
Security Bulletin: IBM DS8870 Release 7.2 is affected by an additional vulnerability in OpenSSL (CVE-2014-0160)

Summary

A vulnerability has been discovered in OpenSSL that affects the IBM Power servers incorporated in the IBM DS8870. Another IBM security bulletin addresses this vulnerability in these IBM Power servers generally (https://www-304.ibm.com/support/docview.wss?uid=nas8N1020034); this bulletin addresses it in the specific context of the servers' use in the DS8870. (This bulletin covers a vulnerability that is separate and distinct from the one in the DS8870 OpenSSL security bulletin published at https://www-304.ibm.com/support/docview.wss?uid=ssg1S1004582.)

Vulnerability Details

CVE-ID: CVE-2014-0160
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a missing bounds check in the TLS/DTLS heartbeat extension. By sending a heartbeat request whose declared payload length exceeds the data actually sent, an attacker can read up to 64 KB of the process's private memory per request, which may contain private keys, session material, or other secrets, and can repeat the request to expose additional 64 KB chunks. The vulnerability is remotely exploitable, requires no authentication, and the exploit is not complex. It can be exploited on any endpoint (i.e. server, client, or agent) that completes a TLS/DTLS handshake using the vulnerable OpenSSL library.
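The mechanism behind the description above, as an added illustration that is not OpenSSL's source and not part of the IBM bulletin: a C model of a heartbeat handler that trusts the peer's payload length (the CVE-2014-0160 shape), beside the form with the two length checks the upstream fix added. The struct, function names, the 256-byte memory image and the SECRET string standing in for neighbouring heap data are all constructed for the example; a real attacker is bounded only by the 16-bit length field, which is why up to 64 KB can be read per request.

```c
/*
 * Model of the CVE-2014-0160 heartbeat bug and its fix.
 * Added illustration, not OpenSSL source: mirrors the control flow of
 * tls1_process_heartbeat() and the 1.0.1g bounds checks over a constructed
 * in-memory "record" followed by constructed neighbouring data.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING        16    /* RFC 6520: at least 16 bytes of padding */
#define MEM_SIZE          256   /* constructed memory image for the demo  */
#define OUT_SIZE          256

/* Constructed stand-in for whatever sits next to the record buffer. */
static const char SECRET[] = "CONSTRUCTED SECRET -----BEGIN RSA PRIVATE KEY-----";

struct hb_record {
    const uint8_t *rec;   /* start of the heartbeat message              */
    size_t rec_len;       /* bytes actually received (s->s3->rrec.length) */
};

/* 16-bit big-endian read, as OpenSSL's n2s() macro does. */
static uint16_t n2s(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Response construction once 'payload' is trusted: header + echo + padding. */
static size_t build_response(const uint8_t *pl, uint16_t payload,
                             uint8_t *out, size_t out_cap) {
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, pl, payload);             /* echoes 'payload' bytes from pl */
    memset(out + 3 + payload, 0, HB_PADDING); /* OpenSSL used random padding  */
    return resp_len;
}

/* Vulnerable: the length comes from the peer and is never compared with
 * rec_len, so the memcpy above reads past the end of the received data. */
size_t process_heartbeat_vulnerable(const struct hb_record *r,
                                    uint8_t *out, size_t out_cap) {
    const uint8_t *p = r->rec;
    if (r->rec_len < 3 || p[0] != TLS1_HB_REQUEST)
        return 0;
    uint16_t payload = n2s(p + 1);            /* attacker-controlled, <= 65535 */
    return build_response(p + 3, payload, out, out_cap);
}

/* Fixed: check the minimum size, then the claimed payload, against what was
 * actually received; a malformed request is silently discarded. */
size_t process_heartbeat_fixed(const struct hb_record *r,
                               uint8_t *out, size_t out_cap) {
    const uint8_t *p = r->rec;
    if (1 + 2 + HB_PADDING > r->rec_len)
        return 0;
    if (p[0] != TLS1_HB_REQUEST)
        return 0;
    uint16_t payload = n2s(p + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > r->rec_len) /* the Heartbleed check */
        return 0;
    return build_response(p + 3, payload, out, out_cap);
}

/* Build the image (request record, then SECRET) and run one handler.
 * Returns 1 if SECRET appears in the response, 0 if a response was sent
 * without it, -1 if the request was discarded, -2 if 'claimed' would read
 * outside the model image (kept bounded so the demo itself is well-defined). */
int heartbeat_probe(int use_fixed, uint16_t claimed) {
    uint8_t memory[MEM_SIZE], out[OUT_SIZE];
    const size_t rec_len = 1 + 2 + 1 + HB_PADDING;    /* one real payload byte */
    if (3 + (size_t)claimed > MEM_SIZE)
        return -2;
    memset(memory, 0, sizeof memory);
    memory[0] = TLS1_HB_REQUEST;
    memory[1] = (uint8_t)(claimed >> 8);
    memory[2] = (uint8_t)(claimed & 0xff);
    memory[3] = 'A';                                   /* the only real payload byte */
    memcpy(memory + rec_len, SECRET, sizeof SECRET);   /* adjacent data in the image */

    struct hb_record r = { memory, rec_len };
    size_t n = use_fixed ? process_heartbeat_fixed(&r, out, sizeof out)
                         : process_heartbeat_vulnerable(&r, out, sizeof out);
    if (n == 0)
        return -1;
    /* memory[rec_len] lands at out[rec_len]: both sit after a 3-byte header. */
    if (3 + (size_t)claimed >= rec_len + strlen(SECRET) &&
        memcmp(out + rec_len, SECRET, strlen(SECRET)) == 0)
        return 1;
    return 0;
}

int main(void) {
    printf("honest request (len 1):   vulnerable=%d fixed=%d\n",
           heartbeat_probe(0, 1), heartbeat_probe(1, 1));
    printf("claimed len 128, sent 1:  vulnerable=%d fixed=%d\n",
           heartbeat_probe(0, 128), heartbeat_probe(1, 128));
    return 0;
}
```

The honest request is answered identically by both handlers; the over-long claim makes the vulnerable handler echo the constructed SECRET while the fixed handler drops the record without replying, which is also why a probe that observes a response larger than the data it sent can detect the unpatched state.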

CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

IBM's standard and recommended configuration for the IBM DS8870 does not connect the service processor ports on the IBM Power servers to any network other than the private network between those ports and the DS8870 hardware management console (HMC). As a result, this OpenSSL vulnerability in the DS8870's Power servers should generally be a limited threat, provided the Power server service processor ports in your DS8870 have not been connected to other networks and the mitigations identified below are followed.

Affected Products and Versions

DS8870 Release 7.2

Remediation/Fixes

This vulnerability is fixed in DS8870 Release 7.3. Please contact your IBM representative to order and install DS8870 Release 7.3.

IBM currently plans to make a fix available for this vulnerability in DS8870 Release 7.2 in a service release scheduled for late June. This bulletin will be updated when this is available.

Although IBM suggests you install a fix for this vulnerability, you can consider the mitigations identified below in determining when and how to implement these fixes in your particular environment.

Workarounds and Mitigations

The following steps can help mitigate, but not eliminate, the risks of this vulnerability:

Ensure that the DS8870 HMC is installed behind a firewall that limits access to the HMC ports.

Ensure that access to the DS8870 HMC is restricted to trusted personnel.

Ensure that no Flexible Service Processor (FSP) ports on the Power servers in the DS8870 are connected to a reachable network (this is the standard and recommended DS8870 configuration).

References

Complete CVSS v2 Guide
On-line Calculator v2

Acknowledgement

None

Change History

2014-06-09 Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: DS8870

Version: 7.2

Operating system(s): N/A

Software edition: N/A

Reference #: S1004661

Modified date: 08 June 2014
