===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0760
    Security Bulletin: OpenSSL vulnerability issues for IBM Cloudburst
                                31 May 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloudburst
Publisher:         IBM
Operating System:  AIX
                   SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0169 CVE-2013-0166 CVE-2012-2686
                   CVE-2012-2131 CVE-2012-2110 CVE-2012-0884
                   CVE-2012-0050 CVE-2012-0027 CVE-2011-4619
                   CVE-2011-4577 CVE-2011-4576 CVE-2011-4108
                   CVE-2011-3210 CVE-2011-3207 CVE-2011-0014
                   CVE-2010-4252 CVE-2010-3864 CVE-2010-1633
                   CVE-2010-0742

Reference:         ESB-2013.0183
                   ESB-2012.0388
                   ESB-2012.0269
                   ESB-2012.0074
                   ESB-2012.0027
                   ESB-2011.0916
                   ESB-2011.0169
                   ASB-2010.0135
                   ESB-2010.1048.2

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21638669

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: OpenSSL vulnerability issues for IBM Cloudburst

Flash (Alert)

Document information

IBM CloudBurst

Software version:
All Versions

Operating system(s):
AIX 6.1, Linux SUSE - xSeries

Reference #:
1638669

Modified date:
2013-05-29

Abstract

Multiple vulnerabilities have been identified in OpenSSL releases before
1.0.x. IBM Cloudburst ships OpenSSL 0.9.8 as part of the base operating
system of its Tivoli virtual machines.

Content

VULNERABILITY DETAILS

DESCRIPTION:

Multiple vulnerabilities have been identified in OpenSSL package versions
before 1.0.x. IBM Cloudburst for VMware includes OpenSSL 0.9.8 as part of
SUSE Linux Enterprise Server, which is the base operating system of its Tivoli
virtual machines. IBM Cloudburst for Power includes OpenSSL 0.9.8 as part of
AIX, which is the base operating system of its Tivoli virtual machines.

CVE IDs:
CVE-2012-2131, CVE-2012-2110, CVE-2012-0884, CVE-2012-0050, CVE-2011-4108, 
CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027, CVE-2011-3207, 
CVE-2011-3210, CVE-2011-0014, CVE-2010-4252, CVE-2010-3864, CVE-2010-0742, 
CVE-2010-1633, CVE-2013-0169, CVE-2013-0166, CVE-2012-2686

CVE-2012-2131
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75099 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-2110
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74926 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-0884
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73916 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2012-0050
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72458 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-4108
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72128 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2011-4576
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72130 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-4577
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72131 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-4619
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72132 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2012-0027
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72133 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2011-3207
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/69613 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2011-3210
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/69614 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2011-0014
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/68221 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVE-2010-4252
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63636 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2010-3864
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63293 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2010-0742
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/59039 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2010-1633
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/59040 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVE-2013-0169
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2013-0166
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81904 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2012-2686
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81903 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected products and versions
Cloudburst 1.2
Cloudburst 2.1
Cloudburst 2.1.1

Remediation
Cloudburst 2.1.1
First upgrade the SUSE Linux Enterprise Server 10 SP3 shipped with IBM
Cloudburst to version 11 SP2. This is done in two steps.
Download SUSE Linux Enterprise Server 11 SP1 from the IBM Support Portal:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm/Tivoli&product=ibm/Tivoli/IBM+Service+Delivery+Manager&release=All&platform=Linux&function=fixId&fixids=SLES-11-SP1-DVD-x86_64-GM-DVD1_image&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc
and upgrade SUSE Linux Enterprise Server as described in the readme file
attached to that maintenance package.
Then download SUSE Linux Enterprise Server 11 SP2 from the IBM Support Portal:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm/Tivoli&product=ibm/Tivoli/IBM+Service+Delivery+Manager&release=All&platform=Linux&function=fixId&fixids=SLES-11-SP1-DVD-x86_64-GM-DVD1_image&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc
and upgrade again as described in the readme file attached to that
maintenance package.

Once SUSE Linux Enterprise Server is at version 11 SP2, apply the patch
available from:
http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Service+Delivery+Manager&release=All&platform=All&function=fixId&fixids=java_ssl_updates&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp

Cloudburst 2.1
For Cloudburst 2.1 for Power, apply the patch available from:
http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Service+Delivery+Manager&release=All&platform=All&function=fixId&fixids=AIX-openssl-0.9.8.2500&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp
For Cloudburst 2.1 on VMware, follow the procedure described above for
Cloudburst 2.1.1.

Cloudburst 1.2
Upgrade to Cloudburst 2.1, then follow the patching procedure described above
for that release. If you cannot upgrade to Cloudburst 2.1, contact IBM support
for a patch.
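
After the remediation above has been applied, the practical question is which Tivoli virtual machines are still at the level the bulletin covers. The following is an added example, not code from the IBM or AusCERT bulletin: it parses captured output of `openssl version` on the SLES guests and `lslpp -L openssl.base` on the AIX guests and compares the installed level with the level the remediation leads to. Two thresholds are assumptions rather than statements from the page: for SLES the check treats any 1.0.x build as outside the bulletin's scope, because the bulletin only says releases before 1.0.x are affected; for AIX the target fileset level 0.9.8.2500 is inferred from the fix ID AIX-openssl-0.9.8.2500 in the remediation link. The host names and command outputs in the inventory are constructed for the example.

```python
"""Flag CloudBurst Tivoli VMs whose OpenSSL is still at a level this bulletin covers.

Added example; not part of the IBM or AusCERT text. Thresholds below are
assumptions inferred from the bulletin, and the sample inventory is constructed.
"""
import re

SLES_FIXED_LEVEL = (1, 0)           # assumption: "before 1.0.x" is the bulletin's stated scope
AIX_FIXED_LEVEL = (0, 9, 8, 2500)   # assumption: inferred from fix ID AIX-openssl-0.9.8.2500


def numeric_level(version: str) -> tuple:
    """Leading dotted numeric part of a version string: '0.9.8a' -> (0, 9, 8),
    '0.9.8.2500' -> (0, 9, 8, 2500). Letter suffixes are ignored on purpose;
    the fix information this check needs is in the numeric components."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_openssl_version(output: str) -> str:
    """Version token from `openssl version`: 'OpenSSL 0.9.8a 11 Oct 2005' -> '0.9.8a'."""
    m = re.match(r"OpenSSL\s+(\S+)", output.strip())
    if not m:
        raise ValueError(f"unexpected `openssl version` output: {output!r}")
    return m.group(1)


def parse_lslpp_level(output: str, fileset: str = "openssl.base") -> str:
    """Level column for `fileset` in `lslpp -L` output
    (columns: Fileset, Level, State, Type, Description)."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == fileset:
            return parts[1]
    raise ValueError(f"fileset {fileset} not found in lslpp output")


def needs_patch(installed: tuple, fixed: tuple) -> bool:
    """Tuple comparison: (0, 9, 8) < (1, 0) and (0, 9, 8, 1800) < (0, 9, 8, 2500),
    while (1, 0, 1) is not below (1, 0)."""
    return installed < fixed


def assess(host: str, platform: str, command_output: str) -> dict:
    """Decide from captured command output whether `host` still needs this bulletin's fix."""
    if platform == "sles":
        installed = parse_openssl_version(command_output)
        fixed = SLES_FIXED_LEVEL
    elif platform == "aix":
        installed = parse_lslpp_level(command_output)
        fixed = AIX_FIXED_LEVEL
    else:
        raise ValueError(f"unknown platform {platform!r}")
    return {"host": host, "platform": platform, "installed": installed,
            "needs_patch": needs_patch(numeric_level(installed), fixed)}


# Constructed sample inventory: (host, platform, captured command output).
LSLPP_HEADER = ("  Fileset                      Level  State  Type  Description (Uninstaller)\n"
                "  ----------------------------------------------------------------------------\n")
SAMPLE_INVENTORY = [
    ("tivoli-vm-01", "sles", "OpenSSL 0.9.8a 11 Oct 2005\n"),
    ("tivoli-vm-02", "sles", "OpenSSL 1.0.0 29 Mar 2010\n"),
    ("tivoli-aix-01", "aix", LSLPP_HEADER +
     "  openssl.base              0.9.8.1800    C     F    Open Secure Socket Layer\n"),
    ("tivoli-aix-02", "aix", LSLPP_HEADER +
     "  openssl.base              0.9.8.2500    C     F    Open Secure Socket Layer\n"),
]


def assess_inventory(inventory=SAMPLE_INVENTORY) -> list:
    """One result dict per host."""
    return [assess(host, platform, output) for host, platform, output in inventory]


def hosts_needing_patch(inventory=SAMPLE_INVENTORY) -> list:
    """Host names whose installed level is below the threshold for their platform."""
    return [r["host"] for r in assess_inventory(inventory) if r["needs_patch"]]


if __name__ == "__main__":
    for r in assess_inventory():
        print(f"{r['host']:<14} {r['platform']:<5} {r['installed']:<12} "
              f"{'NEEDS PATCH' if r['needs_patch'] else 'ok'}")
```

Two caveats when running this against real guests. Distribution packages often backport security fixes without changing the upstream version string, so on SLES the version check can report a false positive; the package changelog (`rpm -q --changelog openssl`) is the authoritative record of which CVEs a given build carries. Conversely, a 1.0.x build is only outside this bulletin's stated scope, not necessarily free of every CVE it lists; check the OpenSSL advisory for each CVE's fixed release before closing the finding.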

Workaround
none

Mitigations
none

References:
* Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html )
* On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 )
* CVE-2012-2131 http://xforce.iss.net/xforce/xfdb/75099
* CVE-2012-2110 http://xforce.iss.net/xforce/xfdb/74926
* CVE-2012-0884 http://xforce.iss.net/xforce/xfdb/73916
* CVE-2012-0050 http://xforce.iss.net/xforce/xfdb/72458
* CVE-2011-4108 http://xforce.iss.net/xforce/xfdb/72128
* CVE-2011-4576 http://xforce.iss.net/xforce/xfdb/72130
* CVE-2011-4577 http://xforce.iss.net/xforce/xfdb/72131
* CVE-2011-4619 http://xforce.iss.net/xforce/xfdb/72132
* CVE-2012-0027 http://xforce.iss.net/xforce/xfdb/72133
* CVE-2011-3207 http://xforce.iss.net/xforce/xfdb/69613
* CVE-2011-3210 http://xforce.iss.net/xforce/xfdb/69614
* CVE-2011-0014 http://xforce.iss.net/xforce/xfdb/68221
* CVE-2010-4252 http://xforce.iss.net/xforce/xfdb/63636
* CVE-2010-3864 http://xforce.iss.net/xforce/xfdb/63293
* CVE-2010-0742 http://xforce.iss.net/xforce/xfdb/59039
* CVE-2010-1633 http://xforce.iss.net/xforce/xfdb/59040
* CVE-2013-0169 http://xforce.iss.net/xforce/xfdb/81902
* CVE-2013-0166 http://xforce.iss.net/xforce/xfdb/81904
* CVE-2012-2686 http://xforce.iss.net/xforce/xfdb/81903

Related Information:

* IBM Secure Engineering Web Portal
* IBM Product Security Incident Response Blog

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================