Security Bulletin: IBM Security Virtual Server Protection for VMware System can be affected by vulnerabilities in OpenSSL (CVE-2013-0169, CVE-2013-0166, and CVE-2011-4354)

Flash (Alert)


Abstract

IBM Security Virtual Server Protection for VMware System can be affected by several vulnerabilities in OpenSSL. These vulnerabilities include obtaining sensitive information and denial of service vulnerabilities that could be exploited remotely by an attacker.

Content

VULNERABILITY DETAILS

The following information was provided by OpenSSL. In the case of IBM Security Virtual Server Protection for VMware System the SSH can be affected by the vulnerabilities. Further, for each vulnerability identified below, no authentication is required, the vulnerability is remotely exploitable, and no specialized knowledge is required.

CVE-ID: CVE-2013-0169

DESCRIPTION:


A weakness in the handling of cipher-block chaining (CBC) ciphersuites in Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) could lead to plaintext recovery of sensitive information by exploiting timing differences arising during message authentication codes (MAC) processing. The CVSS score is based on IBM X-Force rankings.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector (AV:N/AC:M/Au:N/C:P/I:N/A:N)



CVE-ID: CVE-2013-0166

DESCRIPTION:

OpenSSL is vulnerable to a denial of service, caused by an error when handling Online Certificate Status Protocol (OCSP) response verification. A remote attacker could exploit this vulnerability to cause the application to become unresponsive.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81904 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector (AV:N/AC:L/Au:N/C:N/I:N/A:P)



CVE-ID CVE 2011-4354

DESCRIPTION:


OpenSSL could allow a remote attacker to obtain sensitive information, caused by a computation error when using NIST elliptic curves P-256 or P-384. An attacker could exploit this vulnerability to obtain the Elliptic curve cryptography (ECC) private key of a TLS server.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/71601 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector (AV:N/AC:L/Au:N/C:P/I:N/A:N)


AFFECTED PRODUCTS AND VERSIONS:

Products: IBM Security Virtual Server Protection for VMware (VSP)
Versions: 1.0, 1.1, 1.1.0.1, 1.1.1

REMEDIATION:

The following IBM Threat Fixpacks have the fixes for these vulnerabilities.

· 1.1.0.1-ISS-VSP-scm-IF002 for IBM Security Virtual Server Protection for VMware System products at version 1.1.0.1
(http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Security+Virtual+Server+Protection+for+VMware&release=1.1.0.1&platform=VMware&function=all)
· 1.1.1.2-ISS-VSP-svm-FP002 IBM Security Virtual Server Protection for VMware System products at version 1.1.1
(http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Security+Virtual+Server+Protection+for+VMware&release=1.1.1.0&platform=VMware&function=all)

IBM Security Virtual Server Protection for VMware System users on version 1.0 or 1.1 should upgrade to version 1.1.0.1, with fixpack 1.1.0.1-ISS-VSP-scm-IF002, or version 1.1.1, with fixpack 1.1.1.2-ISS-VSP-svm-FP002, or later.


Contact IBM Security Systems Support (http://www-947.ibm.com/support/entry/portal/overview) to upgrade to the above required Fixpacks.

Workaround(s):
None

Mitigation(s):
None

REFERENCES:


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


ACKNOWLEDGEMENT
None


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Security Virtual Server Protection for VMware

Software version:

1.0, 1.1, 1.1.0.1, 1.1.1.0

Operating system(s):

Firmware

Reference #:

1636105

Modified date:

2013-05-15

Translate my page

Machine Translation

Content navigation