Security Bulletin
Summary
OpenSSL vulnerabilities along with SSL 3 Fallback protection (TLS_FALLBACK_SCSV) were disclosed on October 15, 2014 by the OpenSSL Project. OpenSSL is used by IBM InfoSphere Master Data Management. IBM InfoSphere Master Data Management has addressed the applicable CVEs and included the SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) provided by OpenSSL.
Vulnerability Details
CVE-ID: CVE-2014-3513
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97035 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3567
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97036 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
These vulnerabilities are known to affect the following offerings:
·IBM Initiate Master Data Service versions 8.5, 9.0, 9.2, 9.5, 9.7, 10.0, 10.1 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)
·IBM Initiate Master Data Service Patient Hub versions 9.5, 9.7 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)
·IBM Initiate Master Data Service Provider Hub versions 9.5, 9.7 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)
·IBM InfoSphere Master Data Management Patient Hub version 10.0 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkitcomponent)
·IBM InfoSphere Master Data Management Provider Hub version 10.0 (impacts Master Data Engine component, Message Brokers component and Enterprise Integrator Toolkit component)
· IBM InfoSphere Master Data Management Standard/Advanced Edition version 11.0 (impacts Message Brokers component and Enterprise Integrator Toolkit component)
· IBM InfoSphere Master Data Management Standard/Advanced Edition version 11.3 (impacts Message Brokers component)
· IBM InfoSphere Master Data Management Standard/Advanced Edition version 11.4 (impacts Message Brokers component)
Remediation/Fixes
For IBM Initiate Master Data Service V8.5:
· Apply Fix 8.5.0.111414_IM_Initiate_MasterDataService_ALL_ifix from fix central.
For IBM Initiate Master Data Service V9.0:
· Apply Fix 9.0.0.111414_IM_Initiate_MasterDataService_ALL_ifix from fix central.
For IBM Initiate Master Data Service V9.2:
· Apply Fix 9.2.0.111414_IM_ Initiate_MasterDataService_ALL_ifix from fix central.
For IBM Initiate Master Data Service V9.5:
· Apply Fix 9.5.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central.
For IBM Initiate Master Data Service Patient Hub V9.5:
· Apply Fix 9.5.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.
For IBM Initiate Master Data Service Provider Hub V9.5:
· Apply Fix 9.5.103114_IM_Initiate_Provider_ALL_RefreshPack from fix central.
For IBM Initiate Master Data Service V9.7:
· Apply Fix 9.7.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central.
For IBM Initiate Master Data Service Patient Hub V9.7:
· Apply Fix 9.7.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.
For IBM Initiate Master Data Service Provider Hub V9.7:
· Apply Fix 9.7.103114_IM_Initiate_Provider_ALL_RefreshPack from fix central.
For IBM Initiate Master Data Service V10.0:
· Apply Fix 10.0.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central.
For IBM InfoSphere Master Data Management Patient Hub V10.0:
· Apply Fix 10.0.103114_IM_Initiate_Patient_ALL_RefreshPack from fix central.
For IBM InfoSphere Master Data Management Provider Hub V10.0:
· Apply Fix 10.0.103114_IM_Initiate_Provider_ALL_RefreshPack from fix central.
For IBM Initiate Master Data Service V10.1:
· Apply Fix 10.1.103114_IM_Initiate_MasterDataService_ALL_RefreshPack from fix central.
For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.0:
· Apply Fix 11.0.0.2-MDM-SE-AE-FP02IF000_FC from fix central.
For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.3:
· Apply Fix 11.3.0.1-MDM-SE-AE-FP01IF000_FC from fix central.
For IBM InfoSphere Master Data Management Standard/Advanced Edition V11.4:
· Apply Fix 11.4.0.0-MDM-IF001 fromfix central.
Workarounds and Mitigations
None known
Get Notified about Future Security Bulletins
References
OpenSSL Project vulnerability website(for detail on what versions are affected)
OpenSSL Advisory on above listed CVEs
Change History
15 November 2014: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
27 April 2022
UID
swg21690523