-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1359
 Security Bulletin: Multiple vulnerabilities affect IBM Rational ClearCase
                                31 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational ClearCase
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated      
                   Modify Arbitrary Files         -- Remote/Unauthenticated      
                   Denial of Service              -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2108 CVE-2016-0702 CVE-2016-0201
                   CVE-2015-7575 CVE-2015-7420 CVE-2015-4893
                   CVE-2015-4872 CVE-2015-4803 CVE-2015-3196
                   CVE-2015-3194 CVE-2015-1791 CVE-2015-1789
                   CVE-2015-1788  

Reference:         ASB-2016.0043
                   ASB-2016.0004
                   ASB-2015.0103

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21976573
   http://www.ibm.com/support/docview.wss?uid=swg21974270
   http://www.ibm.com/support/docview.wss?uid=swg21976611

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin:  Multiple vulnerabilities in IBM Java Runtime affect IBM
Rational ClearCase (CVE-2015-7575, CVE-2015-4872, CVE-2015-4893,
CVE-2015-4803)

Security Bulletin

Document information

More support for:

Rational ClearCase

ClearCase Remote Client

Software version:

7.1, 7.1.0.1, 7.1.0.2, 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3, 7.1.1.4, 7.1.1.5,
7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3,
7.1.2.4, 7.1.2.5, 7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11,
7.1.2.12, 7.1.2.13, 7.1.2.14, 7.1.2.15, 7.1.2.16, 7.1.2.17, 7.1.2.18, 8.0,
8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8,
8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14, 8.0.0.15,
8.0.0.16, 8.0.0.17, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5,
8.0.1.6, 8.0.1.7, 8.0.1.8, 8.0.1.9, 8.0.1.10, 9.0.0

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1976573

Modified date:

2016-05-27

Summary

There are multiple vulnerabilities in IBM Runtime Environment Java Technology
Edition, Versions 6, 7 and 8 that are used by IBM Rational ClearCase. These
issues were disclosed as part of the IBM Java SDK updates in October 2015 and
January 2016 and include the vulnerability commonly referred to as "SLOTH".

Vulnerability Details

CVEID:

CVE-2015-7575

DESCRIPTION:

The TLS protocol could allow weaker than expected security caused by a
collision attack when using the MD5 hash function for signing a
ServerKeyExchange message during a TLS handshake. An attacker could exploit
this vulnerability using man-in-the-middle techniques to impersonate a TLS
server and obtain credentials. This vulnerability is commonly referred to as
SLOTH.

CVSS Base Score: 7.1

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/109415

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N)

CVEID:

CVE-2015-4872

DESCRIPTION:

An unspecified vulnerability related to the Security component has no
confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 5

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107361

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:

CVE-2015-4893

DESCRIPTION:

An unspecified vulnerability related to the JAXP component could allow a
remote attacker to cause a denial of service.

CVSS Base Score: 5

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107359

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:

CVE-2015-4803

DESCRIPTION:

An unspecified vulnerability related to the JAXP component could allow a
remote attacker to cause a denial of service.

CVSS Base Score: 5

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107358

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM Rational ClearCase, versions 7.1.0.x, 7.1.1.x, 7.1.2.x, 8.0.0.x, 8.0.1.x,
and 9.0 in the following components:

CCRC WAN server/CM Server component, when configured to use SSL

ClearCase remote client: CCRC/CTE GUI, rcleartool, and CMAPI clients, when
using SSL to access a CCRC WAN Server/CM Server

ClearCase version                             Status
9.0                                           Affected only by CVE-2015-7575
8.0.1 through 8.0.1.10                        Affected
8.0 through 8.0.0.17                          Affected
7.1.0.x                                       Affected
7.1.1.x
7.1.2.x
(all versions and fix packs)

Remediation/Fixes

The solution is to install a fix that includes an updated Java Virtual
Machine with fixes for the issues, and to apply fixes for WebSphere
Application Server (WAS).

CCRC Client fixes

Apply the relevant fixes as listed in the table below.

Affected Versions	Applying the fix
9.0			Install Rational ClearCase Fix Pack 1 (9.0.0.01) for 9.0
			
8.0.1 through 8.0.1.10	Install Rational ClearCase Fix Pack 11 (8.0.1.11) for 8.0.1
			
8.0 through 8.0.0.17	Install Rational ClearCase Fix Pack 18 (8.0.0.18) for 8.0
			
7.1.2.x (all fix packs)	Customers on extended support contracts should contact Customer Support.
7.1.1.x (all fix packs)
7.1.0.x (all fix packs)
	
Notes:

If you use CCRC as an extension offering installed into an Eclipse shell (one
not provided as part of a ClearCase release), or you use rcleartool or CMAPI
using a Java Virtual Machine not supplied by IBM as part of Rational
ClearCase, you should update the Java Virtual Machine you use to include a
fix for the above issues. Contact the supplier of your Java Virtual Machine
and/or the supplier of your Eclipse shell.

