IBM Support

Security Bulletin: Multiple security vulnerabilities have been identified in Open SSL, which is shipped with IBM Tivoli Network Manager IP Edition.

Created by Anonymous (not verified) on
Published URL:
https://www.ibm.com/support/pages/node/303657
303657

Security Bulletin


Summary

Open SSL is shipped with IBM Tivoli Network Manager IP Edition version 3.9. Information about security vulnerabilities affecting Open SSL has been published here.

Vulnerability Details

CVEID: CVE-2017-3735
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAdressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131047 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Tivoli Network Manager IP Edition v3.9 Fix Pack 4 & Fix Pack 5.

Remediation/Fixes

IBM Tivoli Network Manager IP Edition 3.9

IJ02240Please call IBM service and reference APAR IJ02240, to obtain a fix.

Workarounds and Mitigations

Note that only IBM Tivoli Network Manager IP Edition v3.9 customers using SSL based (HTTPS supporting) perl collectors are affected by the security issues described herein.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Please also note the end of support announcement from 12 September 2017 for selected Netcool product versions.
You can find detailed information on whether the product version you have installed in your environment is affected by this end of service announcement by following the Netcool End of Support Knowledge Collection. If your product version is affected, IBM recommend to upgrade your product version to the latest supported version of your product.
Please contact your IBM account manager for any question you might have or for any assistance you may require for upgrading an end of service announced offering.

Change History

Feb 12 2018 - Initial version published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSSHRK","label":"Tivoli Network Manager IP Edition"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"3.9","Edition":"FP4;FP5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 June 2023

UID

swg22013041

Page Feedback