-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1963
  A security vulnerability has been identified in OpenSSL, which is shipped
       with IBM Tivoli Network Manager IP Edition (CVE-2018-5407)
                                3 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Network Manager IP Edition
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5407

Reference:         ASB-2019.0060
                   ESB-2019.1648
                   ESB-2019.1615
                   ESB-2019.1286

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10884276

- --------------------------BEGIN INCLUDED TEXT--------------------

A security vulnerability has been identified in OpenSSL, which is shipped with
IBM Tivoli Network Manager IP Edition (CVE-2018-5407)

Product:             Tivoli Network Manager IP Edition
Software version:    3.9
Operating system(s): AIX, Linux, Solaris, Windows, z/OS
Reference #:         0884276

Security Bulletin

Summary

OpenSSL is shipped with IBM Tivoli Network Manager IP Edition version 3.9.
Information about a security vulnerability affecting OpenSSL has been published
here.

Vulnerability Details

CVEID: CVE-2018-5407
DESCRIPTION: Multiple SMT/Hyper-Threading architectures and processors could
allow a local attacker to obtain sensitive information, caused by execution
engine sharing on Simultaneous Multithreading (SMT) architecture. By using the
PortSmash new side-channel attack, an attacker could run a malicious process
next to legitimate processes using the architecture's parallel thread running
capabilities to leak encrypted data from the CPU's internal processes. Note:
This vulnerability is known as PortSmash.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152484
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Tivoli Network Manager IP Edition v3.9 Fix Pack 4 & Fix Pack 5.

Remediation/Fixes

+-------------------+--------------------+--------------------------------------------------------------+
|IBM Tivoli Network |APAR IJ15786        |Please contact IBM support and reference APAR IJ15786, to     |
|Manager IP Edition |                    |obtain a fix.                                                 |
|3.9 FP4 and FP5    |                    |                                                              |
+-------------------+--------------------+--------------------------------------------------------------+

Workarounds and Mitigations

Only customers on ITNM v3.9 FP4 or FP5 who have Java SSL Collectors enabled may
be affected. These collectors are not enabled by default.

Change History

29 May 2019 - Initial Version Published.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from following
or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXPRqeGaOgq3Tt24GAQj7Vg//a2bbp2BFlURJPugU6nWY+Sc3tzYnEew6
Vis3MF50paW0RK573Ku65SrkIP9JybMqHjC8c2M6Hox/3iquLrSrVPhE/vu1IzoX
jWQ+2ZWda7r5aoqGX5vWF+b4wVeFafFznF5kZpDO4V+0fEm5QW/UDS8tg8APoitE
K7xZ6pQybfn8u8Qt+0aTcorA961Gosiqe3kqqPy4xW3YDRcVfz3YA0u8Hktkzv5m
ZR28XIt0z+btONW9w9TGhU9eSgAAEpQu94VUUQZm9M3OO5R/4SvgkIrNeybDpOrI
F1kGDyqHvdOu5mmAsj9kgfEb1cPZw80k0e5xpB8omwBMc+DadrYV0kh5AhoMHyw/
U6SBafVLPPJ8KRmhg1F5CG/HQQdTAsCRfAvZirxOSA5mAB4Sf0Al2STksHLdO3L+
4et/wzs2gHwPLslMOw37tR1CY2Rln5kViV0dohHPhFXi2nWcJ9Gmfz4MDP9KuFpc
bg8ACcVbqgTzraAKCkhR86OJr4jfpAgid8sn8j4z7XqaeX371YzNdzW8Ufm1C+ov
2eXwZS3l2I+EDNtEbc10euOyKhVDQcDrypOJraf17vV4/ofjm8xSgl75BTycrEp0
2zR034lYvk/6tiTcm80/ovloAA8c3llSeMKAxldXL/7Mr2nMtXNAOWbSkMv24twX
mA4Q3e3dSIc=
=qpAT
-----END PGP SIGNATURE-----