CCRC WAN server fixes

1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC
profile directory (either the profile you specified when installing
ClearCase, or <ccase-home>/common/ccrcprofile), then execute the script:
bin/versionInfo.sh (UNIX) or bin\versionInfo.bat (Windows). The output includes 
a section "IBM WebSphere Application Server". Make note of the version listed 
in this section.

2. Review the following WAS security bulletin:

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere
Application Server January 2016 CPU

and apply the latest available fix for the version of WAS used for CCRC WAN
server.

Note:

there may be newer security fixes for WebSphere Application Server. Follow
the link below (in the section "Get Notified about Future Security
Bulletins") to subscribe to WebSphere product support alerts for additional
Java SDK fixes.

Affected Versions	Applying the fix
8.0.0.x			Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary.
8.0.1.x
9.0 			

7.1.2.x (all fix packs)	Customers on extended support contracts should contact customer support.
7.1.1.x (all fix packs)
7.1.0.x (all fix packs) 

For 7.0.x and 7.1.x and earlier releases, IBM recommends upgrading to a
fixed, supported version/release/platform of the product.

Workarounds and Mitigations

For CVE-2015-7575, the following workaround is available for ClearCase 9.0,
which uses Java 7 or Java 8 (depending on platform).

If you are unable to apply the fix pack, you may use this temporary change on
every CTE/CMAPI/rcleartool client.

The administrator can address the issue on clients by updating the file
/opt/rational/common/java/jre/lib/security/java.security (UNIX) or
RationalSDLC\common\JAVA\jre\lib\security\java.security (Windows) as follows 
(both steps are required):

- - Add MD5 to the jdk.certpath.disabledAlgorithms property - e.g.
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024,MD5

- - Add MD5withRSA to the jdk.tls.disabledAlgorithms property - e.g.
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA

Java 6 (used by ClearCase 8.0 and 8.0.1) requires code changes in the JSSE
component in addition to the java.security file modifications, so upgrading
the JDK is the only solution.

Get Notified about Future Security Bulletins

Subscribe to

My Notifications

to be notified of important product support alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the

System z Security web site

Security and integrity APARs and associated fixes will be posted to this 
portal. IBM suggests reviewing the CVSS scores and applying all security or 
integrity fixes as soon as possible to minimize any potential risk. 

References

Complete CVSS v2 Guide

On-line Calculator v2

Complete CVSS v3 Guide

On-line Calculator v3

IBM Java SDK October 2015 Security Bulletin

IBM Java SDK January 2016 Security Bulletin

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

* 17 March 2016: Originally published

* 26 April 2016: Updated with test fix for ClearCase 9.0

* 27 May 2016: Updated to refer to fix packs

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: A vulnerability in the GSKit component of IBM Rational
ClearCase (CVE-2016-0201)

Security Bulletin

Document information

More support for:

Rational ClearCase

Integrations: IBM

Software version:

7.1.2.9, 7.1.2.10, 7.1.2.11, 7.1.2.12, 7.1.2.13, 7.1.2.14, 7.1.2.15,
7.1.2.16, 7.1.2.17, 7.1.2.18, 7.1.2.19, 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3,
8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11,
8.0.0.12, 8.0.0.13, 8.0.0.14, 8.0.0.15, 8.0.0.16, 8.0.0.17, 8.0.1, 8.0.1.1,
8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.0.1.7, 8.0.1.8, 8.0.1.9,
8.0.1.10

Operating system(s):

Windows

Reference #:

1974270

Modified date:

2016-05-27

Summary

A vulnerability has been addressed in the GSKit component of IBM Rational
ClearCase.

Vulnerability Details

CVEID:

CVE-2016-0201

DESCRIPTION:

IBM GSKit could allow a remote attacker to obtain sensitive information,
caused by an MD5 collision. An attacker could exploit this vulnerability to
obtain authentication credentials.

CVSS Base Score: 5.9

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/109310

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

CCRC WAN Server:

Rational ClearCase versions from 7.1.2.9 through 7.1.2.18, 8.0 through
8.0.0.17, and 8.0.1 through 8.0.1.10, all platforms.

CMI and OSLC integrations:

Rational ClearCase versions from 7.1.2.9 through 7.1.2.18, 8.0.0.4 through
8.0.0.17, and 8.0.1 through 8.0.1.10, Windows only.

The IBM GSKit is used if ClearCase on Windows platforms is configured to
integrate with IBM Rational ClearQuest, Rational Team Concert, or Jira with
communication over SSL (https). This applies to any integration using Change
Management Interface (CMI), and to non-CMI based UCM-enabled CQ integration
via OSLC. If your ClearCase deployment is not using these integrations, or
not using SSL with the integrations, then your deployment is not sensitive to
this attack.

