Security Bulletin
Summary
Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project.
IBM Real-time Compression Appliance is exposed to CVE-2014-0224, CVE-2014-0198, CVE-2010-5298.
Vulnerability Details
CVE-ID: CVE-2014-0224
DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify management traffic only.
CVSS Base Score: 5.8
CVE-ID: CVE-2014-0198
DESCRIPTION: OpenSSL that has SSL_MODE_RELEASE_BUFFERS enabled, is vulnerable to data injection across sessions or denial of service, by remote attackers via an SSL connection.
CVSS Base Score: 4.8
CVE-ID: CVE-2010-5298
DESCRIPTION: Open SSL is vulnerable to data injection across sessions and denial of service (use-after-free and parsing error) via an SSL connection in a multi threaded environment, caused when SSL_MODE_RELEASE_BUFFERS is enabled.
CVSS Base Score: 4
Affected Products and Versions
IBM Real-time Compression Appliance versions:
4.1.2
3.9.1
3.8.0
Remediation/Fixes
Customers are advised to upgrade to the following releases: 3.8.1.06, 3.9.1.07 or 4.1.2.03 |
Get Notified about Future Security Bulletins
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
ssg1S1004830