-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1631
             Vulnerability patched in IBM DataPower Gateways
                                31 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM DataPower Gateways
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3736
Reference:         ESB-2018.1127
                   ESB-2017.3217
                   ESB-2017.3028
                   ESB-2017.2822

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=swg22016334

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin

Summary

A potential vulnerability has been reported by the OpenSSL project. IBM
DataPower Gateways has addressed the applicable CVE.

Document information

Software version:     7.2, 7.5, 7.5.1, 7.5.2, 7.6, 7.7
Operating system(s):  Firmware
Software edition:     Edition Independent
Reference #:          2016334
Modified date:        30 May 2018

Vulnerability Details

Relevant CVE Information:

CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagation flaw in the x86_64 Montgomery
squaring function bn_sqrx8x_internal(). An attacker with online access to an
unpatched system could exploit this vulnerability to obtain information about
the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134397
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

7.2.0.0-7.2.0.19, 7.5.0.0-7.5.0.14, 7.5.1.0-7.5.1.13, 7.5.2.0-7.5.2.13,
7.6.0.0-7.6.0.6

Remediation/Fixes

Fix is available in versions 7.2.0.20, 7.5.0.13, 7.5.1.14, 7.5.2.14, 7.6.0.7,
and 7.7.0.0.

Refer to APAR IT24881 for URLs to download the fix.

You should verify applying this fix does not cause any compatibility issues.

For DataPower customers using versions 6.x and earlier versions, IBM
recommends upgrading to a fixed, supported version/release/platform of the
product.

Workarounds and Mitigations

None

Change History

25 May 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWw8wiWaOgq3Tt24GAQgxLBAArkOE+QV7CP4Ryawug8GQe3bNlgFcgfy9
reADBdkrUb56I3THMDnULZbKjBXnWPswvk3FSTiNNkRZ4xYoCHW5RVmsQYM+GWHR
L6IQNNugLxiOiDvEmusnyk0nwjBQWLX+mG3Fb9HeaMN4jLUBMqaN9kCqUKfO0d5V
Kx9VAq+ozqh8GqHWSUU3sfKY7Fo+h5qA7cNRdgIVXjem8kcQ/gvgzNtE9H81CZ60
ugFI672fIDMlHINcAk1YmjzAK8rMTA7pcs00zh8Rzz868jGpoUG4/+E+y4MGZMvj
k/791ijXzI1OBhtycJf/stdFBd+K4CnYJYwEPlIwvgZVNoAwsIDekTO/dqYuRGDd
QlpoQul3Y17QWdE/4n0obGwf48wNGk4n5ydGrsGo0aNGYvw1PKEOoCLeO+hmmXmV
JgT27ZFrAO+M3FVLEpzAEMYP6xL8pv6fN+NOiaKKC8Ki0q2h4Aaq0b0aGSTcAikk
+gWzNM7El1Hdcpd2YQnioir2kCfBp5NLY6RSGRh3pSnyfs8UFiT1YmSY1KKcRAXK
xaKu/BDu00F/FZg73osnTcC9y5H20/I1wmDZC2otEvMYe40/SEGm4g6XvqXXDHKv
bSQfa47hsxdrJCI/VtXRibeR/uUrZXYisl1hI3byO5BLgMcR7wIM7nhvMSEzbSFA
JauSIUY5JS4=
=Cmhl
-----END PGP SIGNATURE-----
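A fleet triage helper for this bulletin, added here as an example and not part of the AusCERT or IBM text. It encodes the affected ranges and fixed versions exactly as printed in the Affected Products and Remediation/Fixes sections above and compares firmware versions numerically rather than as strings (so 7.5.0.9 correctly sorts below 7.5.0.14), and it treats 6.x and earlier as out of support per the bulletin. The hostnames and firmware versions in the sample inventory are constructed, and assess(), is_affected() and recommended_fix() are names chosen for this example. One caveat worth checking before relying on it: for the 7.5.0 stream the fix version printed above (7.5.0.13) falls inside the printed affected range (7.5.0.0-7.5.0.14), so the helper reports the lowest listed fix that is strictly newer than the installed version, which for 7.5.0.14 is a cross-stream move; confirm the definitive fix level for that stream against APAR IT24881.

```python
"""Triage helper for ESB-2018.1631 / IBM bulletin 2016334 (CVE-2017-3736).

Added example, not code from AusCERT or IBM. Version data below is
transcribed from the bulletin text; everything else is an assumption.
"""
from __future__ import annotations

# Affected firmware ranges, inclusive, exactly as listed in the bulletin.
AFFECTED_RANGES = [
    ("7.2.0.0", "7.2.0.19"),
    ("7.5.0.0", "7.5.0.14"),
    ("7.5.1.0", "7.5.1.13"),
    ("7.5.2.0", "7.5.2.13"),
    ("7.6.0.0", "7.6.0.6"),
]

# Versions the bulletin says carry the fix, as printed.
FIXED_VERSIONS = ["7.2.0.20", "7.5.0.13", "7.5.1.14", "7.5.2.14", "7.6.0.7", "7.7.0.0"]

# Bulletin: 6.x and earlier are out of support; upgrade to a fixed, supported release.
OLDEST_SUPPORTED_MAJOR = 7


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.5.0.14' into (7, 5, 0, 14), padding missing components with 0.

    Comparing tuples of ints avoids the string-compare bug where
    '7.5.0.9' > '7.5.0.14' because '9' > '1'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range from the bulletin."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str | None:
    """Lowest version in the bulletin's fix list that is strictly newer than `version`.

    Returns None when nothing listed is newer (already at or past the fix level).
    """
    v = parse_version(version)
    newer = [f for f in FIXED_VERSIONS if parse_version(f) > v]
    return min(newer, key=parse_version) if newer else None


def assess(version: str) -> dict:
    """Classify one firmware version against the bulletin."""
    v = parse_version(version)
    unsupported = v[0] < OLDEST_SUPPORTED_MAJOR
    affected = is_affected(version)
    # The bulletin offers no workaround, so the only action in either case is to upgrade.
    needs_action = affected or unsupported
    return {
        "version": version,
        "affected": affected,
        "unsupported": unsupported,
        "action_required": needs_action,
        "upgrade_to": recommended_fix(version) if needs_action else None,
    }


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and firmware levels are made up.
    inventory = {
        "dp-edge-01": "7.5.0.9",
        "dp-edge-02": "7.5.0.14",
        "dp-core-01": "7.6.0.7",
        "dp-legacy-01": "6.0.2.5",
    }
    for host, firmware in inventory.items():
        r = assess(firmware)
        state = "AFFECTED" if r["affected"] else ("OUT OF SUPPORT" if r["unsupported"] else "ok")
        action = f"upgrade to {r['upgrade_to']} (see APAR IT24881)" if r["action_required"] else "no action"
        print(f"{host:14} {firmware:10} {state:15} {action}")
```

Run it against an exported inventory instead of the constructed dictionary; the comparison logic is the part that matters, since a string-sorted spreadsheet column will silently misplace any release whose last component has fewer digits than the range boundary.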