The UCM-enabled CQ integration without using OSLC (SQUID) is not sensitive to
this attack.

CMI and OSLC integrations

ClearCase Windows Client or WAN server Version                             Status
8.0.1 through 8.0.1.10                                                     Affected if you use CMI or OSLC integrations, or CCRC WAN server
8.0.0.4 through 8.0.0.17                                                   Affected if you use CMI or OSLC integrations, or CCRC WAN server
8.0 through 8.0.0.3                                                        Affected only if you use CCRC WAN server
7.1.2.9 through 7.1.2.18                                                   Affected if you use CMI or OSLC integrations, or CCRC WAN server
7.1.2 through 7.1.2.8                                                      Not affected
7.1.0.x, 7.1.1.x                                                           Not affected

Remediation/Fixes

CCRC WAN Server:

Apply an IHS fix for the issue:

1. Determine the IHS version used by your CCRC WAN server. Navigate to the IBM
HTTP Server installation directory (typically /opt/ibm/HTTPServer or 
C:\Program Files (x86)\IBM\HTTPServer), then execute the script: 
bin/versionInfo.sh (UNIX) or bin\versionInfo.bat (Windows). The output 
includes a section "IBM HTTP Server for WebSphere Application Server". Make 
note of the version listed in this section.

2. Review the following IHS security bulletin for the available fixes:

Security Bulletin:Vulnerabilities in the GSKit component of IBM HTTP Server
(CVE-2016-0201 and CVE-2015-7420)

Note:

there may be newer security fixes for IBM HTTP Server. Follow the link below
(in the section "Get Notified about Future Security Bulletins") to subscribe
to WebSphere product support alerts for additional security fixes.

3. Apply the relevant fixes to your IBM HTTP Server installation used on your
CCRC WAN server host. No ClearCase-specific steps are necessary.

CMI and OSLC integrations

The solution is to install a newer, fixed version of the GSKit runtime 
component. 

Affected Versions                             Applying the fix
8.0.1 through 8.0.1.10                        Install Rational ClearCase Fix Pack 11 (8.0.1.11) for 8.0.1
8.0.0.4 through 8.0.0.17                      Install Rational ClearCase Fix Pack 18 (8.0.0.18) for 8.0
7.1.2.x (all fix packs)                       Customers on extended support contracts should contact Customer Support.
7.1.1.x (all fix packs)
7.1.0.x (all fix packs)

For affected 7.1.x and 7.0.x releases, IBM recommends upgrading to a fixed,
supported version of the product.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to

My Notifications

to be notified of important product support alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the

System z Security web site

Security and integrity APARs and associated fixes will be posted to this
portal. IBM suggests reviewing the CVSS scores and applying all security or
integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

* 28 January 2016: Original version published

* 27 May 2016: Revised for new fix packs

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearCase
(CVE-2015-3194, CVE-2015-3196, CVE-2016-0702)

Security Bulletin

Document information

More support for:

Rational ClearCase

Perl: ratlperl

Software version:

7.1, 7.1.0.1, 7.1.0.2, 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3, 7.1.1.4, 7.1.1.5,
7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3,
7.1.2.4, 7.1.2.5, 7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11,
7.1.2.12, 7.1.2.13, 7.1.2.14, 7.1.2.15, 7.1.2.16, 7.1.2.17, 7.1.2.18,
7.1.2.19, 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7,
8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14, 8.0.0.15,
8.0.0.16, 8.0.0.17, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5,
8.0.1.6, 8.0.1.7, 8.0.1.8, 8.0.1.9, 8.0.1.10, 9.0.0

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1976611

Modified date:

2016-05-27

Summary

OpenSSL vulnerabilities were disclosed on December 3, 2015 and March 1, 2016
by the OpenSSL Project. OpenSSL is used by IBM Rational ClearCase. IBM
Rational ClearCase has addressed the applicable CVEs.

Vulnerability Details

CVEID:

CVE-2015-3194

DESCRIPTION:

OpenSSL is vulnerable to a denial of service, caused by a NULL pointer
dereference when verifying certificates via a malformed routine. An attacker
could exploit this vulnerability using signature verification routines with
an absent PSS parameter to cause any certificate verification operation to
crash.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/108503

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-3196

DESCRIPTION:

OpenSSL is vulnerable to a denial of service, caused by a race condition when
PSK identity hints are received by a multi-threaded client and the SSL_CTX
structure is updated with the incorrect value. An attacker could exploit this
vulnerability to possibly corrupt memory and cause a denial of service.

