Aug 03, 2018 - 5:08 a.m.

Security Bulletin: IBM Communications Server for Data Center Deployment, IBM Communications Server for AIX, IBM Communications Server for Linux, and IBM Communications Server for Linux on System z are affected by a vulnerability.

2018-08-03 05:08:10
www.ibm.com

EPSS: 0.005 (Low)

Percentile: 76.2%

Summary

IBM Communications Server for Data Center Deployment, IBM Communications Server for AIX, IBM Communications Server for Linux, and IBM Communications Server for Linux on System z have addressed the following vulnerability:
CVE-2018-1447 GSKit and GSKit-Crypto Security Advisory December 2017 Part 1

Vulnerability Details

CVEID: CVE-2018-1447
DESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After the update, the customer should change the password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected IBM Communications Server for Linux & CS for Linux on System z | Affected Versions
---|---
Communications Server for Data Center Deployment | 700
Communications Server for AIX | 640
Communications Server for Linux | 640
Communications Server for Linux on System z | 640

Remediation/Fixes

Product | VRMF | APAR | Remediation / First Fix
---|---|---|---
Communications Server for Data Center Deployment | 7.0.0.4 | (AIX) IJ03789; (LINUX) LI79870 | (AIX) Link to FIX; (LINUX) Link to FIX on i686, Link to FIX on x86_64, Link to FIX on ppc, Link to FIX on s390x
Communications Server for AIX | 6.4.0.7 | IJ03797 | Link to FIX
Communications Server for Linux | 6.4.0.7 | LI79880 | Link to FIX on i686, Link to FIX on x86_64, Link to FIX on ppc
Communications Server for Linux on System z | 6.4.0.7 | LI79891 | Link to FIX

Workarounds and Mitigations

none
