Flashes (Alerts)
Abstract
Multiple security problems exist in the IBM GSKit libraries that IBM Informix and IBM Informix ClientSDK use to provide communications security and other cryptographic functionality.
Content
CVE ID: CVE-2012-2190
DESCRIPTION:
GSKit allows remote attackers to cause a denial of service (daemon crash) via a crafted ClientHello message in the TLS Handshake Protocol.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/75994 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE ID: CVE-2012-2191
DESCRIPTION:
GSKit does not properly validate data while executing its countermeasure against the Vaudenay SSL/TLS CBC padding-oracle timing attack, which allows remote attackers to cause a denial of service (application crash) via crafted values in the TLS Record Layer.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/75996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE ID: CVE-2012-2203
DESCRIPTION:
GSKit uses the PKCS #12 file format for certificate objects without enforcing the file's integrity protection, which makes it easier for remote attackers to spoof SSL servers via vectors involving insertion of an arbitrary root Certification Authority (CA) certificate into the keystore.
CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/77280 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
AFFECTED PRODUCTS:
IBM Informix 11.50.xC9W2 or earlier
IBM Informix 11.70.xC6 or earlier
IBM Informix ClientSDK 3.50.xC9W2 or earlier
IBM Informix ClientSDK 3.70.xC6 or earlier
REMEDIATION:
Upgrade to the latest fixpack for the products.
Fix(es):
The fix is available in these versions at Fix Central:
IBM Informix 11.50 — upgrade to Informix 11.50.xC9W3 or later
IBM Informix 11.70 — upgrade to Informix 11.70.xC7 or later
IBM Informix ClientSDK 3.50 — upgrade to CSDK 3.50.xC9W3 or later
IBM Informix ClientSDK 3.70 — upgrade to CSDK 3.70.xC7 or later
Workaround(s): None known.
Mitigation(s): None known.
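The affected and fixed levels above are expressed with IBM's "x" placeholder for the platform letter, and interim fixpacks (the W suffix) order between their base fixpack and the next one, so a plain string comparison gets 11.50.xC9W2 versus 11.50.xC10 wrong. The following is an added example, not IBM's code, that parses the version as `onstat -` (server) or `esql -V` (ClientSDK) report it and compares it against the fixed levels named in this Flash. The banner texts in the sample are constructed for illustration, and the assumption that every relevant version string has the form <release>.<platform letter>C<fixpack>[W<interim>] is the example's own.

```python
"""Check an IBM Informix / ClientSDK version level against the fixed
levels named in this Flash.

Added example, not IBM's code.  Assumes the version appears in the form
<release>.<platform letter>C<fixpack>[W<interim>], e.g. 11.50.FC9W2; the
"x" in the Flash's 11.50.xC9W2 stands for the platform letter.
"""
import re
from typing import Optional, Tuple

# Release -> (fixpack, interim) of the first level that contains the fix,
# taken from the Fix(es) list in this Flash.  Interim 0 is the base fixpack.
FIXED_LEVELS = {
    ("Informix", "11.50"): (9, 3),   # 11.50.xC9W3 or later
    ("Informix", "11.70"): (7, 0),   # 11.70.xC7 or later
    ("ClientSDK", "3.50"): (9, 3),   # 3.50.xC9W3 or later
    ("ClientSDK", "3.70"): (7, 0),   # 3.70.xC7 or later
}

# release . <one platform letter> C <fixpack> [W <interim>]
_VERSION_RE = re.compile(
    r"(?P<release>\d+\.\d+)\.[A-Za-z]C(?P<fixpack>\d+)(?:W(?P<interim>\d+))?"
)


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Extract (release, (fixpack, interim)) from a version string or banner.

    Returns None when no Informix-style version is present.  Interim
    fixpacks sit between their base fixpack and the next one, so
    11.50.xC9W2 < 11.50.xC9W3 < 11.50.xC10, which the tuple order gives.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    interim = int(m.group("interim")) if m.group("interim") else 0
    return m.group("release"), (int(m.group("fixpack")), interim)


def is_affected(product: str, text: str) -> Optional[bool]:
    """True if the level is earlier than the fixed level for its release,
    False if it is at or past it, None if the release is not one this Flash
    covers or the string cannot be parsed (undetermined, not 'safe')."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    release, level = parsed
    fixed = FIXED_LEVELS.get((product, release))
    if fixed is None:
        return None
    return level < fixed


if __name__ == "__main__":
    # Constructed sample banners (hypothetical hosts) in the `onstat -` /
    # `esql -V` layout; they are not output captured from real systems.
    samples = [
        ("Informix", "IBM Informix Dynamic Server Version 11.50.FC9W2 -- On-Line -- Up 3 days"),
        ("Informix", "IBM Informix Dynamic Server Version 11.70.FC7 -- On-Line -- Up 1 day"),
        ("ClientSDK", "IBM Informix CSDK Version 3.70, IBM Informix-ESQL Version 3.70.UC6"),
        ("Informix", "IBM Informix Dynamic Server Version 12.10.FC1 -- On-Line"),
    ]
    labels = {True: "AFFECTED", False: "fixed", None: "not covered by this Flash"}
    for product, banner in samples:
        print(f"{product:10s} {banner[:62]:62s} -> {labels[is_affected(product, banner)]}")
```

A None result means the release is outside the scope of this Flash and must be checked against its own bulletin; treating it as "fixed" would silently pass releases the table does not describe.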
REFERENCES:
RELATED INFORMATION:
CHANGE HISTORY: 2013-04-12 Original version published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Document Information
Modified date: 26 September 2022
UID: swg21620711