IBM Support

Security Bulletin: Vulnerabilities in GSKit affect IBM SPSS Modeler (CVE-2018-1447)

Created by Xiang Feng Liang on
Published URL:
https://www.ibm.com/support/pages/node/568077
568077

Security Bulletin


Summary

Vulnerabilities were discovered in GSKit. IBM SPSS Modeler uses GSKit and addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2018-1447
DESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM SPSS Modeler 16 FP2 IF021 and earlier

IBM SPSS Modeler 17 FP1 IF034 and earlier

IBM SPSS Modeler 17.1 IF031 and earlier

IBM SPSS Modeler 18.0 FP1 IF039 and earlier

IBM SPSS Modeler 18.1 IF012 and earlier

IBM SPSS Modeler 18.1.1 IF005 and earlier

Remediation/Fixes

Product

VRMFAPARRemediation/First Fix
IBM SPSS Modeler16.0.0.2PI93549SPSS Modeler 16.0 Fix Pack 2 Interim Fix 021
IBM SPSS Modeler17.0.0.1 PI93549SPSS Modeler 17.0 Fix Pack 1 Interim Fix 034
IBM SPSS Modeler17.1.0.0 PI93549SPSS Modeler 17.1 Interim Fix 031
IBM SPSS Modeler18.0.0.1 PI93549SPSS Modeler 18.0 Fix Pack1 Interim Fix 039
IBM SPSS Modeler18.1.0.0 PI93549SPSS Modeler 18.1 Interim Fix 012
IBM SPSS Modeler18.1.1.0 PI93549SPSS Modeler 18.1 Interim Fix 005

Workarounds and Mitigations

None


Important note: IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

15 March 2018: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SS3RA7","label":"IBM SPSS Modeler"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"17.0;16.0;17.1;18.0;18.1;18.1.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
16 June 2018

UID

swg22014575

Page Feedback