Security Bulletin: Vulnerabilities in OpenSSL affect Cloud Pak System

2024-10-28 16:38:11
www.ibm.com
Tags: openssl, vulnerabilities, denial of service, cloud pak system, ibm cloud pak system v2.3.3, ibm cloud pak system v2.3.4, upgrade

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
AI Score: 7.1
Confidence: High
EPSS: 0.005
Percentile: 77.1%

Summary

Vulnerabilities identified in OpenSSL affect Cloud Pak System.

Vulnerability Details

**CVEID:** CVE-2023-2650
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a flaw when using OBJ_obj2txt() directly, or when using any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/256611 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2023-0464
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an error in the verification of X.509 certificate chains that include policy constraints. By creating a specially crafted certificate chain that triggers exponential use of computational resources, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/250736 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2023-0466
**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the X509_VERIFY_PARAM_add0_policy function. By using invalid certificate policies, an attacker could exploit this vulnerability to bypass certificate verification.
CVSS Base score: 3.7
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/251307 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2023-0465
**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw when using a non-default option to verify certificates. By using invalid certificate policies in leaf certificates, an attacker could exploit this vulnerability to bypass policy checking.
CVSS Base score: 3.7
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/251293 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Cloud Pak System | 2.3.3.7, 2.3.3.7 iFix1, 2.3.3.7 iFix2 (Power) |
| IBM Cloud Pak System | 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2 (Intel) |
| IBM Cloud Pak System | 2.3.4.0 (Intel) |

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by applying the fixes listed below.

This security bulletin applies to Cloud Pak System, Cloud Pak System Software, Cloud Pak System Software Suite.

IBM Cloud Pak System v2.3.4.1 ships with OS image Red Hat Enterprise Linux System 5.0.0.0, based on Red Hat Enterprise Linux v9.4, and IBM Cloud Pak System v2.3.5.0 ships with AIX OS image 3.1.3.0, based on AIX 7.2 TL5 SP8. Both include OpenSSL v3.0.x.

For Intel, first upgrade to the minimum required Fix Pack, Cloud Pak System v2.3.4.0, then apply Cloud Pak System v2.3.4.1 from IBM Fix Central. Information on upgrading: http://www.ibm.com/support/docview.wss?uid=ibm10887959

For Power, apply IBM Cloud Pak System v2.3.5.0 from IBM Fix Central. Information on upgrading: http://www.ibm.com/support/docview.wss?uid=ibm10887959

For unsupported versions, the recommendation is to upgrade to a supported version of the product.

Workarounds and Mitigations

None

Affected configurations

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | cloud_pak_system | 2.3 | cpe:2.3:a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:* |
