6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.024 Low
EPSS
Percentile
89.8%
There are multiple vulnerabilities in OpenSSL that is used by IBM Systems Director. These issues were disclosed on August 6, 2014 by the OpenSSL Project.
There are multiple vulnerabilities in OpenSSL that is used by IBM Systems Director. These issues were disclosed on August 6, 2014 by the OpenSSL Project.
Vulnerability Details:
CVE-ID: CVE-2014-3509
Description: OpenSSL is vulnerable to a denial of service, caused by a race condition in the ssl_parse_serverhello_tlsext() code. If a multithreaded client connects to a malicious server using a resumed session, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/95159> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3511
Description: OpenSSL could allow a remote attacker to bypass security restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol versions by the OpenSSL SSL/TLS server code when handling a badly fragmented ClientHello message. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to TLS 1.0.
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/95162> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
IBM Systems Director: 6.3.2.0, 6.3.2.1, 6.3.2.2, 6.3.3.0, 6.3.3.1, 6.3.5.0
Non-affected Products and Versions
IBM Systems Director versions 5.2.x.x, 6.1.x.x, 6.2.x.x, 6.3.0.0, 6.3.1.0, 6.3.1.1 server and agents on all hardware platforms are NOT vulnerable to the OpenSSL vulnerabilities (CVE-2014-3509 and CVE-2014-3511).
Click the following link:
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Director&product=ibm/Director/SystemsDirector&release=All&platform=All&function=all
Select the following fix pack:
SysDir6_3_2_0_6_3_5_0_IT04065_IT04067_IT04070_IT04072 Note: This fix package includes all releases, and all platforms.
None known
Note: IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
Related Information:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
12 September 2014 : Original Copy Published
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.