Security Bulletin: IBM Flex System Manager (FSM) is affected by an OpenSSL vulnerability (CVE-2017-3731)

Published: June 18, 2018, 01:35:33 (source: www.ibm.com)

Scores shown in this page's header (note that they differ from IBM's own score of 5.3 with A:L, listed under Vulnerability Details below):

CVSS3: 7.5 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH

CVSS2: 5 Medium, AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: PARTIAL

Summary

A security vulnerability has been identified in OpenSSL that is embedded in IBM FSM. This bulletin addresses this issue.

Vulnerability Details

CVEID: CVE-2017-3731
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an out-of-bounds read when using a specific cipher. By sending specially crafted truncated packets, a remote attacker could exploit this vulnerability using CHACHA20/POLY1305 to cause the application to crash. (The upstream OpenSSL advisory for this CVE states that the CHACHA20/POLY1305 trigger applies to the 1.1.0 branch, that on the 1.0.2 branch the affected cipher is RC4-MD5, and that the out-of-bounds read occurs on 32-bit hosts; the RC4-MD5 dependency is why the remediation below disables RC4 cipher suites.)
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121312 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Flex System Manager 1.3.4.0
Flex System Manager 1.3.3.0
Flex System Manager 1.3.2.1
Flex System Manager 1.3.2.0

Remediation/Fixes

IBM recommends updating the FSM using the instructions referenced in this table.

Product | VRMF | Remediation
---|---|---
Flex System Manager | 1.3.4.0 | Disable RC4 ciphers as described in the September 2015 security bulletin: <https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5098709>.
Flex System Manager | 1.3.3.0 | Disable RC4 ciphers as described in the September 2015 security bulletin: <https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5098709>.
Flex System Manager | 1.3.2.1, 1.3.2.0 | Disable RC4 ciphers as described in the September 2015 security bulletin: <https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5098709>.

For all VRMF not listed in this table, IBM recommends upgrading to a fixed and supported version/release of the product.
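The remediation above is only effective if the FSM's TLS endpoints actually stop accepting RC4 suites. The following is an added example (not part of the IBM bulletin and not FSM code) that probes an endpoint with only RC4 suites offered and classifies the `openssl s_client` output, including the case where the local OpenSSL build has no RC4 suites and the probe is therefore inconclusive. The host name, port and the three sample outputs are constructed for illustration.

```shell
# Added example, not from the IBM bulletin: check whether a TLS endpoint still
# accepts RC4 cipher suites after "Disable RC4 ciphers" has been applied.
# Every host, port and sample output below is a constructed assumption.

# Classify the text produced by `openssl s_client -cipher 'RC4' -connect host:port`.
# Prints one of:
#   rc4-accepted     - the server negotiated an RC4 suite (remediation NOT in effect)
#   rc4-rejected     - handshake refused or no RC4 suite agreed (expected after the fix)
#   client-lacks-rc4 - the local openssl has no RC4 suites to offer; probe is inconclusive
classify_rc4_probe() {
    out="$1"
    # OpenSSL builds without RC4 (e.g. 1.1.0 and later without enable-weak-ssl-ciphers)
    # cannot run this probe at all; report that rather than a false "rejected".
    case "$out" in
        *"no cipher match"*|*"no ciphers available"*)
            echo "client-lacks-rc4"
            return 0 ;;
    esac
    # The negotiated suite is printed in the SSL-Session block as "Cipher    : NAME";
    # "0000" means the handshake produced no session.
    cipher=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' \
        | head -n 1 | tr -d ' \r')
    case "$cipher" in
        RC4-*) echo "rc4-accepted" ;;
        *)     echo "rc4-rejected" ;;
    esac
}

# Live probe: offer only RC4 suites to the appliance and classify the result.
probe_rc4() {
    host="$1"
    port="${2:-443}"
    # 'Q' on stdin closes the connection once the handshake has completed (or failed).
    out=$(printf 'Q\n' | openssl s_client -cipher 'RC4' -connect "${host}:${port}" 2>&1)
    classify_rc4_probe "$out"
}

# Constructed, abridged sample outputs standing in for real probe results.
SAMPLE_RC4_ACCEPTED=$(cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-SHA
EOF
)

SAMPLE_RC4_REJECTED=$(cat <<'EOF'
CONNECTED(00000003)
140735248:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
EOF
)

SAMPLE_CLIENT_NO_RC4=$(cat <<'EOF'
Error with command: "-cipher RC4"
140210:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:
EOF
)

# Usage against a real appliance (constructed host name):
#   probe_rc4 fsm.example.internal 443
```

Run the probe from a host whose OpenSSL still ships RC4 suites; a `client-lacks-rc4` result means the test machine, not the appliance, needs attention before the outcome can be trusted.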

For a complete list of FSM security bulletins refer to this technote: http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex--NULL--E

Workarounds and Mitigations

None

CPE match: flex system manager node (operator: eq, version: any)
