Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.3051
Vulnerability in OpenSSL affects Informix Dynamic Server and CSDK
7 December 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Informix Dynamic Server
IBM Informix Client Software Development Kit
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
OS X
Solaris
Windows
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2015-1788
Reference: ASB-2015.0103
ESB-2015.1540
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21972159
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Vulnerability in OpenSSL affects Informix Dynamic Server
and CSDK (CVE-2015-1788)
Security Bulletin
Document information
More support for:
Informix Tools
Informix Client Software Development Kit (CSDK)
Software version:
3.5, 3.7, 4.1
Operating system(s):
AIX, HP-UX, Linux, OS X, Solaris, Windows
Reference #:
1972159
Modified date:
2015-12-04
Summary
An OpenSSL denial of service vulnerability disclosed by the OpenSSL Project
affects GSKit. Informix Dynamic Server uses GSKit and addressed the applicable
CVE.
Vulnerability Details
CVEID: CVE-2015-1788
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error
when processing an ECParameters structure over a specially crafted binary
polynomial field. A remote attacker could exploit this vulnerability to cause
the application to enter into an infinite loop.
CVSS Base Score: 5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/103778 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
Informix Dynamic Server (IDS) 11.50, 11.70, and 12.10.xC1-xC5 and Client
Software Development Kit (CSDK) 3.50, 3.70, and 4.10 xC1-xC5.
Remediation/Fixes
Upgrade to IDS version 12.10.xC6, otherwise replace GSKit as per chart below.
GSKit 8.0.50.52 is available as a separate package for 11.70 and 12.10, and
for CSDK versions 3.70 and 4.10 products. For Informix Dynamic Server 11.50
and CSDK 3.50, GSKit version 7.0.5.6 is available for download.
Informix Dynamic Server
Product Remediation/ First Fix Download options, based on GSKit
version and OS
12.10.xC1 Install GSKit 8.0.50.52 Linux(32) Linux(64)
through Linux(pSeries32) Linux(pSeriesLE64)
12.10.xC5 Linux (zSeries32) Linux(zSeries64)
Linux(ARM32) Linux(ARM64)
- --------------
Windows(32) Windows(64)
11.70
(all versions) AIX (pSeries32) AIX (pSeries64)
Solaris (Intel32) Solaris (Intel64)
Solaris (SPARC32) Solaris (SPARC64)
HP-UX(IA-32) HP-UX(IA-64)
MacOSX(64)
11.50 Install GSKit 7.0.5.6 Linux(32) Linux (64)
(all versions) Linux (zSeries32) Linux (zSeries64)
Linux(IA-64) Linux (pSeries64)
Windows(32) Windows (64)
AIX (pSeries32) AIX (pSeries64)
Solaris (Intel32) Solaris (Intel-64)
Solaris (SPARC32) Solaris (SPARC64)
HP-UX (RISC32) HP-UX (RISC64)
HP-UX (IA-32) HP-UX (IA-64)
CSDK
Product Remediation/First Fix Download options, based on GSKit
version and OS
4.10.xC1 Install GSKit 8.0.50.52 Linux(32) Linux(64)
through Linux(pSeries32) Linux(pSeriesLE64)
4.10.xFC5 Linux (zSeries32) Linux(zSeries64)
Linux(ARM32) Linux(ARM64)
- ---------------
Windows(32) Windows(64)
3.70
(all versions) AIX (pSeries32) AIX (pSeries64)
Solaris (Intel32) Solaris (Intel64)
Solaris (SPARC32) Solaris (SPARC64)
HP-UX(IA-32) HP-UX(IA-64)
MacOSX(64)
3.50 Install GSKit 7.0.5.6 Linux(32) Linux (64)
(all versions) Linux (zSeries32) Linux (zSeries64)
Linux(IA-64) Linux (pSeries64)
Windows(32) Windows (64)
AIX (pSeries32) AIX (pSeries64)
Solaris (Intel32) Solaris (Intel-64)
Solaris (SPARC32) Solaris (SPARC64)
HP-UX (RISC32) HP-UX (RISC64)
HP-UX (IA-32) HP-UX (IA-64)
IBM recommends upgrading to a fixed, supported version/ release/ platform of
CSDK which includes GSKit 8.0.50.52 or GSKit 7.0.5.6.
*Informix Dynamic Server (IDS 12.10.xC6) is available through Passport
Advantage online, or your Partnerworld Provider
Workarounds and Mitigations
None.
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
Important note
IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
">System z Security web site. Security and integrity APARs and associated
fixes will be posted to this portal. IBM suggests reviewing the CVSS scores
and applying all security or integrity fixes as soon as possible to minimize
any potential risk.
References
Complete CVSS v2 Guide
On-line Calculator v2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
3 December 2015 Publish Date
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVmUcgn6ZAP0PgtI9AQIe4A/6A4f/wcLCP53zFUFQ5i87vyeSgfl/3A7Q
YYx9bfTU6OvQmmRXcaa8M4LalvKrRPW3E54bqIQc9ADHm1l3QbkOoNbRJnGqBocZ
U4KbxjgOi7ZbGjdEsiMh7aNCsy7SHiux6CiYckXFTgWL1mmxRyCR4SiovkHCSYts
n/o6VMGsPU/6kAhA4reldIGx+c4mfI4JsgBO9Yhdq5ExE5j8LecOsjZRXnj4Qzcp
G55Agdn4e8d70e1y+bop/GjIcfAaVsjdMCMR0OQj7oabqP50CYVvZtEXvgRjFqSz
9Buxn62D2a6/TnRsfAGe/U/OaBEeTeOOLz948FYWvy8aC0pxcpbHgyTM6+gg0CHw
2rqqvq7IINDumvGQsd/s2crcvabHPlyS1y64z16EYpi5vN/mqTGoEPDNzr1I9fQk
xc4DztRi1PSVnw/Yy1uR2c3la9Fq1gMvs7q1jsuNxUAOyionpSKMdhgoQR/7ncuO
+NnxzYwOYaadfRFBKrs39xHWW9Y6ZV2rlpy1/zc6r5ZG1v9S9dXt15fWACjeZ6+w
ovUD+1Ir7/2mbqRXI0XFpiCLdRw62mhJy8gzgJcr8F19d4U48D9rW2A+klio31Cl
yILFqX0futlPLRjzc1GoJPc6QlK5DvdiY2rmQCgCB+qop5NyPkgDdSJQhYcy7sgx
WtiSvHbdG0I=
=8a5t
-----END PGP SIGNATURE-----