Security Bulletin: Power Systems Firmware is affected by the following OpenSSL vulnerabilities: (CVE-2014-0224)


Summary

Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project.

Vulnerability Details

CVE-ID: CVE-2014-0224
DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic.

CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Affected Products and Versions

Versions (350)
350.00: 01Ex350_039_038
350.10: 01Ex350_049_038, 01Ex350_053_038, 01Ex350_054_038
350.20: 01Ex350_063_038
350.30: 01EA350_071_071, 01Ex350_071_038
350.40: 01EA350_074_074
350.50: 01EA350_085_074, 01Ex350_085_038
350.60: 01EA350_103_074, 01Ex350_103_038
350.70: 01EA350_107_074, 01Ex350_107_038
350.80: 01EA350_108_074, 01Ex350_108_038
350.90: 01EA350_118_074, 01Ex350_118_038, 01Ex350_120_038
350.A0: 01EA350_126_074, 01Ex350_126_038
350.B0: 01EA350_132_074, 01Ex350_132_038
350.B1: 01EA350_136_074
350.C0: 01Ex350_143_038
350.D0: 01EA350_149_074, 01Ex350_149_038

350 Platforms Impacted:
IBM BladeCenter JS12 Express (7998-60X)
IBM BladeCenter JS22 (7998-61X)
IBM BladeCenter JS23 (7778-23X)
IBM BladeCenter JS43 (7778-23X with feature code 8446)
IBM Power 520 Express (9407-M15)
IBM Power 520 Express (9408-M25)
IBM Power 520 Express (8203-E4A) F/C 5633
IBM Power 520 Express (8203-E4A) F/C 5634
IBM Power 520 Express (8203-E4A) F/C 5635
IBM Power 520 Express (8203-E4A) F/C 5577
IBM Power 520 Express (8203-E4A) F/C 5587
IBM Power 550 Express (9409-M50)
IBM Power 550 Express (8204-E8A) F/C 4965
IBM Power 550 Express (8204-E8A) F/C 4667
IBM Power 560 Express (8234-EMA)
IBM Power 570 (9406-MMA)
IBM Power 570 (9117-MMA)
IBM Power 575 (9125-F2A)
IBM Power 595 (9119-FHA)

Versions (730)
730.00: 01Ax730_031_031, 01Ax730_039_035, 01AA730_039_035
730.20: 01Ax730_045_035
730.30: 01Ax730_049_035, 01Ax730_051_035, 01Ax730_052_035
730.40: 01Ax730_058_035, 01AA730_059_035, 01AL730_060_035
730.45: 01Ax730_065_035
730.46: 01Ax730_066_035
730.50: 01Ax730_078_035
730.51: 01Ax730_087_035
730.60: 01AA730_094_035, 01Ax730_095_035
730.61: 01Ax730_099_035
730.70: 01Ax730_114_035
730.71: 01Ax730_115_035
730.72: 01Ax730_116_035
730.80: 01Ax730_122_035
730.90: 01Ax730_127_035

730 Platforms Impacted:
IBM Power PS700 (8406-70Y)
IBM Power PS701 (8406-71Y)
IBM Power PS702 (8406-71Y)
IBM Power PS703 (7891-73X)
IBM Power PS704 (7891-74X)
IBM Power 750 (8233-E8B)
IBM Power 755 (8236-E8C)
IBM Power 710 Express (8231-E2B)
IBM Power 730 Express (8231-E2B)
IBM Power 720 Express (8202-E4B)
IBM Power 740 Express (8205-E6B)
IBM Power 770 (9117-MMB)
IBM Power 780 (9179-MHB)

Versions (740)
740.00: 01Ax740_042_042
740.10: 01Ax740_043_042
740.15: 01Ax740_045_042
740.16: 01Ax740_046_042
740.20: 01Ax740_075_042
740.21: 01Ax740_077_042
740.40: 01Ax740_088_042
740.50: 01Ax740_095_042
740.51: 01Ax740_098_042
740.52: 01Ax740_100_042
740.60: 01Ax740_110_042
740.61: 01Ax740_112_042
740.70: 01Ax740_121_042
740.80: 01Ax740_126_042

740 Platforms Impacted:
IBM Power 710 (8231-E1C)
IBM Power 720 (8202-E4C)
IBM Power 730 (8231-E2C)
IBM Power 740 (8205-E6C)
IBM Power 770 (9117-MMC)
IBM Power 780 (9179-MHC)

Versions (760)
760.00: Ax760_034_034
760.10: Ax760_043_043, Ax760_043_034, AM760_044_034
760.11: Ax760_051_034
760.20: AM760_062_034, AH760_062_043
760.30: AM760_068_034, AH760_068_043
760.31: AM760_069_034, AH760_069_043
760.40: AM760_078_034, AH760_078_043

