GSKit Security Vulnerabilities addressed in IBM Tivoli Netcool OMNIbus

Flash (Alert)


Abstract

Several vulnerabilities related to the GSKit libraries used by Tivoli Netcool/OMNIbus have been resolved.

Content

VULNERABILITY DETAILS:
CVEID: CVE-2012-2190
Description: A vulnerability relating to session ID lengths in the SSL/TLS server has been discovered that impacts GSKit.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75994 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2012-2191
Description: GSKit Encrypted Record Length Vulnerability. During the investigation of the possible impact of CVE-2012-2333 on GSKit, a vulnerability in relation to SSL/TLS Record Layer Processing has been discovered.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2012-2203
Description: A vulnerability relating to PKCS#12 operations and the insertion of trust anchors exists in GSKit.

CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77280 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
-----------------------------------------------------------------
Description: OpenSSL versions prior to 1.0.0 do not follow best security practices and need to be upgraded. The following CVEs apply to those versions.

CVEID: CVE-2012-2131
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75099 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-2110
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74926 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-0884
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73916 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-0050
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72458 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2011-4108
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72128 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2011-4576
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72130 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2011-4577
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72131 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2011-4619
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72132 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2011-3210
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/69614 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2011-0014
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/68221 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVEID: CVE-2010-3864
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63293 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
--------------------------------------------------
Description: A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms can be exploited in a DoS attack.

CVEID: CVE-2013-0169
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-0166
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81904 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2012-2686
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81903 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
------------------------------------------------------------------
Description: GSKit Lucky 13 TLS CBC Timing Attack. The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

CVEID: CVE-2013-0169
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
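The Lucky 13 description above comes down to an ordering defect in the record check that follows CBC decryption: if an implementation gives up on a record as soon as the padding fails to parse, it never does the MAC work for that record, and the difference in processing time is observable. The model below is an added illustration written for this page; it is not GSKit or OpenSSL code. It assumes a simplified record layout (plaintext || HMAC-SHA1 tag || TLS-style padding) and skips decryption, the sequence number and the record header; it shows the pre-fix control flow beside the structure RFC 5246 section 6.2.3.2 recommends (compute the MAC even when the padding is wrong, then reject).

```python
"""Structural model of the Lucky 13 defect and its fix (added illustration).

This is not GSKit or OpenSSL code. It models only the check that follows CBC
decryption of a TLS record: input = plaintext || HMAC tag || padding, where
every padding byte equals the padding length (TLS 1.1/1.2 style). Real
implementations also fold the sequence number and record header into the MAC
and must equalise the hash compression-function count; Python cannot give
constant-time guarantees, so only the control-flow shape is demonstrated.
"""
import hashlib
import hmac
from typing import Optional, Tuple

MAC_LEN = hashlib.sha1().digest_size   # HMAC-SHA1 tag: 20 bytes
BLOCK = 16                             # AES block size


def build_record(key: bytes, plaintext: bytes) -> bytes:
    """plaintext || HMAC(plaintext) || padding, padded to a whole block."""
    tag = hmac.new(key, plaintext, hashlib.sha1).digest()
    body = plaintext + tag
    pad_len = BLOCK - (len(body) + 1) % BLOCK     # +1 for the length byte itself
    return body + bytes([pad_len]) * (pad_len + 1)


def check_padding(record: bytes) -> Optional[int]:
    """Return the padding length if the trailing padding is well-formed, else None."""
    pad_len = record[-1]
    if pad_len + 1 > len(record) - MAC_LEN:       # padding would eat into the MAC
        return None
    if record[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return None
    return pad_len


def verify_vulnerable(key: bytes, record: bytes) -> Tuple[bool, bool]:
    """Pre-fix shape: returns (accepted, mac_was_computed).

    Bad padding returns before any MAC work, so the time to reject a record
    depends on whether its padding parsed. That gap is the timing oracle the
    advisory describes.
    """
    if len(record) < MAC_LEN + 1:
        return False, False
    pad_len = check_padding(record)
    if pad_len is None:
        return False, False                       # early exit: no MAC computed
    body = record[:-(pad_len + 1)]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(key, plaintext, hashlib.sha1).digest()
    return tag == expected, True                  # '==' also stops at the first differing byte


def verify_hardened(key: bytes, record: bytes) -> Tuple[bool, bool]:
    """Post-fix shape: the MAC is always computed and compared in constant time.

    On bad padding the record is treated as having zero-length padding (as
    RFC 5246 section 6.2.3.2 recommends) so the MAC step still runs; the
    padding result is folded into the final verdict without a branch.
    """
    if len(record) < MAC_LEN + 1:                 # record length is public; safe to check
        return False, False
    pad_len = check_padding(record)
    padding_ok = pad_len is not None
    if not padding_ok:
        pad_len = 0
    body = record[:-(pad_len + 1)]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(key, plaintext, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, expected)
    return bool(padding_ok & mac_ok), True        # '&' rather than 'and': no short-circuit


# Constructed sample key and record (not real traffic)
KEY = b"constructed-example-mac-key"
RECORD = build_record(KEY, b"GET / HTTP/1.1")


def demo() -> dict:
    """Compare both verifiers on a good record, bad padding, and a bad MAC."""
    bad_padding = RECORD[:-1] + bytes([RECORD[-1] ^ 0x01])
    bad_mac = bytes([RECORD[0] ^ 0x01]) + RECORD[1:]
    return {
        "valid":       (verify_vulnerable(KEY, RECORD), verify_hardened(KEY, RECORD)),
        "bad_padding": (verify_vulnerable(KEY, bad_padding), verify_hardened(KEY, bad_padding)),
        "bad_mac":     (verify_vulnerable(KEY, bad_mac), verify_hardened(KEY, bad_mac)),
    }


if __name__ == "__main__":
    for case, (vuln, hard) in demo().items():
        print(f"{case:12s} vulnerable={vuln} hardened={hard}")
```

The second element of each result shows the point: on a record with corrupted padding the pre-fix verifier never reaches the MAC, while the hardened one does the same work on every record and only then rejects. The remaining part of the real fix, equalising the number of hash compression calls for differing plaintext lengths, is not modelled here.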

AFFECTED PRODUCTS AND VERSIONS:
Tivoli Netcool/OMNIbus 7.2.1
Tivoli Netcool/OMNIbus 7.3.0
Tivoli Netcool/OMNIbus 7.3.1
Tivoli Netcool/OMNIbus 7.4.0

REMEDIATION:

Product   VRMF      APAR     Remediation/First Fix
OMNIbus   7.2.1.14  IV38671  http://www-01.ibm.com/support/docview.wss?uid=swg24033920
OMNIbus   7.3.0.12  IV38671  http://www-01.ibm.com/support/docview.wss?uid=swg24033922
OMNIbus   7.3.1.7   IV38671  http://www-01.ibm.com/support/docview.wss?uid=swg24031555
OMNIbus   7.4.0.2   IV38671  http://www-01.ibm.com/support/docview.wss?uid=swg24034621

Workaround(s) & Mitigation(s):
None

REFERENCES:
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
None

CHANGE HISTORY
Original Copy Published

*The CVSS Environmental Score is specific to the customer's environment and ultimately affects the overall CVSS score. Customers can evaluate the impact of these vulnerabilities in their own environments by following the links in the References section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND,

Document information
More support for: Tivoli Netcool/OMNIbus
Software version: 7.2.1, 7.3.0, 7.3.1, 7.4.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1650623
Modified date: 2014-08-19
