Lucene search

K
ibmIBMF17C09CA9366DB4B46C2D2458B4B0B2F150A45007792754545A5B15C91CA9BBA
HistoryApr 05, 2019 - 11:50 a.m.

Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation

2019-04-0511:50:01
www.ibm.com
24

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

Summary

OpenSSL vulnerabilities were disclosed on 30 October 2018 and later by the OpenSSL Project. OpenSSL is used by IBM Worklight and IBM MobileFirst Platform Foundation. IBM Worklight and IBM MobileFirst Platform Foundation have addressed the applicable CVEs.

Vulnerability Details

CVE-ID: CVE-2018-0734
Description: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing side channel attack in the DSA signature algorithm. An attacker could exploit this vulnerability using variations in the signing algorithm to recover the private key.
CVSS Base Score: 3.7
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/152085&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE-ID: CVE-2019-1559
Description: OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. An attacker could exploit this vulnerability using a 0-byte record padding-oracle attack to decrypt traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/157514&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

IBM MobileFirst Platform Foundation 8.0.0.0
IBM MobileFirst Platform Foundation 7.1.0.0
IBM MobileFirst Platform Foundation 6.3.0.0
IBM Worklight Enterprise Edition 6.2.0.1

Remediation/Fixes

Product

| VRMF |APAR|Remediation/First Fix
—|—|—|—
IBM MobileFirst Platform Foundation | 8.0.0.0 | PH09324 | Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
IBM MobileFirst Platform Foundation | 7.1.0.0 | Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
IBM MobileFirst Platform Foundation | 6.3.0.0 | Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
IBM Worklight Enterprise Edition | 6.2.0.1 | Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
| |

Workarounds and Mitigations

None

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

Related for F17C09CA9366DB4B46C2D2458B4B0B2F150A45007792754545A5B15C91CA9BBA