Security Bulletin: IBM InfoSphere Master Data Management is vulnerable to multiple OpenSSL vulnerabilities (CVE-2017-3738, CVE-2017-3737, CVE-2017-3736)

Summary

IBM InfoSphere Master Data Management is vulnerable to multiple OpenSSL vulnerabilities that could cause the application to crash, an attacker to obtain information about the private key, or cause a denial of service.

Vulnerability Details

CVEID: CVE-2017-3738 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136078&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-3737 DESCRIPTION: An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and high availability impact.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136077&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

This vulnerability is known to affect the following offerings:

Affected IBM Initiate Master Data Service

|

Affected Versions

—|—
IBM InfoSphere Master Data Management | 11.0
IBM InfoSphere Master Data Management | 11.3
IBM InfoSphere Master Data Management | 11.4
IBM InfoSphere Master Data Management | 11.5
IBM InfoSphere Master Data Management | 11.6

Remediation/Fixes

The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

11.0

| None | 11.0.0.7-MDM-SAE-FP07IF001_ _
IBM InfoSphere Master Data Management Standard/Advanced Edition |

11.3

| None | 11.3.0.7-MDM-SE-AE-FP07IF001
IBM InfoSphere Master Data Management Standard/Advanced Edition |

11.4

| None | 11.4.0.8-MDM-SE-AE-FP08IF002
IBM InfoSphere Master Data Management Standard/Advanced Edition |

11.5

| None | 11.5.0.7-MDM-SAE-FP07IF000
IBM InfoSphere Master Data Management Standard/Advanced Edition |

11.6

| None | 11.6.0.7-MDM-SAE

Workarounds and Mitigations

None