-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0475
           IBM Sterling Connect:Express for UNIX is affected by
                    multiple vulnerabilities in OpenSSL
                               4 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sterling Connect:Express for UNIX
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0169 CVE-2013-0166 CVE-2012-2686
                   CVE-2012-2131 CVE-2012-2110 CVE-2012-0884
                   CVE-2012-0050 CVE-2012-0027 CVE-2011-4619
                   CVE-2011-4577 CVE-2011-4576 CVE-2011-4108
                   CVE-2011-3210 CVE-2011-3207 CVE-2011-0027
                   CVE-2011-0014 CVE-2010-4252 CVE-2010-3864
                   CVE-2010-1633 CVE-2010-0742 

Reference:         ESB-2013.0161
                   ESB-2012.0408
                   ESB-2012.0388
                   ESB-2012.0269
                   ESB-2012.0077
                   ESB-2012.0027
                   ESB-2011.0916
                   ESB-2011.0247
                   ESB-2011.0169
                   ASB-2010.0135

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21633107

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Sterling Connect:Express for UNIX is affected by
multiple vulnerabilities in OpenSSL

Flash (Alert)

Document information

Sterling Connect:Express for UNIX

Software version:
1.4, 1.5

Operating system(s):
AIX, HP-UX, Linux, Solaris

Reference #:
1633107

Modified date:
2013-04-03

Abstract

A number of security vulnerabilities have been discovered in the OpenSSL
libraries included in IBM Sterling Connect:Express for UNIX.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-0169 CVE-2013-0166 CVE-2012-2686 CVE-2012-2131 CVE-2012-2110
CVE-2012-0884 CVE-2012-0050 CVE-2011-4108 CVE-2011-4576 CVE-2011-4577
CVE-2011-4619 CVE-2012-0027 CVE-2011-3207 CVE-2011-3210 CVE-2011-0014
CVE-2010-4252 CVE-2010-3864 CVE-2010-0742 CVE-2010-1633

DESCRIPTION: IBM Sterling Connect:Express for UNIX uses OpenSSL libraries
for cryptography, and a number of security vulnerabilities have been
discovered in the OpenSSL libraries.

CVE-2013-0169
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2013-0166
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81904 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2012-2686
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81903 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2012-2131
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75099 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-2110
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74926 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-0884
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73916 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2012-0050
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72458 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-4108
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72128 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2011-4576
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72130 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-4577
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72131 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-4619
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72132 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2012-0027
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72133 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2011-3207
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/69613 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2011-3210
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/69614 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2011-0014
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/68221 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVE-2010-3864
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63293 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2010-4252
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63636 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2010-0742
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/59039 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2010-1633
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/59040 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

AFFECTED VERSIONS:
IBM Sterling Connect:Express for UNIX 1.4.6.
IBM Sterling Connect:Express for UNIX 1.5.0.

REMEDIATION:
The recommended solution is to apply the fix for each version as soon as
practical. See below for information on the available fixes.
Version 1.5.0: apply Fix Pack 1.5.08.
Version 1.4.6: apply Fix Pack 1.4.64.

WORKAROUND(S):
None known; apply fix.

MITIGATION(S):
None known

REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2013-0169
X-Force Database: http://xforce.iss.net/xforce/xfdb/81902
CVE-2013-0166
X-Force Database: http://xforce.iss.net/xforce/xfdb/81904
CVE-2012-2686
X-Force Database: http://xforce.iss.net/xforce/xfdb/81903
CVE-2012-2131
X-Force Database: http://xforce.iss.net/xforce/xfdb/75099
CVE-2012-2110
X-Force Database: http://xforce.iss.net/xforce/xfdb/74926
CVE-2012-0884
X-Force Database: http://xforce.iss.net/xforce/xfdb/73916
CVE-2012-0050
X-Force Database: http://xforce.iss.net/xforce/xfdb/72458
CVE-2011-4108
X-Force Database: http://xforce.iss.net/xforce/xfdb/72128
CVE-2011-4576
X-Force Database: http://xforce.iss.net/xforce/xfdb/72130
CVE-2011-4577
X-Force Database: http://xforce.iss.net/xforce/xfdb/72131
CVE-2011-4619
X-Force Database: http://xforce.iss.net/xforce/xfdb/72132
CVE-2011-0027
X-Force Database: http://xforce.iss.net/xforce/xfdb/72133
CVE-2011-3207
X-Force Database: http://xforce.iss.net/xforce/xfdb/69613
CVE-2011-3210
X-Force Database: http://xforce.iss.net/xforce/xfdb/69614
CVE-2011-0014
X-Force Database: http://xforce.iss.net/xforce/xfdb/68221
CVE-2010-3864
X-Force Database: http://xforce.iss.net/xforce/xfdb/63293
CVE-2010-4252
X-Force Database: http://xforce.iss.net/xforce/xfdb/63636
CVE-2010-0742
X-Force Database: http://xforce.iss.net/xforce/xfdb/59039
CVE-2010-1633
X-Force Database: http://xforce.iss.net/xforce/xfdb/59040

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----