRIPTION:**IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See[https://exchange.xforce.ibmcloud.com/vulnerabilities/139073](<https://apac01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexchange.xforce.ibmcloud.com%2Fvulnerabilities%2F139073&data=02%7C01%7Cbohra.d%40hcl.com%7C31a6b9cf7d1245a3437108d58b6e8972%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636568229252985383&sdata=Ww6SrhAO8kTTKTgAuU8SA9OO6UfEYFcRrHPtNQPA1bc%3D&reserved=0>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:**[CVE-2017-3736](<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2017-3736&data=02%7C01%7Cbohra.d%40hcl.com%7C31a6b9cf7d1245a3437108d58b6e8972%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636568229252985383&sdata=oBEwXm%2B9EjdT6LXbWoTv05s4DUQ%2FowzLWM96LrtT13g%3D&reserved=0>) \n**DESCRIPTION:**OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. 
An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nHost On-Demand 13.0 \n\nHost On-Demand 12.0, 12.0.0.1, 12.0.1, 12.0.2, 12.0.3\n\n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation_ \n---|---|--- \nHost On-Demand | 12.0 | [Upgrade to Host On-Demand 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=12.0.4&platform=All&function=all>) \nHost On-Demand | 12.0.0.1 | [Upgrade to Host On-Demand 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=12.0.4&platform=All&function=all>) \nHost On-Demand | 12.0.1 | [Upgrade to Host On-Demand 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=12.0.4&platform=All&function=all>) \nHost On-Demand | 12.0.2 | [Upgrade to Host On-Demand 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=12.0.4&platform=All&function=all>) \nHost On-Demand | 12.0.3 | [Upgrade to Host On-Demand 12.0.4](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=12.0.4&platform=All&function=all>) \nHost On-Demand | 13.0 | [Upgrade to Host On-Demand 
13.0.1](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=13.0.1&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n13 July 2018: Original version published \n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Product\":{\"code\":\"SSS9FA\",\"label\":\"IBM Host On-Demand\"},\"Component\":\"GSKit\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"12.0.0;12.0.0.1;12.0.1;12.0.2;12.0.3;13.0.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB35\",\"label\":\"Mainframe SW\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-01T16:04:04", "type": "ibm", "title": "Security Bulletin : Multiple 
vulnerabilities in\u00a0IBM GSKit affect\u00a0IBM Host On-Demand.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-08-01T16:04:04", "id": "BC7F561FAB80D5D0A48021AB45201595C02030C9CECEBEB548DFB50B6376384A", "href": "https://www.ibm.com/support/pages/node/716977", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-23T21:39:12", "description": "## Summary\n\nIBM Informix Client SDK has addressed the issues reported for the following GSKIT vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected IBM Informix Dynamic Server** | **Affected Versions** \n---|--- \nIBM Informix Client Software Development Kit | 4.10.xC1 through 4.10.xC12 \n \n## Remediation/Fixes\n\nUpgrade to 4.10.xC13\n\n**Product** | **VRMF** | **Remediation / First Fix** \n---|---|--- \nIBM Informix Client Software Development Kit | 4.10.xC13 | [Fix Central](<https://www-945.ibm.com/support/fixcentral>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-07T15:25:06", "type": "ibm", "title": "Security Bulletin: IBM Informix Client SDK is affected by GSKIT vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2020-12-07T15:25:06", "id": "EFC96C84FC6627E09277E1FB61859CD2CA1859DFD91107C5D299A533D68503BF", "href": "https://www.ibm.com/support/pages/node/964993", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:43:58", "description": "## Summary\n\nVulnerabilities in IBM GSKit and IBM GSKit-Crypto affect IBM Performance Management products.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Monitoring 8.1.3 \nIBM Advanced Diagnostics 8.1.3 \nIBM Application Performance Management 8.1.3 \nIBM Application Performance Management Advanced 8.1.3 \nIBM Application Performance Management, Base Private 8.1.4 \nIBM Application Performance Management, Advanced Private 8.1.4\n\n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation_ \n---|---|--- \nIBM Monitoring; IBM Application Diagnostics; IBM Application Performance Management; IBM Application Performance Management Advanced | _8.1.3_ | The vulnerabilities can be remediated by applying the following 8.1.3.0-IBM-IPM-SERVER-IF0012 server patch to the system where the Performance Management server is installed: [http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003854](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003854>) \nIBM Cloud Application Performance Management Base Private; IBM Cloud Application Performance Management Advanced Private | _8.1.4_ | The vulnerability can be remediated by applying the following 8.1.4.0-IBM-APM-SERVER-IF0004 server patch to the system where the Cloud APM server is installed: 
[http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003783](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003783>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:51:29", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM GSKit and IBM GSKit-Crypto affect IBM Performance Management products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-06-17T15:51:29", "id": "F90FD904FE2AD66DEF4FDDFD5D99DDE1F5E9A79893EE2F3ADB1619E2F648B6FC", "href": "https://www.ibm.com/support/pages/node/570497", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:02:38", "description": "## Summary\n\nIBM Algo One Core has addressed the following vulnerabilities: CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1428, CVE-2018-1427, and CVE-2018-1426.\n\n## Vulnerability Details\n\n**Relevant CVE Information:**\n\n**CVEID:** 
[_CVE-2016-0705_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-3732_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1426_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded, which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Products and Versions\n\nIBM Algo One Core 5.0.0, 5.1.0\n\n## Remediation/Fixes\n\n**Product Name** | **iFix Name** | **Remediation/First Fix** \n---|---|--- \nIBM Algo One Core | 510-371 | [Fix Central Download](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.1.0.0-Algo-One-AlgoCore-if0371:0&includeSupersedes=0&source=fc&login=true>) \nIBM Algo One Core | 500-403 | [Fix Central Download](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-AlgoCore-if0403:0&includeSupersedes=0&source=fc&login=true>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response 
Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSHKAP\",\"label\":\"Algo One\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Algo Core\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"5.1.0;5.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-22T01:40:32", "type": "ibm", "title": "Security Bulletin: Algo One Core is affected by GSKit vulnerabilities.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428"], "modified": "2018-06-22T01:40:32", "id": "9872D764206750F6FD9C7F555D6B4C23926B755B4AE368CDD8485546CDEBC462", "href": 
"https://www.ibm.com/support/pages/node/711803", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:42:09", "description": "## Summary\n\nWebSphere Application Server is shipped with Predictive Customer Intelligence. Information about security vulnerabilities affecting WebSphere Application Server has been published in security bulletins.\n\n## Vulnerability Details\n\nPlease consult the security bulletins:\n\n[Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server (CVE-2012-5783)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>),\n\n[Security Bulletin: Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016887>),\n\n[Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>),\n\n[Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>)\n\nfor vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence versions 1.0, 1.0.1, 1.1, 1.1.1, 1.1.2\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server, which is shipped with Predictive Customer Intelligence.\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version | Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1 | WebSphere Application Server 8.5.5 | [Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server (CVE-2012-5783)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>); [Security Bulletin: Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016887>); [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>); [Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>) \nPredictive Customer Intelligence 1.1 and 1.1.1 | WebSphere Application Server 8.5.5.6 | [Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server (CVE-2012-5783)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>); [Security Bulletin: Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016887>); [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>); [Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>) \nPredictive Customer Intelligence 1.1.2 | WebSphere Application Server 9.0.0.4 | [Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server (CVE-2012-5783)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>); [Security Bulletin: Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016887>); [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>); [Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: Security Vulnerabilities have been Identified in Websphere Application Server Shipped with Predictive Customer Intelligence (CVE-2012-5783, CVE-2018-1614, CVE-2014-0114, CVE-2015-0899)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5783", "CVE-2014-0114", "CVE-2015-0899", "CVE-2018-1614"], "modified": "2020-02-11T21:31:00", "id": "0F8C9B43069C04EF8D42F75FA8D42A5837D2A01F1B45F132DD6CE116C7562B83", "href": "https://www.ibm.com/support/pages/node/715391", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-13T01:33:47", "description": "## Summary\n\nIBM Security SiteProtector System has addressed the following vulnerabilities in GSKit. 
\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [CVE-2018-1427](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [CVE-2018-1426](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected IBM Security SiteProtector System | Affected Versions \n---|--- \nIBM Security SiteProtector System | 3.0.0 \nIBM Security SiteProtector System | 3.1.1 \n \n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation/First Fix_ \n---|---|--- \nIBM Security SiteProtector System | 3.1.1.16 | \n\nApply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:\n\nServicePack3_1_1_16.xpu \nAgentManager_WINNT_XXX_ST_3_1_1_52.xpu \nRSEvntCol_WINNT_XXX_ST_3_1_1_10.xpu \nDB_SP_3_1_1_65.xpu \nUpdateServer_3_1_1_11.pkg \nMU_3_1_1_8.xpu \nManualUpgrader_3_1_1_8.exe \nCertificateManagerTools_3_1_1_6.exe \nEventArchiver_3_1_1_7.pkg \nEventArchiverImporter_3_1_1_7.exe \nConsole-Setup.exe \n \nIBM Security SiteProtector System | 3.0.0.19 | \n\nApply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:\n\nServicePack3_0_0_19.xpu \nAgentManager_WINNT_XXX_ST_3_0_0_83.xpu \nRSEvntCol_WINNT_XXX_ST_3_0_0_16.xpu \nDB_SP_3_0_0_82.xpu \nUpdateServer_3_1_1_11.pkg \nMU_3_1_1_8.xpu \nManualUpgrader_3_1_1_8.exe \nCertificateManagerTools_3_1_1_6.exe \nEventArchiver_3_1_1_7.pkg \nEventArchiverImporter_3_1_1_7.exe \nConsole-Setup.exe \n \nAlternatively, the packages can be manually obtained from the IBM Security License Key and Download Center using the following URL: \n \n<https://ibmss.flexnetoperations.com/service/ibms/login>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-07-19T08:30:38", "type": "ibm", "title": "Security Bulletin: IBM Security SiteProtector System is affected by GSKit vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-07-19T08:30:38", "id": "23BA9E1A95485FDA5113C5A985FFBA48AD2E78665BA734F9E465CCC361105BD6", "href": "https://www.ibm.com/support/pages/node/713561", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T05:48:17", "description": "## Summary\n\nVulnerabilities have been addressed in the GSKit component of IBM Rational ClearQuest.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**ClearQuest version** | **Status** \n---|--- \n8.0 through 8.0.0.21 | Affected \n8.0.1 through 8.0.1.16 | Affected \n9.0 through 9.0.0.6 | Affected \n9.0.1 through 9.0.1.2 | Affected \n \n**ClearQuest CM Server release** | **Status** \n---|--- \n8.0 through 8.0.0.21 | Affected \n8.0.1 through 8.0.1.16 | Affected \n9.0 through 9.0.0.6 | Affected \n9.0.1 through 9.0.1.2 | Affected \n \n**ClearQuest CM Server:** \nAll platforms of the indicated releases. \n \nYou are vulnerable if you configure Rational ClearQuest to use LDAP authentication with secure sockets connections. 
\n\n## Remediation/Fixes\n\n**Note:** After applying the fixes as noted below, please refer to this document [_http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html_](<http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html>) for information concerning password re-stashing. It is advised that you re-stash your password due to CVE-2018-1447 after you apply the fixes. \n \nThe solution is to upgrade to a newer fix pack or release of ClearQuest, and to apply fixes for IBM HTTP Server (IHS). \n \n**Affected Versions** | **Fixes** \n---|--- \n9.0.1 through 9.0.1.2; 9.0 through 9.0.0.6 | Install [Rational ClearQuest Fix Pack 3 (9.0.1.3) for 9.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044200>) \n8.0.1 through 8.0.1.16; 8.0 through 8.0.0.21 | Install [Rational ClearQuest Fix Pack 17 (8.0.1.17) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24044198>) \n \n**ClearQuest CM Server:** \nApply an IHS fix for the issue: \n\n 1. Determine the IHS version used by your ClearQuest CM server. Navigate to the IBM HTTP Server installation directory (typically `/opt/ibm/HTTPServer` or `C:\\Program Files (x86)\\IBM\\HTTPServer`), then execute the script: `bin/versionInfo.sh` (UNIX) or `bin\\versionInfo.bat` (Windows). The output includes a section \"IBM HTTP Server for WebSphere Application Server\". Make note of the version listed in this section.\n 2. Review the following IHS security bulletin for the available fixes: [Security Bulletin: Multiple vulnerabilities GSKit bundled with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>). **Note:** there may be newer security fixes for IBM HTTP Server. 
Follow the link above (in the section \"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:26:53", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in GSKit shipped with IBM ClearQuest (CVE-2016-0702, CVE-2018-1447, CVE-2018-1427, CVE-2016-0705)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2018-1427", "CVE-2018-1447"], "modified": "2018-06-17T05:26:53", "id": "DBEBF5B229C8DE6CB3D8A210AACEF003D3ABB0F69D7078FE103C643B2D8909C5", "href": "https://www.ibm.com/support/pages/node/569381", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:41:59", "description": "## Summary\n\nVulnerabilities found in several components have been addressed in IBM Planning Analytics 2.0.5. \n \nThere are vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 7. These issues were disclosed as part of the IBM Java SDK updates in October 2017. 
\n \nMultiple vulnerabilities affect components consumed by IBM Planning Analytics including: OpenSSL, IBM SDK for Node.js, IBM GSKit and IBM WAS Liberty. \n \nAn XSS vulnerability where detailed information can be revealed in a TM1Web JSP error page has also been addressed. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0702_](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-1681_](<https://vulners.com/cve/CVE-2017-1681>) \n**DESCRIPTION:** IBM WebSphere Application Server (IBM Liberty for Java for Bluemix 3.15) could allow a local attacker to obtain sensitive information, caused by improper handling of application requests, which could allow unauthorized access to read a file. IBM X-Force ID: 134003. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134003_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134003>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3738_](<https://vulners.com/cve/CVE-2017-3738>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. 
\nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/136078_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136078>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n \n**CVEID:** [_CVE-2017-10356_](<https://vulners.com/cve/CVE-2017-10356>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/133785_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/133785>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** _[CVE-2018-1676](<https://vulners.com/cve/CVE-2018-1676>)_ \n**DESCRIPTION:** IBM Planning Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145118> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2018-1426_](<https://vulners.com/cve/CVE-2018-1426>) \n**DESCRIPTION:** IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. 
\nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. 
\nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Planning Analytics Local 2.0.4\n\nIBM Planning Analytics Local 2.0.3\n\nIBM Planning Analytics Local 2.0.2\n\nIBM Planning Analytics Local 2.0.1\n\nIBM Planning Analytics Local 2.0.0\n\n## Remediation/Fixes\n\nPlease upgrade to [IBM Planning Analytics 2.0.5 ](<http://www.ibm.com/support/docview.wss?uid=swg24044955>) \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2020-02-24T07:27:10", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities exist in IBM Planning Analytics Local", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0701", "CVE-2016-0702", "CVE-2017-10356", "CVE-2017-1681", "CVE-2017-3732", "CVE-2017-3736", "CVE-2017-3738", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", 
"CVE-2018-1447", "CVE-2018-1676"], "modified": "2020-02-24T07:27:10", "id": "B7FF1129A02D2738AED73A8C157F3D6D872B530527C875906B3678301D70ECBB", "href": "https://www.ibm.com/support/pages/node/715229", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T21:47:58", "description": "## Summary\n\nWebSphere DataPower Appliances has addressed the following vulnerabilities: \nCVE-2018-1447 \nCVE-2018-1388 \nCVE-2016-0702 \nCVE-2016-0705 \nCVE-2017-3732 \nCVE-2017-3736 \nCVE-2018-1428\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-1447](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1388](<https://vulners.com/cve/CVE-2018-1388>) \n**DESCRIPTION:** GSKit V7 may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding. \nCVSS Base Score: 9.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138212> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n**CVEID:** [CVE-2016-0702](<https://vulners.com/cve/CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111144> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-0705](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1428](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected WebSphere DataPower Appliances | Affected Versions \n---|--- \nIBM DataPower Gateway | 7.1.0.0 - 7.1.0.23 \nIBM DataPower Gateway | 7.2.0.0 - 7.2.0.21 \nIBM DataPower Gateway | 7.5.0.0 - 7.5.0.15 \nIBM DataPower Gateway | 7.5.1.0 - 7.5.1.14 \nIBM DataPower Gateway | 7.6.0.0 - 7.6.0.7 \nIBM DataPower Gateway | 7.5.2.0 - 7.5.2.14 \nIBM DataPower Gateway CD | 7.7.0.0 - 7.7.1.0 \n \n## Remediation/Fixes\n\nProduct | VRMF | APAR | Remediation / First Fix \n---|---|---|--- \nIBM DataPower Gateway | 7.5.0.16 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway | 7.5.1.15 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway | 7.5.2.15 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway | 7.6.0.8 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway CD | 7.7.1.1 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway | 7.1.0.22 | IT25640 | [APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \nIBM DataPower Gateway | 7.2.0.24 | IT25640 | 
[APAR IT25640](<http://www-01.ibm.com/support/docview.wss?uid=swg1IT25640>) \n \nFor IBM DataPower Gateway version 7.0 and below, IBM recommends upgrading to a fixed, supported version of the product.\n\n## Workarounds and Mitigations\n\nNone\n\n## Monitor IBM Cloud Status for Future Security Bulletins\n\nMonitor the [security notifications](<https://cloud.ibm.com/status?selected=security>) on the IBM Cloud Status page to be advised of future security bulletins.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n13 August 2018: Original version published \n11 September: Fix typo in summary\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SS9H2Y\",\"label\":\"IBM DataPower Gateway\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF009\",\"label\":\"Firmware\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-11T13:21:30", "type": "ibm", "title": "Security Bulletin: WebSphere DataPower Appliances is affected by multiple issues", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1388", "CVE-2018-1428", "CVE-2018-1447"], "modified": 
"2018-09-11T13:21:30", "id": "072EBEFE4EF574F4A87AC95BEA1237C43CF6D39DDD94C6BD9B965A322BB8CD15", "href": "https://www.ibm.com/support/pages/node/726039", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:50:05", "description": "## Summary\n\nContent Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections have addressed multiple GSKit and GSKit-Crypto vulnerabilities. Details of the vulnerabilities are given below. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n \n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nContent Collector for Email 3.0 - 4.0.1 \nContent Collector for File Systems 3.0 - 4.0.1 \nContent Collector for Microsoft SharePoint 3.0 - 4.0.1 \nContent Collector for IBM Connections 3.0 - 4.0.1\n\n## Remediation/Fixes\n\nApply the interim fix that corresponds to the installed fix pack level:\n\n**Product** | **VRM** | **Remediation** \n---|---|--- \nContent Collector for Email | 3.0 - 4.0.1 | 3.0.0.6: [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=3.0.0.6-IBM-ICC-Server-IF004&source=SAR>); 4.0.0.4: [Interim Fix 001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.0.4-IBM-ICC-IF001&source=SAR>); 4.0.1.8: [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.8-IBM-ICC-IF004&source=SAR>) \nContent Collector for File Systems | 3.0 - 4.0.1 | 3.0.0.6: [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=3.0.0.6-IBM-ICC-Server-IF004&source=SAR>); 4.0.0.4: [Interim Fix 001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.0.4-IBM-ICC-IF001&source=SAR>); 4.0.1.8: [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.8-IBM-ICC-IF004&source=SAR>) \nContent Collector for Microsoft SharePoint | 3.0 - 4.0.1 | 3.0.0.6: [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=3.0.0.6-IBM-ICC-Server-IF004&source=SAR>); 4.0.0.4: [Interim Fix 001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.0.4-IBM-ICC-IF001&source=SAR>); 4.0.1.8: [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.8-IBM-ICC-IF004&source=SAR>) \nContent Collector for IBM Connections | 3.0 - 4.0.1 | 3.0.0.6: [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=3.0.0.6-IBM-ICC-Server-IF004&source=SAR>); 4.0.0.4: [Interim Fix 001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.0.4-IBM-ICC-IF001&source=SAR>); 4.0.1.8: [Interim Fix 004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.8-IBM-ICC-IF004&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-12T10:16:52", "type": "ibm", "title": "Security Bulletin: Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections is affected by GSKit and GSKit-Crypto vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3732", "CVE-2018-1447"], "modified": "2018-07-12T10:16:52", "id": "33E618FFA988ABAF1F8980465E0C050DDAE38F327AE61E58375E39344D009142", "href": "https://www.ibm.com/support/pages/node/715203", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:45:25", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 8.5.15 used by Rational Asset Analyzer. Rational Asset Analyzer has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3736](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-3732](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**Product** | **Affected Versions** \n---|--- \nRational Asset Analyzer | 6.1.0.0 - 6.1.0.18 \n \n## Remediation/Fixes\n\n**Product** | **VRMF** | **APAR** | **Remediation / First Fix** \n---|---|---|--- \nRational Asset Analyzer | 6.1.0.19 | - | [RAA 6.1 Fix Pack 19](<http://www-01.ibm.com/support/docview.wss?uid=swg27021389>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-01T05:35:01", "type": "ibm", "title": "Security Bulletin: There are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 8.5.15 used by Rational Asset Analyzer. 
Rational Asset Analyzer has addressed the applicable CVEs.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3732", "CVE-2017-3736"], "modified": "2018-12-01T05:35:01", "id": "9CCEB90B89301ED91DF7A501EF3103FD54D3AD611D342CF6E4B19E5105E84E35", "href": "https://www.ibm.com/support/pages/node/743097", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:45:02", "description": "## Summary\n\nStruts v2 vulnerabilities affect IBM Security Guardium. IBM Security Guardium has addressed the following vulnerabilities. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. 
An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\n**Affected IBM Security Guardium** | **Affected Versions** \n---|--- \nIBM Security Guardium | 10.0 - 10.5 \n \n## Remediation/Fixes\n\n**Product** | **VRMF** | **Remediation / First Fix** \n---|---|--- \nIBM Security Guardium | 10.0 - 10.5 | [SqlGuard_10.0p600_GPU_Nov-2018-V10.6](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-12-13T20:35:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Security Guardium (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-12-13T20:35:01", "id": "F5BAF336C0FFA1A9715652B899383A9C6D730D8ADE9E07CAD68C90971C7F8249", "href": "https://www.ibm.com/support/pages/node/741659", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:51:13", "description": "## Summary\n\nStruts v2 vulnerabilities affect IBM Security Identity Manager. IBM Security Identity Manager has addressed the applicable CVEs. \n \nThese issues were also addressed by IBM WebSphere Application Server, which is shipped with IBM Security Identity Manager. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. 
\nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Security Identity Manager version 6.0\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** \n---|--- \nIBM Security Identity Manager version 6.0 | Apply fixes from Identity Manager and WebSphere Application Server \n \nIBM Security Identity Manager (ISIM) [6.0.0-ISS-SIM-FP0015](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FTivoli+Identity+Manager&fixids=6.0.0-ISS-SIM-FP0015&source=SAR&function=fixId&parent=IBM%20Security>) \n \nIBM WebSphere Application Server 7.0, 8.0, 8.5 and 8.5.5 - [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:47:37", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Security Identity Manager (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:47:37", "id": "C24D4FCC97FD95E90382A4216040099F16203ABF61AF30281EF1C2E136253A42", "href": "https://www.ibm.com/support/pages/node/555339", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:52:19", "description": "## Summary\n\nMultiple vulnerabilities have been identified in Apache Struts, which is embedded in the IBM FSM. This bulletin addresses these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. 
\nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nFlex System Manager 1.3.4.0 \nFlex System Manager 1.3.3.0 \nFlex System Manager 1.3.2.1 \nFlex System Manager 1.3.2.0\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM using the instructions referenced in this table. \n \n**WARNING:** If an early version (fix downloaded before 4/19/2017) of the fix listed below was installed, the brand information on the FSM login screen will be displayed as \"IBM Systems Director\". This branding issue will not cause any functional FSM issues. The correct FSM branding can be restored by downloading the current version of the fix (the release date of the fix listed in the table is 4/26/2017 or later), reinstalling the current version of the fix and restarting the FSM. 
\n \nProduct | VRMF | Remediation \n---|---|--- \nFlex System Manager | 1.3.4.0 | Install [fsmfix1.3.4.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811](<https://www.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.4.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \nFlex System Manager | 1.3.3.0 | Install [fsmfix1.3.3.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811](<https://www.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.3.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \nFlex System Manager | 1.3.2.1, 1.3.2.0 | Install [fsmfix1.3.2.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811](<https://www.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.2.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \n \nFor all VRMF not listed in this table, IBM recommends upgrading to a fixed and supported version/release of the product. 
\n \nFor a complete list of FSM security bulletins refer to this technote: [http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E](<http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-18T01:35:37", "type": "ibm", "title": "Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple Struts vulnerabilities (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-18T01:35:37", "id": "3C630E87CC8A98E980FC5838CF94096C676B99FA65014F79A0F1057053EEB9E0", "href": "https://www.ibm.com/support/pages/node/630955", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:41:39", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. 
Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server/CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:** This vulnerability affects only the CCRC WAN server component. \n**Versions 7.1.x.x:** Not affected.\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearCase. \n \n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x | IBM WebSphere Application Server versions 8.5.5 Full Profile, 8.5 Full Profile, 8.0, 7.0 | [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \n**ClearCase Versions** | **Applying the fix** \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x | Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. 
\n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearCase (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-07-10T08:34:12", "id": "2DD38E427DB50FDA5C4D07F52BDC62BA35206BA44BC185595E39ACAE88DD41C5", "href": "https://www.ibm.com/support/pages/node/284237", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:01", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. 
Information about the security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v7.5 \nWebSphere Enterprise Service Bus Registry Edition v7.0 and v7.5\n\n## ", "cvss3": {}, "published": "2018-06-15T07:05:57", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Enterprise Service Bus (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:05:57", "id": "4C800D760232A012AE25AED7F8AFCFF9E3EF3D9D48D3614E764CC6588F221519", "href": "https://www.ibm.com/support/pages/node/284105", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:51:23", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Partner Gateway. 
Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s) | Product and Version shipped as a component \n---|--- \nWebSphere Partner Gateway Advanced/Enterprise Edition 6.2.1.4 | WebSphere Application Server 7.0 and 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-16T20:02:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Partner Gateway Advanced/Enterprise Edition (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T20:02:09", "id": "AAE50909D8058934D5CCB989B4CEA17B72CABD2BC4CF08576581EC909FE087A7", "href": "https://www.ibm.com/support/pages/node/284941", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:51:14", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Security Policy Manager. 
Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nProduct Version | WebSphere version \n---|--- \nTivoli Security Policy Manager 7.1 | WebSphere Application Server 7.0 and 8.0 \nTivoli Security Policy Manager 7.0 | WebSphere Application Server 7.0 \n \n## Remediation/Fixes\n\nIBM Tivoli Security Policy Manager (TSPM) is affected through IBM WebSphere Application Server. If you are running TSPM with one of the affected versions of WebSphere, update your IBM WebSphere Application Server with the appropriate Interim Fix based on information in the WebSphere security bulletin ([Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>)).\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:46:38", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:46:38", "id": "6F2C088BF5D78FB804760981ACFE38C9CC104BC5F9390812E5D324682512AD45", "href": "https://www.ibm.com/support/pages/node/552249", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:45:10", "description": "## Summary\n\nIBM WebSphere Application Server v7.0 is shipped as a component of IBM Integrated Information Core. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** \n---|--- \nIBM Integrated Information Core V1.5, V1.5.0.1 and V1.5.0.2 | IBM WebSphere Application Server v7.0 \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>). 
Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T22:28:33", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server that is shipped with IBM Integrated Information Core (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T22:28:33", "id": "EA4BC9A6E1BC28B39AE0C360DA599139777EC05EDFDC5120E91AC3051300D3E7", "href": "https://www.ibm.com/support/pages/node/284009", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:34", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Workload Deployer. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nConsult the security bulletin [_Vulnerabilities in Apache Struts affects IBM WebSphere Application Server_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Workload Deployer 3.1.0.7| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:06:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts has been identified in IBM WebSphere Application Server shipped with IBM Workload Deployer (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:02", "id": "12780044E1A62D25F913723FBCBD5B926E91CC9AC8CA8FAA1DCE18D02D152689", "href": "https://www.ibm.com/support/pages/node/547901", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:39:08", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearQuest. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\nThis vulnerability affects only the server component.\n\n**Versions 7.1.x.x:**\n\nNot affected.\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server versions 8.5.5 Full Profile, 8.5 Full Profile, 8.0, 7.0| [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \n**ClearQuest Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x| Apply the appropriate WebSphere Application Server fix directly to your CQ server host. No ClearQuest-specific steps are necessary. \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-02-04T16:40:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearQuest (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": 
"2020-02-04T16:40:40", "id": "A4FDFC527D8A765D6247DDB806EE98612DA0FE7BCB4E133A742D7FA9A06E39DC", "href": "https://www.ibm.com/support/pages/node/284305", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:27", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting eWAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebGUI 7.4.0 GA and FP| embedded Websphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T15:25:58", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in embedded IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:25:58", "id": "F9A935F07F0C2592550406829A333AA17FFA9DE5B312BF55A008E03FEAC4C43E", "href": "https://www.ibm.com/support/pages/node/284185", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:38:48", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Predictive Customer Intelligence. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPredictive Customer Intelligence 1.0| WebSphere Application Server 8.5.5 ND \nPredictive Customer Intelligence 1.0.1| WebSphere Application Server 8.5.5 ND \nPredictive Customer Intelligence 1.1| WebSphere Application Server 8.5.5.6 ND \nPredictive Customer Intelligence 1.1.1| WebSphere Application Server 8.5.5.6 ND \n \n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| WebSphere Application Server 8.5.5| [_Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \nPredictive Customer Intelligence 1.1 and 1.1.1| WebSphere Application Server 8.5.5.6| [_Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and 
CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Predictive Customer Intelligence (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2020-02-11T21:31:00", "id": "C270008C47088F4AB45570D101436BB116E08F304CC36AF51E0823C68AFCAAE8", "href": "https://www.ibm.com/support/pages/node/284795", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:35", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. 
Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5 \nNote that IBM Tivoli System Automation Application Manager 3.2.2, 3.2.1, and 3.2.0 are not affected. \n\n## Remediation/Fixes\n\nYou need to install the corresponding APAR from WebSphere Application Server. Please follow the instructions on this link: [_http://www-01.ibm.com/support/docview.wss?uid=swg21985995_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>). Please see section \u201cAffected Products and Versions\u201d in this bulletin on details which fix of WebSphere Application Server applies to your version of IBM Tivoli System Automation Application Manager.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-17T15:25:57", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:25:57", "id": "65DC12D6E8E0D53E6ED0AF1F356647C749F500509AAE6E4435FC95F00517F01C", "href": "https://www.ibm.com/support/pages/node/284137", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:48:03", "description": "## Summary\n\n \nIBM WebSphere Application Server is shipped as a component of IBM Content Manager Records Enabler. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n\n## Vulnerability Details\n\n \nPlease consult the security bulletin [_Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n \nIBM Content Manager Records Enabler 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \n \nIBM Content Manager Records Enabler 8.5.0.6 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \n \nIBM Content Manager Records Enabler 8.5.0.7 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Content Manager Records Enabler (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:17", "id": "FFF1402575E7BE1F32E231DF470BEDA94544D3C346FFE024F98E6A628264A23E", "href": "https://www.ibm.com/support/pages/node/284113", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-01T01:54:48", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nCVEID: [CVE-2016-1181](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181>) \nDESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \nCVEID: [CVE-2016-1182](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182>) \nDESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. 
\nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM License Metric Tool 7.5 \nIBM Tivoli Asset Discovery for Distributed 7.5 \n \nIBM License Metric Tool 7.2.2 \nIBM Tivoli Asset Discovery for Distributed 7.2.2| WebSphere Application Server 7 \n \n \nWebSphere Application Server 6.1 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM License Metric Tool 7.5 \nIBM Tivoli Asset Discovery for Distributed 7.5 \n| WebSphere Application Server 7.0 \n| [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM License Metric Tool 7.2.2 \nIBM Tivoli Asset Discovery for Distributed 7.2.2| WebSphere Application Server 6.1| Please contact support for any potential fixes. 
\n \n## Workarounds and Mitigations\n\n**N/A**\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SS8JFY\",\"label\":\"IBM License Metric Tool\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.2.2;7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSHT5T\",\"label\":\"Tivoli Asset Discovery for Distributed\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"7.2.2;7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-04-26T21:17:25", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere 
Application Server shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2021-04-26T21:17:25", "id": "1815BD265DEB0EE550962E1526DA1FE75BACA3823A20A4BCDA8ED078F9EC9C8D", "href": "https://www.ibm.com/support/pages/node/550369", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:51:28", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n \nIBM Security Key Lifecycle Manager (SKLM) v2.5 on distributed platforms | WebSphere Application Server v8.5.5 \n \nIBM Security Key Lifecycle Manager (SKLM) v2.6 on distributed platforms | WebSphere Application Server v8.5.5.7 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:44:41", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:44:41", "id": 
"9E3B1F6158EF5703EF54F7C3064A7EB99BF9523B8A6CCF05475346791179C879", "href": "https://www.ibm.com/support/pages/node/547477", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:03", "description": "## Summary\n\nApache Struts vulnerabilities affect WebSphere Application Server and WebSphere Application Server Hypervisor Edition Administration Console. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. 
\nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nThe following versions of WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition may be affected: \n\n * Version 9.0\n * Version 8.5 and 8.5.5 Full Profile \n * Version 8.0 \n * Version 7.0 \n\n## Remediation/Fixes\n\n**For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:** \n \n**For V9.0.0.0:**\n\n * Apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>)\n\\-- OR \n * Apply Fix Pack 1 (9.0.0.1), or later.\n\n**For V8.5.0.0 through 8.5.5.9:**\n\n * Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>)\n\\-- OR \n * Apply Fix Pack 10 (8.5.5.10), or later.\n\n**For V8.0.0.0 through 8.0.0.12:**\n\n * Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>)
\n\\-- OR \n * Apply Fix Pack 13 (8.0.0.13), or later.\n\n**For V7.0.0.0 through 7.0.0.41:**\n\n * Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>)\n\\-- OR \n * Apply Fix Pack 43 (7.0.0.43), or later. \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:05:55", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:05:55", "id": 
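A practitioner working through the Remediation/Fixes section of the WAS bulletin above (swg21985995) will want to check an inventory of WebSphere levels against it rather than read the four stream paragraphs by hand. The Python below is an added example written for this page, not IBM's code. It encodes only what the bulletin states: the four release streams and their affected ranges, the fix pack that closes each, and the interim fix PI64303 that applies to all of them. A level is classified as vulnerable, mitigated (interim fix present), fixed, out of scope (WAS 6.1, which the ILMT bulletin earlier on this page sends to IBM support) or unknown (a level the bulletin does not list, which is deliberately not assumed fixed). The inventory at the bottom is constructed, and how a real level and its installed interim fixes are collected is left to the reader; both are assumptions.

```python
"""Check IBM WebSphere Application Server (WAS) levels against the fix levels
IBM published for CVE-2016-1181 / CVE-2016-1182 in bulletin swg21985995.

Added example for this page, not IBM tooling. The affected ranges, fix pack
numbers and the interim fix name PI64303 come from the bulletin's
Remediation/Fixes section; the sample inventory and the way levels and
interim fixes are gathered are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Tuple

Version = Tuple[int, ...]

# Interim fix the bulletin offers for every affected stream.
INTERIM_FIX = "PI64303"


@dataclass(frozen=True)
class FixStream:
    first_affected: Version  # inclusive
    last_affected: Version   # inclusive
    fixed_in: Version        # first fix pack that carries the fix


# One entry per "For Vx.y.z.w through ..." paragraph in the bulletin.
FIX_STREAMS = (
    FixStream((9, 0, 0, 0), (9, 0, 0, 0), (9, 0, 0, 1)),
    FixStream((8, 5, 0, 0), (8, 5, 5, 9), (8, 5, 5, 10)),
    FixStream((8, 0, 0, 0), (8, 0, 0, 12), (8, 0, 0, 13)),
    FixStream((7, 0, 0, 0), (7, 0, 0, 41), (7, 0, 0, 43)),
)


def parse_version(text: str) -> Version:
    """Turn 'V8.5.5.9', '8.5.5.9' or '8.5' into a four-part tuple.

    Short levels are zero-padded, so '8.5' means 8.5.0.0, the first level of
    that stream, which is how the bulletins on this page use such labels.
    """
    parts = [int(p) for p in text.strip().lstrip("Vv").split(".") if p]
    if not parts or len(parts) > 4:
        raise ValueError(f"unrecognised WAS level: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def _result(level: str, status: str, action: str) -> dict:
    return {"level": level, "status": status, "action": action}


def assess(level: str, installed_ifixes: Iterable[str] = ()) -> dict:
    """Classify one WAS level as vulnerable, mitigated, fixed, out_of_scope
    or unknown, with the action the bulletin implies."""
    v = parse_version(level)
    ifixes = {f.strip().upper() for f in installed_ifixes}

    if v < (7, 0, 0, 0):
        # WAS 6.1 is not in swg21985995; the ILMT bulletin on this page says
        # to contact IBM support for any potential fix.
        return _result(level, "out_of_scope",
                       "stream not covered by swg21985995; contact IBM support")

    for s in FIX_STREAMS:
        if v[:2] != s.first_affected[:2]:
            continue  # different release stream (9.0 / 8.5 / 8.0 / 7.0)
        if s.first_affected <= v <= s.last_affected:
            if INTERIM_FIX in ifixes:
                return _result(level, "mitigated",
                               f"{INTERIM_FIX} present; move to {fmt(s.fixed_in)} or later")
            return _result(level, "vulnerable",
                           f"apply interim fix {INTERIM_FIX} or upgrade to {fmt(s.fixed_in)} or later")
        if v >= s.fixed_in:
            return _result(level, "fixed", "no action for CVE-2016-1181 / CVE-2016-1182")
        # A level between last_affected and fixed_in that the bulletin does not list.
        return _result(level, "unknown", "level not listed in the bulletin; confirm with IBM")

    return _result(level, "unknown", "release stream not listed in the bulletin; confirm with IBM")


if __name__ == "__main__":
    # Constructed inventory: (hostname, reported level, installed interim fixes).
    inventory = [
        ("was-prod-01", "8.5.5.9", []),
        ("was-prod-02", "8.5.5.9", ["PI64303"]),
        ("was-test-01", "8.5.5.10", []),
        ("legacy-01", "V7.0.0.41", []),
        ("ilmt-01", "6.1", []),
    ]
    for host, level, ifixes in inventory:
        r = assess(level, ifixes)
        print(f"{host:12} {r['level']:10} {r['status']:12} {r['action']}")
```

Two design points: a level the bulletin does not enumerate (for example 7.0.0.42, which sits between the last listed affected level and Fix Pack 43) is reported as unknown rather than assumed fixed, and an installed PI64303 only downgrades the finding to mitigated, since the bulletin pairs the interim fix with the fix pack rather than presenting it as the long-term state.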
"CD1AEA82D347BCF45C817F297F91F17B63798AE3055B653759D8342B9405F1E0", "href": "https://www.ibm.com/support/pages/node/283179", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:50:12", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Tivoli Federated Identity Manager 6.2.1 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.1| IBM WebSphere Application Server 7.0 \nIBM Tivoli Federated Identity Manager 6.2.2 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.2| IBM WebSphere Application Server 7.0, 8.0, 8.5 \n \n## Remediation/Fixes\n\nIBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway are affected through IBM WebSphere Application Server. 
If you use one of the affected versions of WebSphere, update your IBM WebSphere Application Server with the appropriate Interim Fix based on information in the WebSphere security bulletin, ([Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>).\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:49:00", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:49:00", "id": "E3BD856982B27C3FE93EC13A76D5806B5BB18B95DD328F70706B73BE68D790ED", "href": "https://www.ibm.com/support/pages/node/287829", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:47:40", "description": "## 
Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nAffected IBM WebSphere Application Server versions are listed in the security bulletin.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:26", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:26", "id": "A38279E551792BA29F1FA34034CD64E94266819C4862EDC7B206E7A748D269FD", 
"href": "https://www.ibm.com/support/pages/node/547525", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:52:44", "description": "## Summary\n\nIBM Financial Transaction Manager for Corporate Payment Services open source Apache Struts Vulnerabilities (CVE-2016-1181 CVE-2016-1182)\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. 
\nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\n\\- FTM for CPS v2.1.1.0, v2.1.1.1, v2.1.1.2, v2.1.1.3\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nFTM for Corporate Payment Services| 2.1.1.0, \n2.1.1.1, \n2.1.1.2, \n2.1.1.3| PI66509| Apply [2.1.1-FTM-CPS-MP-fp0004](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=2.1.1-FTM-CPS-MP-fp0004&includeSupersedes=0&source=fc>) or later \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T20:03:06", "type": "ibm", "title": "Security Bulletin: IBM Financial Transaction Manager for Corporate Payment Services open source Apache Struts Vulnerabilities (CVE-2016-1181 CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T20:03:06", "id": "C9D56908C5941D51F8B700D0AEB133B65A72D4A5D3A7FAA2D989A477B71C954D", "href": "https://www.ibm.com/support/pages/node/548021", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:09", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIBM Business Monitor V8.5.5, V8.5.6 and V8.5.7 \n\nIBM Business Monitor V8.0.1.3\n\nIBM Business Monitor V7.5.1.2\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:05:59", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:05:59", "id": "9CC98367A213309185EDA7DC75FCDBBA5D5754142F33E0C8ED1B454D10CF416E", "href": "https://www.ibm.com/support/pages/node/284535", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:36", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. 
\n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5, 9.0| [_Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:06:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:00", "id": "3CFF13ADA1D4912594BB3AC9D0D9ACB17881A208B1AD8998A1E8BD64DD6C5268", "href": "https://www.ibm.com/support/pages/node/547521", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:22", "description": "## Summary\n\nWebSphere 
Application Server is/are shipped with Financial Transaction Manager. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nFinancial Transaction Manager for MP v2.0| WebSphere Application Server 7.0 \nFinancial Transaction Manager for MP v2.1| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0| WebSphere Application Server 8.5.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is/are shipped with Financial Transaction Manager. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nFinancial Transaction Manager for MP v2.0| WebSphere Application Server 7.0| [_Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \nFinancial Transaction Manager for MP v2.1| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0| WebSphere Application Server 8.5.5 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T20:02:01", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have 
been identified in WebSphere Application Server shipped with Financial Transaction Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T20:02:01", "id": "F2A538AF2ED1CAABCF5F0891DB02363ECADA659FE7F2989D3CCD7668E4585622", "href": "https://www.ibm.com/support/pages/node/284149", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:59", "description": "## Summary\n\nApache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. This vulnerability also affects other products. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Content Collector for Microsoft SharePoint v3.0 \nIBM Content Collector for Microsoft SharePoint v4.0 \nIBM Content Collector for Microsoft SharePoint v4.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nIBM Content Collector for Microsoft SharePoint| 3.0| Use IBM Content Collector for Microsoft SharePoint 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for Microsoft SharePoint| 4.0| Use IBM Content Collector for Microsoft SharePoint 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for Microsoft SharePoint| 4.0.1| Use IBM Content Collector for Microsoft 
SharePoint 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \n \nFollow the steps in the readme file in the 4.0.1.5 interim fix 001 to install the interim fix applicable to your version. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:48", "type": "ibm", "title": "Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Microsoft SharePoint", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:48", "id": "D75C787D719F6B509B47AAA92C0EBBE969DDCD2CD7BAA1800C224FD759790609", "href": "https://www.ibm.com/support/pages/node/292421", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:52:18", "description": "## Summary\n\nStruts vulnerabilities affect ISD Server. 
ISD Server has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nFrom the IBM System Director command line enter smcli lsver to determine the level of IBM System Director installed. 
\n \nIBM Systems Director: \n\n\n * 6.1.0.0\n * 6.1.0.1\n * 6.1.0.2\n * 6.1.0.3\n * 6.1.1.1\n * 6.1.1.2\n * 6.1.1.3\n * 6.1.2.0\n * 6.1.2.1\n * 6.1.2.2\n * 6.1.2.3\n * 6.2.0.0\n * 6.2.0.1\n * 6.2.0.2\n * 6.2.1.0\n * 6.2.1.0\n * 6.2.1.1\n * 6.2.1.2\n * 6.3.0.0 \n * 6.3.1.0 \n * 6.3.1.1 \n * 6.3.2.0 \n * 6.3.2.1 \n * 6.3.2.2 \n * 6.3.3.0 \n * 6.3.3.1 \n * 6.3.5.0 \n * 6.3.6.0\n * 6.3.7.0\n\n## Remediation/Fixes\n\nIBM Systems Director version pre 6.3.5 are unsupported and will not be fixed. IBM recommends upgrading to a fixed, supported version of the product. \n\nFollow the instructions mentioned in Technote [811735241](<http://www-01.ibm.com/support/docview.wss?uid=nas74ca280436f7c28b1862580f1005aa33d>)[](<http://www-01.ibm.com/support/docview.wss?uid=nas72cf7b7fb4cdb924b862580a40000b3be>) to apply the fix for releases:\n\n * 6.3.5.0\n * 6.3.6.0\n * 6.3.7.0\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-18T01:35:34", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts affect IBM Systems Director (ISD) Server (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-18T01:35:34", "id": "1D6C51DC7D1DD9D1A9F07B9737CE12B7F8F933D3089EBCB68A0BBCF75680D250", "href": "https://www.ibm.com/support/pages/node/630929", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:48", "description": "## Summary\n\nApache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. This vulnerability also affects other products. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. 
\nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nContent Collector for IBM Connections v3.0 \nContent Collector for IBM Connections v4.0 \nContent Collector for IBM Connections v4.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nContent Collector for IBM Connections| 3.0| Use Content Collector for IBM Connections 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nContent Collector for IBM Connections| 4.0| Use Content Collector for IBM Connections 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nContent Collector for IBM Connections| 4.0.1| Use Content Collector for IBM Connections 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \n \nFollow the steps in the readme file in the 4.0.1.5 interim fix 001 to install the interim fix applicable to your version. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:48", "type": "ibm", "title": "Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:48", "id": "6AB5B24B612744A794E7F28CC88F04C811F4BB9710FE31917EFCB65EDDDF7C9A", "href": "https://www.ibm.com/support/pages/node/292413", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:50", "description": "## Summary\n\nApache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. 
An attacker could exploit this vulnerability to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. 
\nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Content Collector for File Systems v3.0 \nIBM Content Collector for File Systems v4.0 \nIBM Content Collector for File Systems v4.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nIBM Content Collector for File Systems| 3.0| Use IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for File Systems| 4.0| Use IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for File Systems| 4.0.1| Use IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \n \nFollow the steps in the readme file in the 4.0.1.5 interim fix 001 to install the interim fix applicable to your version. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:47", "type": "ibm", "title": "Security Bulletin: OpenSource Apache Struts vulnerabilities in IBM Content Collector for File Systems", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:47", "id": "286378C830B748E29DFAEAB7AC19693EE4565D1CAB6189EAA20A975B835DFAD6", "href": "https://www.ibm.com/support/pages/node/292427", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:30", "description": "## Summary\n\nApache Struts vulnerabilities affect FastBack for Workstations Central Administration Console.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. 
An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nFastBack for Workstations Central Administration Console v6.3 \n\n## Remediation/Fixes\n\nThe fix for FastBack for Workstations CAC 6.3 will be to apply the WAS interim fix pack PI64303 to the version of WAS included with the Tivoli Integrated Portal. \nIn order to obtain the PI64303 fix refer to the WAS security bulletin: \n<http://www-01.ibm.com/support/docview.wss?uid=swg21985995> \nClick on the link for v7.0.0.0 through v7.0.0.41 interim fix pack PI64303. Click the HTTPS download link for 7.0.0.33-WS-WAS-IFPI64303. \nThere will be a Readme.txt file and a 7.0.0.33-ws-was-ifpi64303.pak file. \n \nTo apply, do the following: \n1\\. If not already at the CAC 6.3.1.1 version upgrade to this version. \n2\\. Stop the Tivoli Service: Tivoli Intergrated Portal - V2.2_TIPProfile_Port_16310 \n3\\. 
Using the Update Installer application (update.exe) found in the Tivoli Integrated Portal installation directory \n(default location: C:\\IBM\\Tivoli\\Tipv2_fbws\\WebSphereUpdateInstallerV7) apply the .pak file downloaded earlier \n4\\. Restart the Tivoli Service or reboot the machine \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T15:26:53", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts affects FastBack for Workstations Central Administration Console (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:26:53", "id": "BE523D88E9070A2DC41C20554C070BC6A203CA40E3C999CC7B9D52C82AF77DEF", "href": "https://www.ibm.com/support/pages/node/547735", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:34", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM PureApplication System. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin [_Vulnerabilities in Apache Struts affects IBM WebSphere Application Server_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes. \n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.0, 2.1, and 2.2| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \nIBM WebSphere Application Server 9.0.0.0 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:06:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts has been identified in IBM WebSphere Application Server shipped with IBM PureApplication System (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:02", "id": "C9594147E388237928595F1CF759F8EC355015BE6AC29A030A2FA3207D9B6DE4", "href": "https://www.ibm.com/support/pages/node/547903", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:48:01", "description": "## Summary\n\nA security vulnerability in Apache Struts affects IBM FileNet Content Manager and IBM Content Foundation.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. 
An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L) \n\n\n## Affected Products and Versions\n\nFileNet Content Manager 5.2.0 \nIBM Content Foundation 5.2.0 \n \nNote: these vulnerabilities are **_not_** applicable to FileNet Content Manager 5.2.1 or IBM Content Foundation 5.2.1.\n\n## Remediation/Fixes\n\nInstall one of the fixes listed below to resolve the Apache Struts security vulnerabilities. 
\n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nFileNet Content Manager| 5.2.0| [PJ44282](<http://www.ibm.com/support/docview.wss?uid=swg1PJ44282>)| [5.2.0.5-P8CPE-IF001](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/FileNet+Content+Engine&release=5.2.0.5&platform=All&function=all>) \\- Available 9/20/2016 \nIBM Content Foundation| 5.2.0| [PJ44282](<http://www.ibm.com/support/docview.wss?uid=swg1PJ44282>)| [5.2.0.5-P8CPE-IF001](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/FileNet+Content+Engine&release=5.2.0.5&platform=All&function=all>) \\- Available 9/20/2016 \n \nIn the above table, the APAR links will provide more information about the fix. \nThe links in the Remediation column will take you to the location within IBM Fix Central where you can download the particular fix you need. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:24", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects FileNet Content Manager and IBM Content Foundation (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 
6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:24", "id": "691466DAEE06683E49687F1AD61B1DE274EE44CA9F6E86B9BF8D7D76D6346999", "href": "https://www.ibm.com/support/pages/node/285013", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:48:03", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Records Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\n \nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nIBM Records Manager 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \nIBM Records Manager 8.5.0.6| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \nIBM Records Manager 8.5.0.7| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": 
"NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Records Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:17", "id": "D9F3546932BD432766323A6E9A562D656E3EAC77AAB6EE3AAADFF6008E59BC30", "href": "https://www.ibm.com/support/pages/node/284115", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:54", "description": "## Summary\n\nStruts v2 vulnerabilities affect IBM Enterprise Records. IBM Enterprise Records has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Enterprise Records v5.2.0 - 5.2.0.3\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation_ \n---|---|--- \nIBM Enterprise Records| 5.2.0 - 5.2.0.3| Use IBM Enterprise Records 5.2.0 Fix Pack 4 Interim Fix 2 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:55", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Enterprise Records", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:55", "id": "C6D76168198B9EF24D77F1D04BA06E30D33B0C7D71C8457114E69E1A43BB68AD", "href": "https://www.ibm.com/support/pages/node/294473", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T17:52:17", "description": "## Summary\n\nStruts v2 vulnerabilities affect IBM Spectrum Control and Tivoli Storage Productivity Center. IBM Spectrum Control and Tivoli Storage Productivity Center have addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. 
\nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L) \n\n\n## Affected Products and Versions\n\n \nIBM Spectrum Control 5.2.8 through 5.2.10.1 \nTivoli Storage Productivity Center 5.2.0 through 5.2.7.1 \nTivoli Storage Productivity Center 5.1.0 through 5.1.1.10 \n \nThe versions listed above apply to all licensed offerings of IBM Spectrum Control and Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.\n\n## Remediation/Fixes\n\n**Note:** It is always recommended to have a current backup before applying any update procedure. \n \nApply the IBM Spectrum Control or Tivoli Storage Productivity Center fix maintenance as soon as practicable. (See [_Latest Downloads_](<http://www.ibm.com/support/docview.wss?uid=swg21320822>).) 
\n\n\n**Affected Version**| **APAR**| **Fixed Version**| **Availability** \n---|---|---|--- \n5.2.x| IT16542 | 5.2.11| August 2016 \n5.1.1.x| IT16542| 5.1.1.12| October 2016 \n \n \n\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2022-02-22T19:50:07", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-1181, CVE-2016-1182", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2022-02-22T19:50:07", "id": "29036B6FEB00571E2FBC00E867150134E5DF9C08AD44F9670B7C8B0109F99570", "href": "https://www.ibm.com/support/pages/node/549139", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T17:45:42", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, 
Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nSmartCloud Control Desk 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nSmartCloud Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 \nMaximo Asset Management 7.1 \nMaximo Asset Management Essentials 7.1 \nMaximo Asset Management for Energy Optimization 7.1 \nMaximo for Government 7.1 \nMaximo for Nuclear Power 7.1 \nMaximo for Transportation 7.1 \nMaximo for Life Sciences 7.1 \nMaximo for Oil and Gas 7.1 \nMaximo for Utilities 7.1 \nMaximo Adapter for Primavera 7.1| IBM WebSphere Application Server 7.0 \nTivoli Asset Management for IT 7.2 \nTivoli Service Request 
Manager 7.2 \nChange and Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2022-09-22T03:02:31", "id": "23F8C1E67922626C0589CA86ED9B40D441D494E8B56CD8FF4A2EF76F18E6861F", "href": "https://www.ibm.com/support/pages/node/284963", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T17:47:29", "description": "## Summary\n\nIBM WebSphere Application Server v7.0 is shipped as a component of IBM Intelligent Operations Center. 
Information about security vulnerabilities affecting IBM WebSphere Application Server has been identified and published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin: [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Versions**| **Affected Supporting Products and Versions** \n---|--- \nIBM Intelligent Operations Center V1.5, V1.6| IBM Intelligent Operations Center for Emergency Management V1.6 \nIBM Intelligent Operations for Water V1.0, V1.5, V1.6 \nIBM Intelligent Operations for Transportation V1.0, V1.5, V1.6 \nIBM Intelligent City Planning and Operations V1.5, V1.6 \nIBM Intelligent Operations Center V5.1| IBM Intelligent Operations Center for Emergency Management V5.1 \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>). 
Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server that is shipped with IBM Intelligent Operations Center and related products (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2022-08-19T21:04:31", "id": "F5D5AAF38F45575DCEBF7AD5E9B3D25AA8678ED2972A091BF0082B881BDC74A4", "href": "https://www.ibm.com/support/pages/node/284011", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:51:18", "description": "## Summary\n\nVulnerabilities in GSKit and GSKit-Crypto were addressed by IBM InfoSphere Information Server.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0705_](<https://vulners.com/cve/CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private 
keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2017-3732_](<https://vulners.com/cve/CVE-2017-3732>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2017-3736_](<https://vulners.com/cve/CVE-2017-3736>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/134397_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134397>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1428_](<https://vulners.com/cve/CVE-2018-1428>) \n**DESCRIPTION:** IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. \nConsider changing your passwords to ensure that the new passwords are stored more securely. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nThe following products, running on all supported platforms, are affected: \nIBM InfoSphere Information Server: versions 9.1, 11.3, 11.5, and 11.7 \nIBM InfoSphere Information Server on Cloud: versions 11.5, and 11.7\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud| 11.7| [_JR59097_](<http://www.ibm.com/support/docview.wss?uid=swg1JR59097>)| \\--New installations of IBM InfoSphere Information Server version 11.7.0.1 (and later) are not vulnerable \n\\--If IBM InfoSphere Information Server version 11.7.0.0 or earlier was installed, apply Information Server Framework [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113-11701_JR59097_ISF_services_engine*>) \n\\--Consider changing your passwords to ensure that the new passwords are stored more securely. 
\nInfoSphere Information Server, Information Server on Cloud| 11.5| [_JR59097_](<http://www.ibm.com/support/docview.wss?uid=swg1JR59097>)| \\--Apply IBM InfoSphere Information Server version [_11.5.0.2_](<http://www.ibm.com/support/docview.wss?uid=swg24043666>) \n\\--Apply Information Server Framework [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113-11701_JR59097_ISF_services_engine*>) \n\\--Consider changing your passwords to ensure that the new passwords are stored more securely. \nInfoSphere Information Server| 11.3| [_JR59097_](<http://www.ibm.com/support/docview.wss?uid=swg1JR59097>)| \\--Apply IBM InfoSphere Information Server version [_11.3.1.2 _](<http://www-01.ibm.com/support/docview.wss?uid=swg24040138>) \n\\--Apply Information Server Framework [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113-11701_JR59097_ISF_services_engine*>) \n\\--Consider changing your passwords to ensure that the new passwords are stored more securely. \nInfoSphere Information Server| 9.1| [_JR59097_](<http://www.ibm.com/support/docview.wss?uid=swg1JR59097>)| \\--Upgrade to a new release \n \n \nFor IBM InfoSphere Information Server version 9.1, IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n \n**Contact Technical Support:**\n\nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [_contacts for other countries_](<http://www.ibm.com/planetwide/>) outside of the United States. 
\nElectronically [_open a Service Request_](<http://www.ibm.com/software/support/probsub.html>) with Information Server Technical Support.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-22T01:53:09", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in GSKit and GSKit-Crypto affect IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1428", "CVE-2018-1447"], "modified": "2018-06-22T01:53:09", "id": "3DF4EFFCBD4398CD9D2C6995C59DEC9020B7665B1A75D2B23F0CFA94C34BBB8A", "href": "https://www.ibm.com/support/pages/node/711793", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:48:08", "description": "## Summary\n\nDB2 contains several vulnerabilities which can affect the IBM Performance Management product. 
Some of the information about security vulnerabilities affecting DB2 has been published in security bulletins.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-1571](<https://vulners.com/cve/CVE-2017-1571>) \n**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 131853. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-1677](<https://vulners.com/cve/CVE-2017-1677>) \n**DESCRIPTION:** IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin, which leads to object injection and potentially arbitrary code execution depending on the classpath. IBM X-Force ID: 133999. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133999> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2018-1448](<https://vulners.com/cve/CVE-2018-1448>) \n**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. IBM X-Force ID: 140043. 
\nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140043> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nDetails of these vulnerabilities are published in the following security bulletins: \n[Security: IBM Db2 is affected by multiple vulnerabilities in the GSKit library (CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1428, CVE-2018-1427, CVE-2018-1426)](<http://www-01.ibm.com/support/docview.wss?uid=swg22013756>) \n[Security: IBM Db2 vulnerability allows local user to overwrite Db2 files (CVE-2018-1448)](<http://www-01.ibm.com/support/docview.wss?uid=swg22014388>) \n[Security: IBM Db2 performs unsafe deserialization in DB2 JDBC driver (CVE-2017-1677)](<http://www-01.ibm.com/support/docview.wss?uid=swg22012896>) \n[Security: Under specific circumstances IBM Db2 installation creates users with a weak password hashing algorithm (CVE-2017-1571)](<http://www-01.ibm.com/support/docview.wss?uid=swg22012948>) \n\n\n## Affected Products and Versions\n\nIBM Monitoring 8.1.3 \nIBM Application Diagnostics 8.1.3 \nIBM Application Performance Management 8.1.3 \nIBM Application Performance Management Advanced 8.1.3 \nIBM Cloud Application Performance Management, Base Private 8.1.4 \nIBM Cloud Application Performance Management, Advanced Private 8.1.4\n\n## Remediation/Fixes\n\n**Product:** IBM Cloud Application Performance Management Base Private; IBM Cloud Application Performance Management Advanced Private \n**Product VRMF:** 8.1.4 \n**Remediation:** The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V10.5 or V11.1 server. 
The fixes can be accessed from the following security bulletins:\n\n[Security: IBM Db2 is affected by multiple vulnerabilities in the GSKit library (CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1428, CVE-2018-1427, CVE-2018-1426)](<http://www-01.ibm.com/support/docview.wss?uid=swg22013756>)\n\n[Security: IBM Db2 vulnerability allows local user to overwrite Db2 files (CVE-2018-1448)](<http://www-01.ibm.com/support/docview.wss?uid=swg22014388>)\n\n[Security: IBM Db2 performs unsafe deserialization in DB2 JDBC driver (CVE-2017-1677)](<http://www-01.ibm.com/support/docview.wss?uid=swg22012896>)\n\n[Security: Under specific circumstances IBM Db2 installation creates users with a weak password hashing algorithm (CVE-2017-1571)](<http://www-01.ibm.com/support/docview.wss?uid=swg22012948>)\n\nTo use your updated DB2 V10.5 or V11.1 server with your IBM Cloud Application Performance Management product, apply the 8.1.4.0-IBM-APM-SERVER-IF0004 or later server patch to the system where the Cloud APM server is installed. Interim fixes for the Cloud APM server version 8.1.4 are available to download from IBM Fix Central at this link: \n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.4.0&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.4.0&platform=All&function=all>) \n \n**Product:** IBM Monitoring; IBM Application Diagnostics; IBM Application Performance Management; IBM Application Performance Management Advanced \n**Product VRMF:** 8.1.3 \n**Remediation:** The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V10.5 server. 
The fixes can be accessed from the following security bulletins:\n\n[Security: IBM Db2 is affected by multiple vulnerabilities in the GSKit library (CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1428, CVE-2018-1427, CVE-2018-1426)](<http://www-01.ibm.com/support/docview.wss?uid=swg22013756>)\n\n[Security: IBM Db2 vulnerability allows local user to overwrite Db2 files (CVE-2018-1448)](<http://www-01.ibm.com/support/docview.wss?uid=swg22014388>)\n\n[Security: IBM Db2 performs unsafe deserialization in DB2 JDBC driver (CVE-2017-1677)](<http://www-01.ibm.com/support/docview.wss?uid=swg22012896>)\n\n[Security: Under specific circumstances IBM Db2 installation creates users with a weak password hashing algorithm (CVE-2017-1571)](<http://www-01.ibm.com/support/docview.wss?uid=swg22012948>)\n\nTo use your updated DB2 V10.5 server with your IBM Application Performance Management product, apply the 8.1.3.0-IBM-IPM-SERVER-IF0011 or later server patch to the system where the APM server is installed. 
Interim fixes for the APM server version 8.1.3 are available to download from IBM Fix Central at this link: \n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.3.0&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.3.0&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-30T09:49:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in DB2 that affect the IBM Performance Management product", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0705", "CVE-2017-1571", "CVE-2017-1677", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1448"], "modified": "2018-08-30T09:49:34", "id": 
"CF8080897BA997E374072C563D7B6C6088F56DDA07F407BD98DF25411FE5E09C", "href": "https://www.ibm.com/support/pages/node/729759", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:41:26", "description": "## Summary\n\nRational DOORS has addressed the following vulnerabilities\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2018-1457_](<https://vulners.com/cve/CVE-2018-1457>) \n**DESCRIPTION:** An undisclosed vulnerability in IBM Rational DOORS 9 application allows an attacker to gain DOORS administrator privileges. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/140208_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140208>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2018-1447_](<https://vulners.com/cve/CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1427_](<https://vulners.com/cve/CVE-2018-1427>) \n**DESCRIPTION:** IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. 
\nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139072_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139072>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nRational DOORS: 9.5.1 - 9.5.1.9 \nRational DOORS: 9.5.2 - 9.5.2.8 \nRational DOORS: 9.6.0 - 9.6.0.7 \nRational DOORS: 9.6.1 - 9.6.1.10 \nRational DOORS: 9.7.x \n \nThe following Rational DOORS components are affected:\n\n * Rational DOORS desktop client\n * Rational DOORS interoperation server\n\n## Remediation/Fixes\n\nUpgrade to the fix pack that corresponds to the version of Rational DOORS that you are running, as shown in the following table. Upgrade the Rational DOORS client, the Rational DOORS database server, and the Rational DOORS interoperation server. \nNOTE: You should verify that applying this fix does not cause any compatibility issues. \n**Rational DOORS version** | **Upgrade to fix pack** \n---|--- \n9.5.1 - 9.5.1.9 | [9.5.1.10](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+DOORS&fixids=9.5.1.10-RATIONAL-DOORS-fixpack1&release=9.5&platform=All&source=SAR>) \n9.5.2 - 9.5.2.8 | [9.5.2.9](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+DOORS&fixids=9.5.2.9-RATIONAL-DOORS-fixpack1&release=9.5&platform=All&source=SAR>) \n9.6.0 - 9.6.0.7 | [9.6.0.8](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+DOORS&fixids=9.6.0.8-RATIONAL-DOORS-fixpack1&release=9.6.0.0&platform=All&source=SAR>) \n9.6.1 - 9.6.1.10 | [9.6.1.11](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+DOORS&fixids=9.6.1.11-RATIONAL-DOORS-fixpack&release=9.6.1.10&platform=All&source=SAR>) \n \n \n_For Rational DOORS version 9.5.0.x and earlier, IBM 
recommends upgrading to a fixed, supported version/release/platform of the product._\n\n \n**Citrix and Remote desktop** \nTo reduce installation overhead and to increase security, many clients make use of remote desktop software (Citrix or Microsoft Remote Desktop). All remote desktop solutions provide communication level security in addition to the benefits for installation. Clients using a remote desktop solution such as Citrix XenApp can organize their network infrastructure to forbid users from accessing DOORS directly and so avoid the communication exposures described by this vulnerability.\n\n \n**Update to Server Security** \nThe fix that prevents an attacker from gaining DOORS administrator privileges is an enhancement to the DOORS server security functionality. DOORS must be configured to use server security to enable this feature. When enabled, interop servers will only connect to the database server if approved. This can be done either by starting the database server with the \"secureInteropbyIP\" command line switch or by adding the interop server certificate information to an allowlist.dat file. The allowlist.dat file needs to be located at the top level of the DOORS data directory.\n\nIf the database server is started with the \"secureInteropbyIP\" command line switch, the allowlist.dat file is unnecessary when all the interop servers are running on the same machine as the database server. Interop servers must be started with the \"sssServer\" command line switch to be recognised as secure by the database server. 
\nFor further information see the documentation on how to configure [server security](<https://www.ibm.com/support/knowledgecenter/SSYQBZ_9.6.1/com.ibm.doors.configuring.doc/topics/c_configuringrserversidesecurity.html>).\n\n**Configure Rational DOORS Web Access** \nIf you are using Rational DOORS Web Access, after you upgrade, _but before you start the Rational DOORS Web Access server_, edit the core configuration file and set the required version of the interoperation server to the version of the fix pack upgrade, as described in the following steps.\n\n**Procedure:**\n\n 1. To edit the Rational DOORS Web Access core configuration file, open the `festival.xml` file, which is in the `server\\festival\\config` directory.\n 2. Add the following line in the `<f:properties>` section: \n \n`<f:property name=\"interop.version\" value=\"9.n.n.n\" />` \n \nReplace \"`9.n.n.n`\" with the version of the fix pack upgrade: 9.5.1.10, 9.5.2.9, 9.6.0.8, or 9.6.1.11.\n 3. Save and close the file.\n\nAfter this revision, only the specified version of the interoperation server can access the Rational DOORS database.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-29T16:11:30", "type": "ibm", "title": "Security Bulletin: Rational DOORS is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1427", "CVE-2018-1447", "CVE-2018-1457"], "modified": "2020-06-29T16:11:30", "id": "050C4CD191E772BBB89D37433656A4CF140CE5C30F03D9CE4A5D8081AA772A03", "href": "https://www.ibm.com/support/pages/node/712319", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:04:59", "description": "## Summary\n\nIBM Communications Server for Windows has addressed the following vulnerabilities: \nCVE-2018-1388 3RD PARTY GSKit V7 ROBOT Security Advisory \nCVE-2016-0702 Side channel attack on modular exponentiation (CVE-2016-0702) in GSKit \nCVE-2018-1447 GSKit and GSKit-Crypto Security Advisory December 2017 Part 1 \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2018-1388_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1388>) \n**DESCRIPTION:** GSKit V7 may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding. \nCVSS Base Score: 9.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/138212_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138212>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n**CVEID:** [_CVE-2016-0702_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. 
\nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2018-1447_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1447>) \n**DESCRIPTION:** The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/139972_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139972>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\n**Affected IBM Communications Server for Windows** | **Affected Versions** \n---|--- \nCommunications Server for Windows| 6.4.0 \nCommunications Server for Windows| 6.1.3 \n \n## Remediation/Fixes\n\n**Product** | **VRMF** | **APAR** | **Remediation / First Fix** \n---|---|---|--- \nCommunications Server for Windows| 6.4.0.7, 6.4.0.8| JR59019| (6.4.0.7 or lower) [Link to FIX to update CSWIN to 6.4.0.8 with fix included](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/WebSphere/Communications+Server+for+Windows&release=All&platform=Windows&function=fixId&fixids=OS-GSKIT8-86-UPDATE-6408-WINDOWS-UPDATE+&includeSupersedes=0>); (6.4.0.8) [Link to FIX to apply to existing CSWIN 
6.4.0.8](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/WebSphere/Communications+Server+for+Windows&release=All&platform=Windows&function=fixId&fixids=OS-GSKIT8-86-UPDATE-CMS-KDB-WEAKNESS+&includeSupersedes=0>) \nCommunications Server for Windows| 6.1.3.5| JR59029| [Link to FIX](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/WebSphere/Communications+Server+for+Windows&release=All&platform=Windows&function=fixId&fixids=WS-CSWIN-GSKIT7F-GSKIT-UPDATE-6135+&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSHQNF\",\"label\":\"Communications Server for Windows\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"All\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.1.3;6.4;6.4.0.1;6.4.0.2;6.4.0.3;6.4.0.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB35\",\"label\":\"Mainframe SW\"}}] \n\n## Product Synonym\n\nCommunications Server commserver comm server sna cswin cswindows", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: IBM Communications Server for Windows is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0702", "CVE-2018-1388", "CVE-2018-1447"], "modified": "2018-08-03T04:23:43", "id": "F862AA8C70B0343452BE1F88AAFBC22FF6D70527EFA74872A5EBBA9DE943691D", "href": "https://www.ibm.com/support/pages/node/569075", "cvss": 
{"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:46:26", "description": "## Summary\n\nWebSphere Application Server (WAS) Full profile is shipped as a component of Jazz for Service Management (JazzSM), and WAS has been affected by multiple security vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0359_](<https://vulners.com/cve/CVE-2016-0359>) \n**DESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using a specially crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111929_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \