Security Bulletin
Summary
The IBM PureData System for Operational Analytics is affected by multiple vulnerabilities in SSLv3 and OpenSSL.
Vulnerability Details
CVEID: CVE-2014-3566
DESCRIPTION: Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-3513
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97035 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-3567
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97036 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-3568
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions. When configured with "no-ssl3" as a build option, servers could accept and complete an SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97037 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Affected Products and Versions
IBM PureData System for Operational Analytics V1.0 (A1791)
IBM PureData System for Operational Analytics V1.1 (A1801)
Remediation/Fixes
For each affected component in the table, download the recommended fix, and install using the link in the Installation instructions column.
For more information about IBM IDs, see the Help and FAQ.
IBM PureData for Operational Analytics A1801
| Affected Component | Recommended Fix | Download Link | Installation instructions |
| IBM InfoSphere Optim Performance Manager 5.3.1 | Install InfoSphere Optim Performance Manager Interim Fix 8377 | IBM Fix Central: Interim Fix 8377 | Installing an interim fix for InfoSphere Optim Performance Manager |
| IBM System Storage SAN48B (Brocade) | Upgrade to 7.2.1e | Brocade: FOS 7.2.1e | Installing an IBM System Storage SAN switch firmware update in an IBM Smart Analytics System or IBM PureData System for Operational Analytics environment |
| IBM PureData System for Operational Analytics Control Console | Update IBM PureData System for Operational Analytics Control Console to 3.4.0.1 | Updating the IBM Java SDK used by the IBM PureData System for Operational Analytics Console | |
| | Update Java 6 to 6.0.0.485 | IBM developerWorks: Java 6 | Updating the IBM Java SDK used by the IBM PureData System for Operational Analytics Console |
For assistance, contact IBM Support:
- In the United States and Canada dial 1-800-IBM-SERV
- View the support contacts for other countries outside of the United States.
- Electronically open a Service Request with IBM Support.
References
Change History
July 27, 2015: Original Version Published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 17 October 2019
UID: swg21959135