CVSS2 Base Score: 5 (Medium)

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | NONE
Availability Impact | NONE
Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N
There are multiple vulnerabilities in OpenSSL, which is used by IBM Tivoli Composite Application Manager for Transactions. These issues were disclosed on January 8, 2015 by the OpenSSL Project.
CVE-ID:CVE-2014-3570
DESCRIPTION: An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.
CVSS Base Score: 2.600
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99710> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVE-ID:CVE-2014-3571
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.000
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99703> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID:CVE-2014-3572
DESCRIPTION: OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 1.200
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99705> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)
CVE-ID:CVE-2014-8275
DESCRIPTION: OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.
CVSS Base Score: 1.200
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99709> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)
CVE-ID:CVE-2015-0204
DESCRIPTION: OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 4.300
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-ID:CVE-2015-0205
DESCRIPTION: OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.
CVSS Base Score: 2.100
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99708> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)
CVE-ID:CVE-2015-0206
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.
CVSS Base Score: 5.000
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99704> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
IBM Tivoli Composite Application Manager (ITCAM) for Transactions is affected. ITCAM for Transactions contains multiple sub components (Agents). Only the Internet Service Monitor (ISM – Agent code ‘IS’) is affected.
Versions:
· 7.4 – Affected by CVEs: CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206
· 7.3 – Affected by CVEs: CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206
· 7.2 – Affected by CVEs: CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206
Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
7.4.0.0-TIV-CAMIS-IF0026 | 7.4.0.0 | None | http://www.ibm.com/support/docview.wss?uid=isg400002083
7.3.0.1-TIV-CAMIS-IF0034 | 7.3.0.1 | None | http://www.ibm.com/support/docview.wss?uid=isg400002090
7.2.0.3-TIV-CAMIS-IF0029 | 7.2.0.3 | None | http://www.ibm.com/support/docview.wss?uid=isg400002107
For unsupported versions/releases IBM recommends upgrading to a fixed, supported version/release/platform of the product.
CPE | Name | Operator | Version
---|---|---|---
 | tivoli composite application manager for transactions | eq | 7.4