Security Bulletin: January 2016 OpenSSL Vulnerabilities in Multiple N series Products
Summary Multiple N series products incorporate the OpenSSL software libraries to provide cryptographic capabilities. OpenSSL versions below 1.0.2f and 1.0.1r are susceptible to vulnerabilities that could lead to man-in-the-middle attacks. Multiple N series Products have addressed the applicable...
Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Virtualization Engine TS7700 - July 2017
Summary There are multiple vulnerabilities in IBM SDK, Java Technology Edition, Versions 6, 7 and 8, that are used by IBM Virtualization Engine TS7700. These issues were disclosed as part of the IBM Java SDK updates in July 2017. Vulnerability Details CVEID: CVE-2017-10067 DESCRIPTION: An...
Security Bulletin: Multiple vulnerabilities in Network Time Protocol (NTP) affect IBM Virtualization Engine TS7700 (CVE-2015-7848, CVE-2015-7855)
Summary There are multiple vulnerabilities in the Network Time Protocol (NTP) implementation embedded within the IBM Virtualization Engine TS7700. Vulnerability Details CVEID: CVE-2015-7848 DESCRIPTION: Network Time Protocol (NTP) is vulnerable to a denial of service, caused by a multiple integer...
Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0603)
Summary Multiple N Series Products incorporate the Oracle Java Platform, Standard Edition (Java SE) software libraries. Java SE JDK and JRE versions below 6u113, 7u97 or 8u73 are susceptible to a vulnerability potentially leading to an unauthorized Operating System takeover. Vulnerability Details...
Security Bulletin: Apache Commons Collection Java Deserialization Vulnerability in Multiple N series Products
Summary Multiple N series products incorporate the Apache Commons Collection library. Versions of Apache Commons Collection before 3.2.2 and including 4.0 are susceptible to a vulnerability that could be exploited to allow remote attackers to execute arbitrary commands on the system. Multiple N...
Security Bulletin: HTTP Response Splitting in WebSphere Application Server affects IBM Virtualization Engine TS7700 (CVE-2016-0359)
Summary There is a potential HTTP response splitting vulnerability in IBM WebSphere Application Server as used by the IBM Virtualization Engine TS7700. Vulnerability Details CVEID: CVE-2016-0359 DESCRIPTION: IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remo...
Security Bulletin: Vulnerabilities in OpenSSH affect IBM XIV Gen2 (CVE-2016-0777, CVE-2016-0778)
Summary An information leak flaw and buffer overflow flaw in the way the OpenSSH client roaming feature was implemented affects IBM XIV Gen2. Vulnerability Details CVEID: CVE-2016-0777 DESCRIPTION: OpenSSH could allow a remote attacker to obtain sensitive information, caused by a client informati...
Security Bulletin: Vulnerabilities in OpenSSH affect IBM XIV Gen3 (CVE-2016-0777, CVE-2016-0778)
Summary An information leak flaw and buffer overflow flaw in the way the OpenSSH client roaming feature was implemented affects IBM XIV Gen3. Vulnerability Details CVEID: CVE-2016-0777 DESCRIPTION: OpenSSH could allow a remote attacker to obtain sensitive information, caused by a client informati...
Security Bulletin: IBM Virtualization Engine TS7700 Is Affected by IBM GPFS Security Vulnerabilities (CVE-2015-4974 CVE-2015-4981)
Summary Security vulnerabilities have been identified in the current levels of IBM GPFS as used by the TS7700: - could allow a local non-privileged attacker to execute commands with root privileges (CVE-2015-4974) - could allow a local non-privileged attacker to read system memory contents...
Security Bulletin: IBM Virtualization Engine TS7700 Is Affected by IBM GPFS Security Vulnerability (CVE-2015-1788)
Summary An OpenSSL denial of service vulnerability disclosed by the OpenSSL Project affects GSKit, which is used by the version of IBM GPFS used by the TS7700. Vulnerability Details CVEID: CVE-2015-1788 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error when processing ...
Security Bulletin: Vulnerability in Apache Commons affects IBM Virtualization Engine TS7700 (CVE-2015-7450)
Summary An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Virtualization Engine TS7700. Vulnerability Details CVEID: CVE-2015-7450 DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system,...
Security Bulletin: Multiple vulnerabilities in IBM Java SDKs affect IBM Virtualization Engine TS7700 - July 2015
Summary There are multiple vulnerabilities in IBM® SDKs Java™ Technology Edition, Versions 5, 6 and 7, that are used by IBM Virtualization Engine TS7700. These issues were disclosed as part of the IBM Java SDK updates in July 2015. Vulnerability Details CVEID: CVE-2015-2613 DESCRIPTION: An...
Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Virtualization Engine TS7700 (CVE-2015-4000)
Summary The Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects IBM Virtualization Engine TS7700. Vulnerability Details CVEID: CVE-2015-4000 DESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to...
Security Bulletin: IBM Virtualization Engine TS7700 is affected by vulnerabilities in IBM General Parallel File System (CVE-2015-0197, CVE-2015-0198)
Summary Security vulnerabilities have been identified in current levels of GPFS V3.5 and V3.4 as used within the IBM Virtualization Engine TS7700: - could allow a local attacker which only has a non-privileged account to execute programs with root privileges (CVE-2015-0197) - may not properly...
Security Bulletin: Vulnerability in OpenSSL affects IBM XIV Storage System Gen3 (CVE-2014-3570)
Summary OpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. OpenSSL is used by IBM XIV Storage System. IBM XIV Storage System has addressed the applicable CVE. We are unaware of any customer being affected by this issue. Vulnerability Details CVEID: CVE-2014-3570...
Security Bulletin: Vulnerability in RC4 stream cipher affects the IBM Virtualization Engine TS7700 (CVE-2015-2808)
Summary The RC4 “Bar Mitzvah” Attack for SSL/TLS affects the IBM Virtualization Engine TS7700. Vulnerability Details CVEID: CVE-2015-2808 DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could...
Security Bulletin: IBM Virtualization Engine TS7700 - SSH Server CBC Mode Ciphers Enabled (CVE-2008-5161)
Summary The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Vulnerability Details CVEID: CVE-2008-5161 DESCRIPTION: The SSH server is configured to support Cipher Block Chaining (CBC)...
Security Bulletin: IBM Virtualization Engine TS7700 - The NTP monlist command is enabled (CVE-2013-5211)
Summary The NTP daemon on the TS7700 has the 'monlist' command enabled. This command returns a list of recent hosts that have connected to the service. Vulnerability Details CVEID: CVE-2013-5211 DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error in the monlist feature in...
Security Bulletin: Vulnerability in SSLv3 affects IBM XIV Storage System Gen 2 (CVE-2014-3566)
Summary SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM XIV Storage System Gen2. Vulnerability Details CVEID: CVE-2014-3566 DESCRIPTION: Product could allow a remote attacker to obtain sensitive...
Security Bulletin: Vulnerability in SSLv3 affects IBM XIV Storage System Gen 3.0 (CVE-2014-3566)
Summary SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM XIV Storage System Gen 3.0. Vulnerability Details CVEID: CVE-2014-3566 DESCRIPTION: Product could allow a remote attacker to obtain sensitiv...