===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1142
        Security Bulletin: IBM Flex System Manager (FSM) is affected
                      by vulnerability (CVE-2013-5211)
                               10 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Flex System Manager (FSM)
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5211

Reference:         ESB-2014.0992
                   ESB-2014.0334.3
                   ESB-2014.0123.2
                   ESB-2014.0055
                   ESB-2014.0046.2

Original Bulletin:
   http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095892

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Flex System Manager (FSM) is affected by
vulnerability (CVE-2013-5211)

Applicable countries and regions

Abstract

IBM Flex System Manager (FSM) is affected by a ntp vulnerability that could
result in a denial of service

Content

Vulnerability Details:

CVE-ID: CVE-2013-5211

Description: IBM Flex System Manager allows a remote attacker to use a valid
NTP server to cause a potential denial of service attack by forging ntp
requests.

CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90143
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected products and versions - From the FSM command line enter lsconfig -V
to determine the level of FSM installed.

  Flex System Manager 1.1.x.x
  Flex System Manager 1.2.0.x
  Flex System Manager 1.2.1.x
  Flex System Manager 1.3.0.x
  Flex System Manager 1.3.1.x

NON-AFFECTED PRODUCTS and VERSIONS

  Flex System Manager 1.3.2.x

Remediation:

Product              VRMF     APAR     Remediation
Flex System Manager  1.1.x.x  IT00278  Upgrade to FSM 1.3.2.0, or open a PMR
                                       with support to request an APAR
Flex System Manager  1.2.0.x  IT00278  fsmfix1.2.0.0_IT00252
Flex System Manager  1.2.1.x  IT00278  fsmfix1.2.1.0_IT00252
Flex System Manager  1.3.0.x  IT00278  fsmfix1.3.0.0_IT00252
Flex System Manager  1.3.1.x  IT00278  fsmfix1.3.1.0_IT00252

Workaround(s) & Mitigation(s):

None Known

References:

  Complete CVSS Guide
  On-line Calculator V2
  OpenSSL Project vulnerability website

Related Information:

  IBM Secure Engineering Web Portal

Acknowledgement

None

Change History

01 July 2014: Original Copy Published

* The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Applicable countries and regions

Worldwide

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================