IBM Support

IBM XIV storage systems (MTM 2810-A14, 2812-A14) and IBM XIV Storage System Gen3 (MTM 2810-114, 2812-114) might use SSLv2 and/or weak keys

Flashes (Alerts)


Abstract

On IBM XIV storage systems (MTM 2810-A14, 2812-A14) running code levels below 10.2.4.e and on IBM XIV Storage System Gen3 (MTM 2810-114, 2812-114) running code levels below 11.1.1, the OpenSSL management interface will preferentially negotiate SSLv2 and/or weak keys.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2012-2187

DESCRIPTION:


On systems with the specified code levels, the OpenSSL management interface will preferentially negotiate SSLv2 and/or weak keys.


CVSS:


CVSS Base Score: 7.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)


AFFECTED PLATFORMS:


IBM XIV Storage System (MTM 2810-A14, 2812-A14) running code level below 10.2.4.e and IBM XIV Storage System Gen3 (MTM 2810-114, 2812-114) running code level below 11.1.1 are affected by this problem.


REMEDIATION:


Code upgrade.


Vendor Fix(es):


For IBM XIV Storage System (MTM 2810-A14, 2812-A14), upgrade to 10.2.4.e code and have IBM service personnel modify the system configuration to disable both SSLv2 and support for encryption keys shorter than 128 bits.

For IBM XIV Storage System Gen3 (MTM 2810-114, 2812-114), upgrade to 11.1.1 code and have IBM service personnel modify the system configuration to disable both SSLv2 and support for encryption keys shorter than 128 bits.




Workaround:


None


Mitigation(s):


Before the code upgrade and the modification of the configuration files, ensure that your SSL clients do not require SSLv2 or weak keys.
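One way to check a client's or server's cipher list against the two conditions named in the vendor fix (no SSLv2, no keys under 128 bits). This is an added example, not IBM code; it assumes input in the column layout printed by `openssl ciphers -v`, and the sample listing and function names are constructed for illustration.

```python
import re

MIN_BITS = 128  # threshold stated in the advisory's vendor fix

# Constructed sample in the `openssl ciphers -v` column layout (assumption).
SAMPLE = """\
AES256-SHA    SSLv3 Kx=RSA      Au=RSA Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA  SSLv3 Kx=RSA      Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5       SSLv2 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
DES-CBC-SHA   SSLv3 Kx=RSA      Au=RSA Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5   SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5 export
NULL-SHA      SSLv3 Kx=RSA      Au=RSA Enc=None      Mac=SHA1
"""

ENC_RE = re.compile(r"^Enc=[^()]+(?:\((?P<bits>\d+)\))?$")

def audit_line(line):
    """Return (cipher, protocol, reasons); an empty reasons list means the suite passes."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"unexpected cipher listing line: {line!r}")
    name, proto = fields[0], fields[1]
    reasons = []
    if proto.upper() == "SSLV2":
        reasons.append("SSLv2")
    enc = next((f for f in fields[2:] if f.startswith("Enc=")), None)
    match = ENC_RE.match(enc) if enc else None
    if match is None:
        reasons.append("unparsed Enc field")  # fail closed on unknown layout
    else:
        # Enc=None (no encryption) carries no bit count; treat it as 0 bits.
        bits = int(match.group("bits") or 0)
        if bits < MIN_BITS:
            reasons.append(f"{bits}-bit key")
    return name, proto, reasons

def audit(listing):
    """Return only the suites that violate the SSLv2 or key-length condition."""
    results = (audit_line(l) for l in listing.splitlines() if l.strip())
    return [r for r in results if r[2]]

if __name__ == "__main__":
    for name, proto, reasons in audit(SAMPLE):
        print(f"{name} ({proto}): {', '.join(reasons)}")
```

The same function can be fed the output of `openssl ciphers -v` for the cipher string a management client is configured with, so that any suite it reports can be removed before the storage system's configuration is tightened.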


RELATED INFORMATION:


· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database
· CVE-2012-2187

· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Information

Modified date:
25 September 2022

UID

ssg1S1004218