Security Bulletin
Summary
There are multiple vulnerabilities addressed in OpenSSL that is used by IBM Systems Director(ISD) Platform Agent. These OpenSSL vulnerabilities were disclosed in January 2017 by the OpenSSL Project.
Vulnerability Details
CVEID: CVE-2017-3731
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an out-of-bounds read when using a specific cipher. By sending specially crafted truncated packets, a remote attacker could exploit this vulnerability using CHACHA20/POLY1305 to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121312 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-3732
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a propagation error in the BN_mod_exp() function. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
IBM Systems Director:
- 6.3.5.0
- 6.3.6.0
- 6.3.7.0
Remediation/Fixes
To determine the ISD level installed, enter smcli lsver on a command line. IBM Systems Director versions pre-6.3.5 are unsupported and will not be fixed. IBM recommends upgrading to a fixed, supported version of the product.
Please follow the instructions provided to apply fixes on the below releases.
- 6.3.5.0
- 6.3.6.0
- 6.3.7.0
1. Open the below link to download the fix:
2. Select the below fix package that includes fixes for all the supported platforms:
SysDir6_3_5_0_6_3_6_0_6_3_7_0_IT20035_IT20036_IT20037_IT20038
3. Follow the Instructions in the table for your desired platform
| Product | VRMF | Associated Technote |
| IBM Systems Director and IBM Systems Director Platform Agent | Xlinux Platform Agent 6.3.5 to 6.3.7 | 812945449 Go to http://www-01.ibm.com/support/us/search/ and search for the technote number. |
| IBM Systems Director and IBM Systems Director Platform Agent | Windows Platform Agent 6.3.5 to 6.3.7 | 812942115 Go to http://www-01.ibm.com/support/us/search/ and search for the technote number. |
| IBM Systems Director and IBM Systems Director Platform Agent | Power Linux Platform Agent 6.3.5 to 6.3.7 | 812924559 Go to http://www-01.ibm.com/support/us/search/ and search for the technote number. |
| IBM Systems Director and IBM Systems Director Platform Agent | Zlinux Platform Agent 6.3.5 to 6.3.7 | 812977661 Go to http://www-01.ibm.com/support/us/search/ and search for the technote number. |
| IBM Systems Director and IBM Systems Director Platform Agent | AIX Platform Agent 6.3.5 to 6.3.7 | 812925254 Go to http://www-01.ibm.com/support/us/search/ and search for the technote number. |
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
14 April 2017 : Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
isg3T1025103