Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tealeaf Customer Experience

Summary

OpenSSL vulnerabilities were disclosed on September 22 and 26, 2016 by the OpenSSL Project. OpenSSL is used by IBM Tealeaf Customer Experience. IBM Tealeaf Customer Experience has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2016-6304
DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by multiple memory leaks in t1_lib.c during session renegotiation. By sending an overly large OCSP Status Request extension, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117110 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-6305
DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by an error in SSL_peek(). By sending specially crafted data, a remote authenticated attacker could exploit this vulnerability to cause the service to hang.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117111 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-2177
DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by the incorrect use of pointer arithmetic for heap-buffer boundary checks. By leveraging unexpected malloc behavior, a remote attacker could exploit this vulnerability to trigger an integer overflow and cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113890 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-2178
DESCRIPTION:
OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DSA implementation that allows the following of a non-constant time codepath for certain operations. An attacker could exploit this vulnerability using a cache-timing attack to recover the private DSA key.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113889 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-6307
DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by a memory allocation error in the logic prior to the excessive message length check. By initiating multiple connection attempts, a remote authenticated attacker could send an overly large message to exhaust all available memory resources.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117113 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Tealeaf Customer Experience 8.7-9.0.2

Remediation/Fixes

Product: IBM Tealeaf Customer Experience (all rows). Each row gives the VRMF and the remediation/first fix.

VRMF 9.0.2A
PCA: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.2A_IBMTealeaf_PCA-3732-13_SecurityRollup_FixPack&includeSupersedes=0&source=fc
Tealeaf CX: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.2.5269_9.0.2A_IBMTealeaf_CXUpgrade_FixPack5&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

VRMF 9.0.2
PCA: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.2_IBMTealeaf_PCA-3682-13_SecurityRollup_FixPack&includeSupersedes=0&source=fc
Tealeaf CX: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.2.1283_IBMTealeaf_CXUpgrade_FixPack5&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

VRMF 9.0.1A
PCA: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.1A_IBMTealeaf_PCA-3724-13_SecurityRollup_FixPack&includeSupersedes=0&source=fc
Tealeaf CX: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.1.5118_9.0.1A_IBMTealeaf_CXUpgrade_FixPack6&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

VRMF 9.0.1
PCA: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.1_IBMTealeaf_PCA-3673-13_SecurityRollup_FixPack&includeSupersedes=0&source=fc
Tealeaf CX: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.1.1128_9.0.1_IBMTealeaf_CXUpgrade_FixPack6&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

VRMF 9.0.0, 9.0.0A
You can contact the Technical Support team for guidance.

VRMF 8.8
PCA: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=8.8_IBMTealeaf_PCA-3625-13_SecurityRollup_FixPack&includeSupersedes=0&source=fc
Tealeaf CX: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=8.8.0.9058_IBMTealeaf_CXUpgrade_FixPack10&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

VRMF 8.7
PCA: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=8.7_IBMTealeaf_PCA-3615-13_SecurityRollup_FixPack&includeSupersedes=0&source=fc
Tealeaf CX: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=8.7.1.8859_IBMTealeaf_CXUpgrade_FixPack11&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

Workarounds and Mitigations

Network access to Tealeaf systems should be limited as much as possible.
You can contact the Technical Support team for further guidance.

Change History

16 December 2016: Original version published.
19 May 2017: Add additional releases and update links.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

Security Bulletin History
Submitted for review by Charles Hornig (chornig@us.ibm.com) at 15:04:02 on 11/28/2016.
Security Bulletin Reviewer review completed with comments "review complete" by Guncha Malik (gmalik@in.ibm.com) at 03:25:22 EST on 11/29/2016.
PSIRT Operations review rejected with comments "Remediation Plan specifies 'Code Fix' for v8.7 and v8.8, but Security Bulletin indicates customers should upgrade for versions before 8.7 (no mention of 8.8 in fact). The remediation plan (in addition to security bulletin updates) should be changed to 'Mitigation' for releases requiring an upgrade (i.e. 8.7).
Next line about 'versions before 9.0.2' is also confusing after reading the previous line about '9.0.0, 9.0.0A and versions before 8.7'.
PSIRT Ops Note: Missing code fix details provided (Case: #2, Customers Affected: <15). Legal will review." by Wendell J. Bouknight (bouknigh@us.ibm.com) at 10:57:29 EST on 11/29/2016.
Security Bulletin Reviewer review completed with comments "review complete" by Guncha Malik (gmalik@in.ibm.com) at 13:17:50 EST on 12/07/2016.
PSIRT Operations review completed with comments "Noted that bulletin has placeholder for future links to fixes for 9.0.2 release now scheduled for March 2017. Legal to review missing code fix case #2" by Shryl A. Tidmore (stidmore@us.ibm.com) at 18:43:51 EST on 12/08/2016.
Reviewing Attorney reviewed as more information needed with comments "Remediation plan indicates a code fix will be delivered for 8.6 and 8.7 but bulletin instructs customers to contact Support rather than pointing to a fix. Please clarify." by VANESSA A. WITT (vanewitt@us.ibm.com) at 12:15:16 EST on 12/09/2016.
Modified and submitted for review by Charles Hornig (chornig@us.ibm.com) at 15:48:53 on 12/09/2016.
Security Bulletin Reviewer review rejected with comments "As per security bulletin, fixes will be released only for 9.0.2/ 9.0.2A while the remediation plan indicates fixes will be delivered on v8.7, v8.7, v9.0.1 (9.0.1A) and v9.0.2 (9.0.2A). Please update the bulletin to be in sync with the remediation plan." by Guncha Malik (gmalik@in.ibm.com) at 00:53:49 EST on 12/10/2016.
Modified and submitted for review by Charles Hornig (chornig@us.ibm.com) at 12:39:28 on 12/13/2016.
Security Bulletin Reviewer review completed with comments "review complete. Bulletin will be updated once the fixes for other planned versions are available." by Guncha Malik (gmalik@in.ibm.com) at 12:50:41 EST on 12/13/2016.
PSIRT Operations reviewed as more information needed with comments "Noted that Legal needs to agree to the request for bulletin completion/publication prior to availability of all fixes. Returning this as a similar conversation is needed for 86623." by Wendell J. Bouknight (bouknigh@us.ibm.com) at 13:47:56 EST on 12/13/2016.
Modified and submitted for review by Charles Hornig (chornig@us.ibm.com) at 16:13:06 on 12/13/2016.
Security Bulletin Reviewer review completed with comments "review complete" by Guncha Malik (gmalik@in.ibm.com) at 12:06:54 EST on 12/14/2016.
Security Bulletin Reviewer review completed with comments "PSIRT Ops pushing record forward through process due to restart bug." by Shryl A. Tidmore (stidmore@us.ibm.com) at 17:12:27 EST on 12/14/2016.
PSIRT Operations review completed with comments "Noted meeting was held with legal, passing on to legal for final review." by Shryl A. Tidmore (stidmore@us.ibm.com) at 17:15:28 EST on 12/14/2016.
Reviewing Attorney review completed with comments "Review complete; bulletin will be updated when additional fixes are available in 1Q2017" by VANESSA A. WITT (vanewitt@us.ibm.com) at 11:44:40 EST on 12/15/2016.
Security Bulletin Reviews Complete by deadmin (deadmin) at 11:44:42 EST on 12/15/2016.

Document Information

Modified date:
16 June 2018

UID

swg21994861