IBM Support

Security Bulletin: Vulnerabilities in OpenSSL affect IBM InfoSphere Master Data Management ( CVE-2014-3513, CVE-2014-3567)

Security Bulletin


Summary

OpenSSL vulnerabilities along with SSL 3 Fallback protection (TLS_FALLBACK_SCSV) were disclosed on October 15, 2014 by the OpenSSL Project. OpenSSL is used by IBM InfoSphere Master Data Management. IBM InfoSphere Master Data Management has addressed the applicable CVEs and included the SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) provided by OpenSSL.

Vulnerability Details

CVE-ID: CVE-2014-3513
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.

CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97035 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3567

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.

CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97036 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

These vulnerabilities are known to affect the following offerings:

·IBM Initiate Master Data Service versions 8.5, 9.0, 9.2, 9.5, 9.7, 10.0, 10.1 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)


·IBM Initiate Master Data Service Patient Hub versions 9.5, 9.7 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)

·IBM Initiate Master Data Service Provider Hub versions 9.5, 9.7 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)

·IBM InfoSphere Master Data Management Patient Hub version 10.0 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)

·IBM InfoSphere Master Data Management Provider Hub version 10.0 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkit component)

· IBM InfoSphere Master Data Management Standard/Advanced Edition version 11.0 (impacts Message Brokers component and Enterprise Integrator Toolkit component)

· IBM InfoSphere Master Data Management Standard/Advanced Edition version 11.3 (impacts Message Brokers component)

· IBM InfoSphere Master Data Management Standard/Advanced Edition version 11.4 (impacts Message Brokers component)

Remediation/Fixes

For IBM Initiate Master Data Service V8.5: 
· Apply Fix 8.5.0.111414_IM_Initiate_MasterDataService_ALL_ifix from fix central.

For IBM Initiate Master Data Service V9.0: 
· Apply Fix 9.0.0.111414_IM_Initiate_MasterDataService_ALL_ifix from fix central.

For IBM Initiate Master Data Service V9.2: 
· Apply Fix 9.2.0.111414_IM_ Initiate_MasterDataService_ALL_ifix from fix central.

For IBM Initiate Master Data Service V9.5: 
· Apply Fix 9.5.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central.

For IBM Initiate Master Data Service Patient Hub V9.5: 
· Apply Fix 9.5.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.

For IBM Initiate Master Data Service Provider Hub V9.5: 
· Apply Fix 9.5.103114_IM_Initiate_Provider_ALL_RefreshPack from fix central

For IBM Initiate Master Data Service V9.7: 

· Apply Fix 9.7.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central.

For IBM Initiate Master Data Service Patient Hub V9.7: 
· Apply Fix 9.7.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.

For IBM Initiate Master Data Service Provider Hub V9.7: 
· Apply Fix 9.7.103114_IM_Initiate_Provider_ALL_RefreshPack from fix central.

For IBM Initiate Master Data Service V10.0: 
· Apply Fix 10.0.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central.

For IBM InfoSphere Master Data Management Patient Hub V10.0: 
· Apply Fix 10.0.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.

For IBM InfoSphere Master Data Management Provider Hub V10.0: 
· Apply Fix 10.0.103114_IM_Initiate_Provider_ALL_RefreshPack from fix central

For IBM Initiate Master Data Service V10.1: 

· Apply Fix 10.1.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central

For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.0: 

· Apply Fix 11.0.0.2-MDM-SE-AE-FP02IF000_FC from fix central.

For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.3: 
· Apply Fix 11.3.0.1-MDM-SE-AE-FP01IF000_FC from fix central.

For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.4: 
· Apply Fix 11.4.0.0-MDM-IF001 fromfix central.

Workarounds and Mitigations

None known

Get Notified about Future Security Bulletins

References

Complete CVSS v2 Guide
On-line Calculator v2
Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

15 November 2014: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: InfoSphere Master Data Management

Software version: 9.0, 9.2, 9.5, 9.7, 10.0, 10.1, 11.0, 11.3, 11.4

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: Advanced Edition, Standard Edition

Reference #: 1690523

Modified date: 18 November 2014