===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2182
Security Bulletin: Vulnerabilities in OpenSSL affect IBM InfoSphere Master
              Data Management (CVE-2014-3513, CVE-2014-3567)
                             19 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere Master Data Management
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3567 CVE-2014-3513 

Reference:         ASB-2014.0127
                   ESB-2014.2177
                   ESB-2014.2169
                   ESB-2014.1910
                   ESB-2014.1872
                   ESB-2014.1871
                   ESB-2014.1858

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21690523

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerabilities in OpenSSL affect IBM InfoSphere Master
Data Management (CVE-2014-3513, CVE-2014-3567)

Document information

More support for:
InfoSphere Master Data Management

Software version:
9.0, 9.2, 9.5, 9.7, 10.0, 10.1, 11.0, 11.3, 11.4

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Software edition:
Advanced Edition, Standard Edition

Reference #:
1690523

Modified date:
2014-11-18

Security Bulletin

Summary

OpenSSL vulnerabilities, along with SSL 3.0 fallback protection
(TLS_FALLBACK_SCSV), were disclosed on October 15, 2014 by the OpenSSL
Project. OpenSSL is used by IBM InfoSphere Master Data Management. IBM
InfoSphere Master Data Management has addressed the applicable CVEs and
included the SSL 3.0 fallback protection (TLS_FALLBACK_SCSV) provided
by OpenSSL.

Vulnerability Details

CVE-ID: CVE-2014-3513
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by
a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP)
extension parsing code. By sending multiple specially-crafted handshake
messages, an attacker could exploit this vulnerability to exhaust all
available memory of an SSL/TLS or DTLS server.

CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97035 for
more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3567

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by
a memory leak when handling failed session ticket integrity checks. By
sending an overly large number of invalid session tickets, an attacker
could exploit this vulnerability to exhaust all available memory of an
SSL/TLS or DTLS server.

CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97036 for
more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
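The product fixes listed below are the remediation for MDM itself. As an added example (not part of the IBM or AusCERT text), the following Python helper triages a stand-alone OpenSSL build against the two CVEs above; the fixed-in versions (1.0.1j, 1.0.0o, 0.9.8zc) come from the OpenSSL Project advisory of 15 October 2014 that this bulletin references, not from the bulletin itself, and OpenSSL's letter-suffixed version scheme is why a plain string comparison gets the answer wrong.

```python
import re
import subprocess

# Fixed-in versions per the OpenSSL Security Advisory of 15 Oct 2014 (not
# listed in this bulletin). CVE-2014-3567 (session ticket leak) and the
# TLS_FALLBACK_SCSV support were shipped in 1.0.1j, 1.0.0o and 0.9.8zc;
# CVE-2014-3513 (DTLS SRTP leak) only affects the 1.0.1 branch, where the
# SRTP extension parser was introduced.
FIXED_IN = {
    "CVE-2014-3513": {"1.0.1": "1.0.1j"},
    "CVE-2014-3567": {"1.0.1": "1.0.1j", "1.0.0": "1.0.0o", "0.9.8": "0.9.8zc"},
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Map '1.0.1j' or 'OpenSSL 0.9.8zc 15 Oct 2014' to a sortable tuple.

    OpenSSL letter suffixes run a..z, then za, zb, ..., so they are ordered
    by (length, letters); a plain string compare would put 0.9.8zc < 0.9.8y.
    """
    m = _VER_RE.search(text.replace("OpenSSL", "").strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), len(letters), letters)


def affected_cves(text):
    """CVEs from this bulletin that the given OpenSSL build still lacks fixes for.

    A branch with no entry for a CVE does not contain the vulnerable code,
    so it is reported clean for that CVE.
    """
    v = parse_version(text)
    branch = "%d.%d.%d" % v[:3]
    return sorted(cve for cve, fixes in FIXED_IN.items()
                  if branch in fixes and v < parse_version(fixes[branch]))


def local_openssl_status():
    """Run the locally installed `openssl version` and triage its output."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), affected_cves(out)


if __name__ == "__main__":
    ver, cves = local_openssl_status()
    print(ver, "->", "fixed" if not cves else "affected by " + ", ".join(cves))
```

For the MDM components named in this bulletin the bundled OpenSSL is replaced by the listed fixes, so this check only applies to OpenSSL installations you manage directly.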

Affected Products and Versions

These vulnerabilities are known to affect the following offerings:

IBM Initiate Master Data Service versions 8.5, 9.0, 9.2, 9.5, 9.7, 10.0,
10.1 (impacts Master Data Engine component, Message Brokers component and
Enterprise Integrator Toolkit component)

IBM Initiate Master Data Service Patient Hub versions 9.5, 9.7 (impacts
Master Data Engine component, Message Brokers component and Enterprise
Integrator Toolkit component)

IBM Initiate Master Data Service Provider Hub versions 9.5, 9.7 (impacts
Master Data Engine component, Message Brokers component and Enterprise
Integrator Toolkit component)

IBM InfoSphere Master Data Management Patient Hub version 10.0 (impacts
Master Data Engine component, Message Brokers component and Enterprise
Integrator Toolkit component)

IBM InfoSphere Master Data Management Provider Hub version 10.0 (impacts
Master Data Engine component, Message Brokers component and Enterprise
Integrator Toolkit component)

IBM InfoSphere Master Data Management Standard/Advanced Edition version
11.0 (impacts Message Brokers component and Enterprise Integrator Toolkit
component)

IBM InfoSphere Master Data Management Standard/Advanced Edition version 11.3
(impacts Message Brokers component)

IBM InfoSphere Master Data Management Standard/Advanced Edition version 11.4
(impacts Message Brokers component)

Remediation/Fixes

For IBM Initiate Master Data Service V8.5:
Apply Fix 8.5.0.111414_IM_Initiate_MasterDataService_ALL_ifix from fix
central.

For IBM Initiate Master Data Service V9.0:
Apply Fix 9.0.0.111414_IM_Initiate_MasterDataService_ALL_ifix from fix
central.

For IBM Initiate Master Data Service V9.2:
Apply Fix 9.2.0.111414_IM_Initiate_MasterDataService_ALL_ifix from fix
central.

For IBM Initiate Master Data Service V9.5:
Apply Fix 9.5.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from
fix central.

For IBM Initiate Master Data Service Patient Hub V9.5:
Apply Fix 9.5.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.

For IBM Initiate Master Data Service Provider Hub V9.5:
Apply Fix 9.5.103114_IM_Initiate_Provider_ALL_RefreshPack from fix central.

For IBM Initiate Master Data Service V9.7:
Apply Fix 9.7.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from
fix central.

For IBM Initiate Master Data Service Patient Hub V9.7:
Apply Fix 9.7.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.

For IBM Initiate Master Data Service Provider Hub V9.7:
Apply Fix 9.7.103114_IM_Initiate_Provider_ALL_RefreshPack from fix central.

For IBM Initiate Master Data Service V10.0:
Apply Fix 10.0.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from
fix central.

For IBM InfoSphere Master Data Management Patient Hub V10.0:
Apply Fix 10.0.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.

For IBM InfoSphere Master Data Management Provider Hub V10.0:
Apply Fix 10.0.103114_IM_Initiate_Provider_ALL_RefreshPack from fix central.

For IBM Initiate Master Data Service V10.1:
Apply Fix 10.1.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from
fix central.

For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.0:
Apply Fix 11.0.0.2-MDM-SE-AE-FP02IF000_FC from fix central.

For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.3:
Apply Fix 11.3.0.1-MDM-SE-AE-FP01IF000_FC from fix central.

For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.4:
Apply Fix 11.4.0.0-MDM-IF001 from fix central.

Workarounds and Mitigations

None known

References
Complete CVSS Guide
On-line Calculator V2

OpenSSL Project vulnerability website (for detail on what versions are
affected)
OpenSSL Advisory on above listed CVEs

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

15 November 2014: Original Version Published

*The CVSS Environmental Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================