760 Platforms Impacted:
IBM Power 770 (9117-MMD)
IBM Power 780 (9179-MHD)
IBM Power ESE (8412-EAD)
IBM Power 795 (9119-FHB)

Versions (770)
770.00: 01AL770_032_032
770.10: 01Ax770_038_032
770.20: 01Ax770_048_032
770.21: 01Ax770_052_032
770.22: 01Ax770_055_032
770.31: 01Ax770_063_032
770.32: 01Ax770_076_032

770 Platforms Impacted:
IBM Power 780 (9179-MHC)
IBM Power 770 (9117-MMC)
IBM Power 760 (9109-RMD)
IBM Power 750 (8408-E8D)
IBM PowerLinux 7R4 (8248-L4T)
IBM PowerLinux 7R2 (8246-L2D)
IBM PowerLinux 7R2 (8246-L2T)
IBM PowerLinux 7R1 (8246-L1D)
IBM PowerLinux 7R1 (8246-L1T)
IBM Power 740 (8205-E6D)
IBM Power 730 (8231-E2D)
IBM Power 720 (8202-E4D)
IBM Power 720 (8202-40A)
IBM Power 710 (8231-E1D)
IBM Power 710 (8268-E1D)

Versions (773)
773.00: 01AF773_033_033
773.01: 01AF773_035_033
773.10: 01AF773_051_033
773.11: 01AF773_054_033
773.12: 01AF773_056_033

773 Platforms Impacted:
IBM Flex System p270 (7954-24X)
IBM Flex System p260 (7895-23X)
IBM Flex System p260 (7895-23A)
IBM Flex System p460 (7895-43X)
IBM Flex System p260 (7895-22X)
IBM Flex System p460 (7895-42X)
IBM Flex System p24L (1457-7FL)

Versions (780)
780.00: 01Ax780_040_040
780.01: 01Ax780_050_040
780.02: 01Ax780_054_040
780.10: 01Ax780_056_040

780 Platforms Impacted:
IBM Power 770 (9117-MMB)
IBM Power 780 (9179-MHB)
IBM Power 770 (9117-MMD)
IBM Power 780 (9179-MHD)
IBM Power ESE (8412-EAD)
IBM Power 795 (9119-FHB)

Versions (783)
783.00: AF783_021_021

783 Platforms Impacted:
IBM Flex System p260 Compute Node (7895-22X)
IBM Flex System p460 Compute Node (7895-42X)
IBM Flex System p24L Compute Node (1457-7FL)
IBM Flex System p260 Compute Node (7895-23X)
IBM Flex System p260 Compute Node (7895-23A)/FC EFD9
IBM Flex System p460 Compute Node (7895-43X)
IBM Flex System p270 Compute Node (7954-24X)

Versions (810)
810.00: 01SV810_054_054

810 Platforms Impacted:
IBM Power System S822 (8284-22A)
IBM Power System S814 (8286-41A)
IBM Power System S824 (8286-42A)
IBM Power System S822L (8247-22L)

Remediation/Fixes

Customers on Version 350, upgrade to 350.E0: 01Ex350_159 or higher.
Customers on Version 730, upgrade to 730.91: 01Ax730_142 or higher.
Customers on Version 740, upgrade to 740.81: 01Ax740_152 or higher.
Customers on Version 760, upgrade to 760.41: Ax760_079 or higher.
Customers on Version 770, upgrade to 770.40: 01Ax770_090 or higher.
Customers on Version 773, upgrade to 773.13: 01AF773_058 or higher.
Customers on Version 780, upgrade to 780.11: 01Ax780_059 or higher.
Customers on Version 783.00, upgrade to 783.01: 01AF783_022 or higher.
Customers on Version 810.00, upgrade to 810.01: 01SV810_052 or higher.

The fix can be obtained from Fix Central by providing the machine type-model (MTM) and the current fix level.

Workarounds and Mitigations

None known

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

06/24/14: Information for Versions 780, 783 and 810 published.
06/25/14: Information for Versions 350, 730, 740 and 760 added.
06/27/14: Information for Version 770 added.
07/03/14: Information for Version 773 added.




*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information
Segment: Operating System; Product: IBM i; Version: 7.2
Segment: Operating System; Product: IBM i; Version: 7.1

Document information

More support for: IBM i
Security

Software version: 6.1.1, 7.1, 7.1.0, 7.2, 7.2.0

Operating system(s): IBM i

Reference #: N1020172

Modified date: 23 September 2015

