===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1963
 A security vulnerability has been identified in OpenSSL, which is shipped
        with IBM Tivoli Network Manager IP Edition (CVE-2018-5407)
                                3 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Network Manager IP Edition
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5407  

Reference:         ASB-2019.0060
                   ESB-2019.1648
                   ESB-2019.1615
                   ESB-2019.1286

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10884276

--------------------------BEGIN INCLUDED TEXT--------------------

A security vulnerability has been identified in OpenSSL, which is shipped with
IBM Tivoli Network Manager IP Edition (CVE-2018-5407)

Product:             Tivoli Network Manager IP Edition
Software version:    3.9
Operating system(s): AIX, Linux, Solaris, Windows, z/OS
Reference #:         0884276

Security Bulletin

Summary

OpenSSL is shipped with IBM Tivoli Network Manager IP Edition version 3.9.
Information about a security vulnerability affecting OpenSSL has been
published here.

Vulnerability Details

CVEID: CVE-2018-5407
DESCRIPTION: Multiple SMT/Hyper-Threading architectures and processors could
allow a local attacker to obtain sensitive information, caused by execution
engine sharing on Simultaneous Multithreading (SMT) architectures. By using the
new PortSmash side-channel attack, an attacker could run a malicious process
next to legitimate processes, using the architecture's parallel thread running
capabilities to leak encrypted data from the CPU's internal processes. Note:
This vulnerability is known as PortSmash.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152484
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Tivoli Network Manager IP Edition v3.9 Fix Pack 4 & Fix Pack 5.

Remediation/Fixes

+-------------------+--------------------+--------------------------------------------------------------+
|IBM Tivoli Network |APAR IJ15786        |Please contact IBM support and reference APAR IJ15786, to     |
|Manager IP Edition |                    |obtain a fix.                                                 |
|3.9 FP4 and FP5    |                    |                                                              |
+-------------------+--------------------+--------------------------------------------------------------+

Workarounds and Mitigations

Only customers on ITNM v3.9 FP4 or FP5 who have Java SSL Collectors enabled may
be affected. These collectors are not enabled by default.

Change History

29 May 2019 - Initial Version Published.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================