CVSS Base Score: 3.7

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/108505

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2016-0702

DESCRIPTION:

OpenSSL could allow a local attacker to obtain sensitive information, caused
by a side-channel attack against a system based on the Intel Sandy-Bridge
microarchitecture. An attacker could exploit this vulnerability to recover
RSA keys.

CVSS Base Score: 2.9

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/111144

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Rational ClearCase versions:

Version                             Status
9.0                                 Affected only by CVE-2016-0702
8.0.1 through 8.0.1.10              Affected
8.0 through 8.0.0.17                Affected
7.1.0.x, 7.1.1.x (all versions)     Affected
7.1.2 through 7.1.2.18

Not all deployments of Rational ClearCase use OpenSSL in a way that is affected
by these vulnerabilities.

You are vulnerable if your use of Rational ClearCase includes any of these 
configurations: 

1. You use the base ClearCase/ClearQuest integration client on any platform,
configured to use SSL to communicate with a ClearQuest server.

2. You use the UCM/ClearQuest integration on UNIX/Linux clients, configured to
use SSL to communicate with a ClearQuest server.

Note:

Windows clients using the UCM/ClearQuest integration are not vulnerable.

3. On UNIX/Linux clients, you use the Change Management Integrations for base
ClearCase with ClearQuest or Rational Team Concert (RTC), or for UCM with
ClearQuest or RTC, or for Jira, when configured to use SSL to communicate
with the server.

Note:

Windows clients using the CMI integration are not vulnerable.

4. You use ratlperl, ccperl, or cqperl to run your own perl scripts, and
those scripts use SSL connections.

Remediation/Fixes

Apply a fix pack as listed in the table below. The fix pack includes OpenSSL
1.0.1s.

Affected Versions                             Applying the fix
9.0                                           Install Rational ClearCase Fix Pack 1 (9.0.0.01) for 9.0
8.0.1 through 8.0.1.10                        Install Rational ClearCase Fix Pack 11 (8.0.1.11) for 8.0.1
8.0 through 8.0.0.17                          Install Rational ClearCase Fix Pack 18 (8.0.0.18) for 8.0
7.1.2.x (all fix packs)                       Customers on extended support contracts should contact Customer Support.
7.1.1.x (all fix packs)
7.1.0.x (all fix packs)

Note:

A fix for CVE-2016-2108 was provided in OpenSSL version 1.0.1o and a fix for
CVE-2015-3196 was provided in OpenSSL version 1.0.1p. Both issues were
previously addressed by the fixes listed in

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearCase
(CVE-2015-1788, CVE-2015-1789, CVE-2015-1791)

For 7.0.x, 7.1.x and earlier releases, IBM recommends upgrading to a fixed,
supported version/release/platform of the product.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to

My Notifications

to be notified of important product support alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the

System z Security web site

Security and integrity APARs and associated fixes will be posted to this
portal. IBM suggests reviewing the CVSS scores and applying all security or
integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

OpenSSL Project vulnerability website

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

* 27 May 2016: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV00F2H6ZAP0PgtI9AQLm6g//Z19dmqtlbKX1mKGSYFxBm182O8dtOEcl
rXrnXJpvWJHQpMcKI7iT8XbO9RkdIbvGNf7oevw+HzWEKhNE8zjlRg7ihRYbbRXq
KaQnsyMnRqoHfYAqgnLeHhBV9PY0kZ8XkCJfeAqwJwVP+AMvwxOxVQEZhkgpvTKZ
mWddswRDnPLd70QeZS/STEcBUdwUWDTAPzCjUQ/RuJGUPF9jVfgKl3dbe8xLQRbr
qoqkkGXqLAmn9Zp3oIub4U+o9CKYDmi0YgoXUQnoSo7D09irmxu8rYjVawJqRE4C
2MPUQO4xYYFj1Mqe85LLYOYceu2i+2PsQ1Ux/pj5bsmb0854txfpcxWGu2VC/TDv
ejfkoPUqbgROpp8XA3njikE+eN/hNmmqaM58sZtLrOJKmN1kOPZSFZkf2v2zvKEE
wnmO1Gh1GJZlRgCAoxCxVgEkFFPVRClio5GEapBn55ox/+JvB96k0MwYgJjHAQ+j
kpPqC41B0Zv5wDQkuBAkCoRyyEp9WMtKPBfRG+Pr+DMG9VRBDPwLtW6JDUId48Z2
Gs3MDw1SIKgQc3NFI6jvd30sjjTIrW46PLeE4QoK0dmHpPFhr+x1sJ6U4uwfS2fs
tQhreNdSVprO2IP8GRwkO3T0JTmMLDmR1AkeoZzJwtQDJAKz3xNLgpib7kFBlDiV
bvxhkHkcz7w=
=ICo1
-----END PGP SIGNATURE-----