-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0760
    Security Bulletin: OpenSSL vulnerability issues for IBM Cloudburst
                                31 May 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloudburst
Publisher:         IBM
Operating System:  AIX
                   SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0169 CVE-2013-0166 CVE-2012-2686 CVE-2012-2131
                   CVE-2012-2110 CVE-2012-0884 CVE-2012-0050 CVE-2012-0027
                   CVE-2011-4619 CVE-2011-4577 CVE-2011-4576 CVE-2011-4108
                   CVE-2011-3210 CVE-2011-3207 CVE-2011-0014 CVE-2010-4252
                   CVE-2010-3864 CVE-2010-1633 CVE-2010-0742
Reference:         ESB-2013.0183
                   ESB-2012.0388
                   ESB-2012.0269
                   ESB-2012.0074
                   ESB-2012.0027
                   ESB-2011.0916
                   ESB-2011.0169
                   ASB-2010.0135
                   ESB-2010.1048.2

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21638669

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: OpenSSL vulnerability issues for IBM Cloudburst

Flash (Alert)

Document information

IBM CloudBurst
Software version: All Versions
Operating system(s): AIX 6.1, Linux SUSE - xSeries
Reference #: 1638669
Modified date: 2013-05-29

Abstract

Multiple vulnerability issues have been identified for OpenSSL versions lower
than 1.0.x. IBM Cloudburst uses OpenSSL version 0.9.8 as a part of its base
operating system for Tivoli virtual machines.

Content

VULNERABILITY DETAILS

DESCRIPTION: Multiple vulnerability issues have been identified for OpenSSL
package versions lower than 1.0.x.
IBM Cloudburst for VMware includes OpenSSL version 0.9.8 as a part of SUSE
Linux Enterprise Server, which is used as the base operating system for Tivoli
virtual machines. IBM Cloudburst for Power includes OpenSSL version 0.9.8 as a
part of AIX, which is used as the base operating system for Tivoli virtual
machines.

CVE IDs: CVE-2012-2131, CVE-2012-2110, CVE-2012-0884, CVE-2012-0050,
CVE-2011-4108, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027,
CVE-2011-3207, CVE-2011-3210, CVE-2011-0014, CVE-2010-4252, CVE-2010-3864,
CVE-2010-0742, CVE-2010-1633, CVE-2013-0169, CVE-2013-0166, CVE-2012-2686

CVE-2012-2131
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75099 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-2110
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74926 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-0884
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73916 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2012-0050
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72458 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-4108
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72128 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2011-4576
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72130 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-4577
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72131 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-4619
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72132 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2012-0027
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72133 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2011-3207
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/69613 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2011-3210
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/69614 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2011-0014
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/68221 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVE-2010-4252
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63636 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2010-3864
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63293 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2010-0742
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/59039 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2010-1633
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/59040 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVE-2013-0169
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2013-0166
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81904 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2012-2686
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81903 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected products and versions

Cloudburst 1.2
Cloudburst 2.1
Cloudburst 2.1.1

Remediation

Cloudburst 2.1.1

First upgrade the SUSE Linux Enterprise Server 10 SP 3 provided with IBM
Cloudburst to version 11 SP 2.

Download SUSE Linux Enterprise Server 11 SP 1 from IBM Support Portal
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm/Tivoli&product=ibm/Tivoli/IBM+Service+Delivery+Manager&release=All&platform=Linux&function=fixId&fixids=SLES-11-SP1-DVD-x86_64-GM-DVD1_image&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc
and upgrade your SUSE Linux Enterprise Server according to the readme file
attached to the above maintenance package.

Download SUSE Linux Enterprise Server 11 SP 2 from IBM Support Portal
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm/Tivoli&product=ibm/Tivoli/IBM+Service+Delivery+Manager&release=All&platform=Linux&function=fixId&fixids=SLES-11-SP1-DVD-x86_64-GM-DVD1_image&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc
and upgrade your SUSE Linux Enterprise Server according to the readme file
attached to the above maintenance package.
When your SUSE Linux Enterprise Server has been upgraded to version 11 SP 2,
apply the patch available under the link:
http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Service+Delivery+Manager&release=All&platform=All&function=fixId&fixids=java_ssl_updates&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp

Cloudburst 2.1

For Cloudburst 2.1 for Power, apply the patch available under the link:
http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Service+Delivery+Manager&release=All&platform=All&function=fixId&fixids=AIX-openssl-0.9.8.2500&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp

For Cloudburst 2.1 on VMware, proceed in the same way as described in the
section above for Cloudburst 2.1.1.

Cloudburst 1.2

The recommendation is to upgrade to Cloudburst 2.1, then continue with the
patching procedure described above. If you are not able to upgrade to
Cloudburst 2.1, contact IBM support for a patch.
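The remediation above leaves the two base operating systems at different OpenSSL levels: the AIX fix is delivered as the fileset AIX-openssl-0.9.8.2500, which stays on the 0.9.8 line, while the VMware path is an OS upgrade plus a separate patch. A check that only tests the bulletin's headline criterion ("lower than 1.0.x") therefore keeps flagging a patched AIX host. The following is an added example, not IBM's or AusCERT's code; it parses the version strings an operator typically sees and compares them as numeric tuples. The sample strings are constructed, the `lslpp`/`rpm`/`openssl version` formats they imitate are assumptions, and so is the assumption that the fixed AIX fileset reports the level 0.9.8.2500.

```python
"""Version-level check for the bulletin's remediation (added example)."""
import re
from typing import Tuple

# Constructed sample strings, not captured from a real system.  They mimic the
# shapes an operator gets from `lslpp -L` on AIX, `rpm -q` on SLES and
# `openssl version` on either host; the exact formatting is an assumption.
SAMPLE_AIX_PATCHED = "openssl.base 0.9.8.2500 COMMITTED"
SAMPLE_AIX_OLD = "openssl.base 0.9.8.1800 COMMITTED"
SAMPLE_SLES_RPM = "openssl-0.9.8j-0.50.1"
SAMPLE_CLI = "OpenSSL 1.0.1e-fips 11 Feb 2013"

# Level named by the bulletin's fix id AIX-openssl-0.9.8.2500; that the
# installed fileset reports exactly this string is an assumption.
AIX_FIX_LEVEL = "0.9.8.2500"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)([a-z]*)")


def parse_openssl_level(text: str) -> Tuple[int, int, int, int, int]:
    """Return (major, minor, fix, fourth, letter) for the first version in text.

    Numeric parts compare as integers, so 0.9.8.2500 is correctly above
    0.9.8.900 (plain string comparison puts "2500" before "900").  The OpenSSL
    letter suffix (0.9.8j, 1.0.1e) becomes a 1-based letter index, 0 if absent.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums = (nums + [0, 0, 0, 0])[:4]          # pad to four numeric fields
    letter = 0
    for ch in m.group(2):                      # "j" -> 10, "zb" -> 26*26+2
        letter = letter * 26 + (ord(ch) - ord("a") + 1)
    return (nums[0], nums[1], nums[2], nums[3], letter)


def below_1_0(text: str) -> bool:
    """The bulletin's headline criterion: OpenSSL lower than 1.0.x."""
    return parse_openssl_level(text)[:2] < (1, 0)


def at_or_above(text: str, required: str) -> bool:
    """Compare like with like: a fileset level against a fileset level."""
    return parse_openssl_level(text) >= parse_openssl_level(required)


def assess_aix(fileset_line: str) -> str:
    """Classify an AIX openssl fileset line against the bulletin's fix level.

    The fixed fileset is still 0.9.8.x, so below_1_0() stays True on a
    patched host; the fix level, not the 1.0 line, is the right threshold.
    """
    if at_or_above(fileset_line, AIX_FIX_LEVEL):
        return "at fix level"
    return "needs AIX-openssl-0.9.8.2500"


if __name__ == "__main__":
    for line in (SAMPLE_AIX_PATCHED, SAMPLE_AIX_OLD):
        print(f"{line!r}: below 1.0? {below_1_0(line)}; {assess_aix(line)}")
    print(f"{SAMPLE_SLES_RPM!r}: below 1.0? {below_1_0(SAMPLE_SLES_RPM)}")
    print(f"{SAMPLE_CLI!r}: below 1.0? {below_1_0(SAMPLE_CLI)}")
```

Run it as a script to see both AIX samples reported as "below 1.0" while only the 0.9.8.1800 one is reported as needing the fix; feed `assess_aix()` the real `lslpp -L openssl.base` line to use it on a host.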
Workaround

none

Mitigations

none

References:

* Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html)
* On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
* CVE-2012-2131 http://xforce.iss.net/xforce/xfdb/75099
* CVE-2012-2110 http://xforce.iss.net/xforce/xfdb/74926
* CVE-2012-0884 http://xforce.iss.net/xforce/xfdb/73916
* CVE-2012-0050 http://xforce.iss.net/xforce/xfdb/72458
* CVE-2011-4108 http://xforce.iss.net/xforce/xfdb/72128
* CVE-2011-4576 http://xforce.iss.net/xforce/xfdb/72130
* CVE-2011-4577 http://xforce.iss.net/xforce/xfdb/72131
* CVE-2011-4619 http://xforce.iss.net/xforce/xfdb/72132
* CVE-2012-0027 http://xforce.iss.net/xforce/xfdb/72133
* CVE-2011-3207 http://xforce.iss.net/xforce/xfdb/69613
* CVE-2011-3210 http://xforce.iss.net/xforce/xfdb/69614
* CVE-2011-0014 http://xforce.iss.net/xforce/xfdb/68221
* CVE-2010-4252 http://xforce.iss.net/xforce/xfdb/63636
* CVE-2010-3864 http://xforce.iss.net/xforce/xfdb/63293
* CVE-2010-0742 http://xforce.iss.net/xforce/xfdb/59039
* CVE-2010-1633 http://xforce.iss.net/xforce/xfdb/59040
* CVE-2013-0169 http://xforce.iss.net/xforce/xfdb/81902
* CVE-2013-0166 http://xforce.iss.net/xforce/xfdb/81904
* CVE-2012-2686 http://xforce.iss.net/xforce/xfdb/81903

Related Information:

* IBM Secure Engineering Web Portal
* IBM Product Security Incident Response Blog

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUagMxO4yVqjM2NGpAQLRXhAAnntNfunNeWut01+QvLUgYfPxo9ukB8lw
0fuokfgOMV6JzKhEpR2AVxDaOALKSDZU3SZEl33wr5U3v1tX9kdN0oceRo9M86qJ
m0JhryEge8YdOvwvyFiAIiuI7wplWRn4acEa6rq2Dux3iWzGMnwvhcnwwHI/jzH7
4kNJGaWJoi5jbj696JUQnaXC6Ae1EVB6RGRb+M46Egp9X9eIFJQX9X6GNKhajtTK
MF3RrciuUsmI+bP1QSpIoy1pbqCNz+oH4CrfM5GT7rb/G6ZvkqECra54M1El3zm1
aGPkcyn+8goShMEFo7HXLxp2e8wHJu0ThSIdbgSNLbV4KcnhSHK7y0/XlL/oZ9pT
MLIXEez0OzxKxDiFXTKKI/ddhNTI0xsnBeB7Oj8XDaHyn6tkZtwAY59FVpF1o3tp
WSL462Sx8dHXlRBRGrtQbxhrXGKNMzEUHIgqZJq4iVdB7AUzuqPytgv+aOCGqn+A
hrzUDlnU/yPZA8dQBQVDLxxUrSA6tn6uILTdDCSUtvmmTlCwCfs2wWodg0yk4Yft
hN+G3z8yL3hYQh05ZFQBmytpl61mwW62Qrk3md2NiV7zejggzS4Dc2yXvuRakcpk
aj3wIUvsX32rpDBJDwuI0WyS3CROR/3sZWvecCI/k83lbZ+Qj9ukK98m6JT0ulJy
+3oqphU82o4=
=OKm+
-----END PGP SIGNATURE-----