Security Bulletin
Summary
OpenSSL vulnerabilities were discllossed by the OpenSSL Project in October and November of 2018. IBM Spectrum Protect Plus uses OpenSSL and has addressed the applicable CVEs.
20 February 2020 - Changed fixing level from 10.1.5 to 10.1.5 patch1.
21 February 2020 - Provided link to 10.1.5 patch1.
Vulnerability Details
DESCRIPTION: The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152086 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-0734
DESCRIPTION: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152085 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-5407
DESCRIPTION: Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152484 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
Affected Product(s) | Version(s) |
IBM Spectrum Protect Plus | 10.1.0-10.1.5 |
Remediation/Fixes
Spectrum Protect Plus Release |
First Fixing VRM Level |
Platform | Link to Fix |
10.1 | 10.1.5 patch1 | Linux | https://www.ibm.com/support/pages/node/1072392 |
Workarounds and Mitigations
Get Notified about Future Security Bulletins
References
Change History
14 February 2020: Initial Publication
20 February 2020 - Changed fixing level from 10.1.5 to 10.1.5 patch1
21 February 2020 - Added download for 10.1.5 patch1
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
21 February 2020
UID
ibm12495343