Security Bulletin: Vulnerabilities in OpenSSL affect IBM Service Delivery Manager. OpenSSL is installed on the operating system shipped via IBM Service Delivery Manager

Vulnerability Details

CVEID: CVE-2014-3569
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99706 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3570
DESCRIPTION: An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99710 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-3571
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99703 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3572
DESCRIPTION: OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 1.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99705 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-8275
DESCRIPTION: OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate bypass security restrictions and perform unauthorized actions.
CVSS Base Score: 1.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99709 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0204
DESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99707 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0205
DESCRIPTION: OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99708 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-0206
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99704 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0209
DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error in the d2i_ECPrivateKey or EVP_PKCS82PKEY function. An attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system and cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101674 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-0286
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error in the ASN1_TYPE_cmp function when attempting to compare ASN.1 boolean types. An attacker could exploit this vulnerability to crash any certificate verification operation and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101666 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0287
DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an error related to the reuse of a structure in ASN.1 parsing. An attacker could exploit this vulnerability using an invalid write to corrupt memory and execute arbitrary code on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-0288
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error in the X509_to_X509_REQ function. An attacker could exploit this vulnerability to trigger a NULL pointer dereference.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101675 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0289
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle missing outer ContentInfo by the PKCS#7 parsing code. An attacker could exploit this vulnerability using a malformed ASN.1-encoded PKCS#7 blob to trigger a NULL pointer dereference.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101669 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0292
DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an error when processing base64 encoded data. An attacker could exploit this vulnerability using specially-crafted base 64 data to corrupt memory and execute arbitrary code on the system and cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101670 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-0293
DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending a specially-crafted SSLv2 CLIENT-MASTER-KEY message, a remote attacker could exploit this vulnerability to trigger an assertion.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101671 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)