===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0377
  Security Bulletin: IBM InfoSphere Balanced Warehouse C3000, C4000, and
             D5100 are affected by vulnerabilities in OpenSSL
               (CVE-2013-4353, CVE-2013-6450, CVE-2013-6449)
                               21 March 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere Balanced Warehouse
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-6450 CVE-2013-6449 CVE-2013-4353

Reference:         ESB-2014.0375
                   ESB-2014.0301
                   ESB-2014.0252
                   ESB-2014.0224
                   ESB-2014.0007

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21665678

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM InfoSphere Balanced Warehouse C3000, C4000, and D5100 
are affected by vulnerabilities in OpenSSL (CVE-2013-4353, CVE-2013-6450, 
CVE-2013-6449)

Security Bulletin

Document information

More support for:
InfoSphere Balanced Warehouse

Software version:
9.7

Operating system(s):
Linux

Reference #:
1665678

Modified date:
2014-03-12

Summary

The IBM InfoSphere Balanced Warehouse C3000, C4000, and D5100 are shipped with 
SUSE Linux Enterprise Server Edition operating system software. There are 
three security vulnerabilities that have been identified in the OpenSSL 
libraries that are part of the operating system software for these systems.

Vulnerability Details

CVE ID: CVE-2013-4353

DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by a NULL pointer 
dereference when handling malicious S/MIME messages. By sending a 
specially-crafted TLS handshake, a remote attacker could exploit this 
vulnerability to cause a connecting client to crash.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90201 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVE ID: CVE-2013-6450

DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by the failure to 
properly maintain data structures for digest and encryption contexts by the 
DTLS retransmission implementation. A remote attacker could exploit this 
vulnerability to cause the daemon to crash.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90069 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)


CVE ID: CVE-2013-6449

DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by an error in the 
ssl_get_algorithm2 function. A remote attacker could exploit this 
vulnerability using specially-crafted traffic from a TLS 1.2 client to cause 
the daemon to crash.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90068 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM InfoSphere Balanced Warehouse C3000 for Linux
IBM InfoSphere Balanced Warehouse C4000 for Linux
IBM InfoSphere Balanced Warehouse D5100

Remediation/Fixes

Contact IBM Support to request the required SUSE Linux Enterprise Server 10 
fix. Install the fix using the instructions listed in the following table.

Product                                    Operating System       Download Link
IBM InfoSphere Balanced Warehouse          SUSE Linux Enterprise  Contact IBM Support to
  C3000 for Linux                          Server 10 SP4          request the fix. Install
IBM InfoSphere Balanced Warehouse                                 the fix using the update
  C4000 for Linux                                                 instructions.
IBM InfoSphere Balanced Warehouse D5100

Contacting IBM Support:

   Open an electronic Service Request with IBM Support.
   In the United States and Canada, call 1-800-IBM-SERV.
   For countries outside of the United States, see: Directory of worldwide 
   contacts.

Workarounds and Mitigations

None

References

Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

March 12, 2014: Original version published.

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================