-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1762
     Sterling B2B Integrator and Sterling File Gateway are affected by
           vulnerabilities in OpenSSL Libraries (CVE-2014-3508,
               CVE-2014-3509, CVE-2014-3510, CVE-2014-3511)
                              3 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sterling B2B Integrator
                   IBM Sterling File Gateway
Publisher:         IBM
Operating System:  Linux variants
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
                   Reduced Security       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3511 CVE-2014-3510 CVE-2014-3509
                   CVE-2014-3508  

Reference:         ASB-2014.0113
                   ASB-2014.0102
                   ASB-2014.0096
                   ESB-2014.1750
                   ESB-2014.1707
                   ESB-2014.1646

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21684913

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin Sterling B2B Integrator and Sterling File Gateway are 
affected by vulnerabilities in OpenSSL Libraries (CVE-2014-3508, 
CVE-2014-3509, CVE-2014-3510, CVE-2014-3511)

Document information

More support for:

Sterling B2B Integrator

Software version:

5.1, 5.2

Operating system(s):

All

Software edition:

All Editions

Reference #:

1684913

Modified date:

2014-10-02

Security Bulletin

Summary

Security vulnerabilities have been discovered in OpenSSL that were reported on
August 6th, 2014 by the OpenSSL Project.

SWIFTNet adapters of IBM Sterling B2B Integrator and IBM Sterling File Gateway
use OpenSSL libraries for cryptography, and thus are affected by the following
security vulnerabilities discovered in OpenSSL libraries versions 0.9.8 and 
1.0.1.

Vulnerability Details

CVE-ID: CVE-2014-3509

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a race 
condition in the ssl_parse_serverhello_tlsext() code. If a multithreaded 
client connects to a malicious server using a resumed session, a remote 
attacker could exploit this vulnerability to cause a denial of service.

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95159 for more 
information

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3511

DESCRIPTION: OpenSSL could allow a remote attacker to bypass security 
restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol
versions by the OpenSSL SSL/TLS server code when handling a badly fragmented 
ClientHello message. An attacker could exploit this vulnerability using 
man-in-the-middle techniques to force a downgrade to TLS 1.0.

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95162 for more 
information

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-3510

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL 
pointer dereference in anonymous ECDH ciphersuites. A remote attacker could 
exploit this vulnerability using a malicious handshake to cause the client to
crash.

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95164 for more 
information

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3508

DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive 
information, caused by an error in OBJ_obj2txt. If applications echo pretty 
printing output, an attacker could exploit this vulnerability to read 
information from the stack.

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95165 for more 
information

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2

IBM Sterling B2B Integrator 5.1 or IBM Sterling File Gateway 2.1

Remediation/Fixes

PRODUCT                                  REMEDIATION/FIX

IBM Sterling B2B Integrator 5.2 or       SWIFTNet Customers must upgrade their
IBM Sterling File Gateway 2.2            current version of OpenSSL to version
                                         0.9.8zb or 1.0.1i

IBM Sterling B2B Integrator 5.1 or       SWIFTNet Customers must upgrade their
IBM Sterling File Gateway 2.1            current version of OpenSSL to version
                                         0.9.8zb
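As an added check that is not part of IBM's bulletin or AusCERT's text, the following Python compares an `openssl version` string against the fixed releases named in the remediation table (0.9.8zb and 1.0.1i); the FIXED_VERSIONS table, the function names and the sample version strings are my own. It handles the OpenSSL letter-suffix ordering (a..z, then za, zb, ...) that a plain string compare gets wrong.

```python
import re
import ssl

# Fixed releases named in the bulletin, keyed by OpenSSL release branch
# (assumed table; only the two branches the bulletin covers are listed).
FIXED_VERSIONS = {
    "0.9.8": "0.9.8zb",
    "1.0.1": "1.0.1i",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Parse 'OpenSSL 1.0.1h 5 Jun 2014' or '0.9.8zb' into a comparable tuple.

    OpenSSL patch letters run a..z, then za, zb, ..., so the suffix is
    compared first by length and then lexicographically ('zb' > 'z' > 'y').
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), len(letters), letters)


def branch_of(version_tuple):
    """Release branch, e.g. (1, 0, 1, 1, 'h') -> '1.0.1'."""
    return "%d.%d.%d" % version_tuple[:3]


def is_patched(text):
    """True/False for the 0.9.8 and 1.0.1 branches covered by the bulletin;
    None when the branch is not one the bulletin speaks about."""
    v = parse_openssl_version(text)
    fixed = FIXED_VERSIONS.get(branch_of(v))
    if fixed is None:
        return None
    return v >= parse_openssl_version(fixed)


if __name__ == "__main__":
    # Constructed sample inputs in the format printed by `openssl version`.
    for s in ["OpenSSL 1.0.1h 5 Jun 2014", "OpenSSL 0.9.8za 5 Jun 2014",
              "OpenSSL 0.9.8zb 6 Aug 2014", "OpenSSL 1.0.1i 6 Aug 2014"]:
        print(s, "->", is_patched(s))
    # The interpreter's own linked OpenSSL, for comparison.
    print(ssl.OPENSSL_VERSION, "->", is_patched(ssl.OPENSSL_VERSION))
```

Run the same check against the OpenSSL actually loaded by the SWIFTNet adapter's host, not only the one on a build machine, since the bulletin's fix is to upgrade the library the adapter links.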


Workarounds and Mitigations

None Known

References

Complete CVSS Guide

On-line Calculator V2

OpenSSL vulnerability

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

2 October 2014: Initial version.

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----