IBM Support

Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation

Created by Amit Mane on
Published URL:
https://www.ibm.com/support/pages/node/609313
609313

Security Bulletin


Summary

OpenSSL vulnerabilities were disclosed on Dec 16, 2016 by the OpenSSL Project. OpenSSL is used by IBM Worklight and IBM MobileFirst Platform Foundation. IBM Worklight and IBM MobileFirst Platform Foundation have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2017-3730DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending specially crafted parameters for a DHE or ECDHE key exchange, a remote attacker could exploit this vulnerability to cause the application to crash.CVSS Base Score: 5.3CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121311 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3731DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an out-of-bounds read when using a specific cipher. By sending specially crafted truncated packets, a remote attacker could exploit this vulnerability using CHACHA20/POLY1305 to cause the application to crash.CVSS Base Score: 5.3CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121312 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3732DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a propagation error in the BN_mod_exp() function. An attacker could exploit this vulnerability to obtain information about the private key.CVSS Base Score: 5.3CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-7055DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error in a Broadwell-specific Montgomery multiplication procedure. By sending specially crafted data, a remote attacker could exploit this vulnerability to trigger errors in public-key operations in configurations where multiple remote clients select an affected EC algorithm and cause a denial of service.CVSS Base Score: 5.3CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118748 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM MobileFirst Platform Foundation 8.0.0.0
IBM MobileFirst Platform Foundation 7.1.0.0
IBM MobileFirst Platform Foundation 7.0.0.0
IBM MobileFirst Platform Foundation 6.3.0.0
IBM Worklight Enterprise Edition 6.2.0.1
IBM Worklight Enterprise Edition 6.1.0.2

Remediation/Fixes

Product

VRMFAPARRemediation/First Fix
IBM Worklight6.xPI86907Download the latest iFix for IBM Worklight Enterprise Edition on FixCentral
Download the latest iFix for IBM Worklight Consumer Edition on FixCentral
IBM Mobile Foundation6.xDownload the latest iFix for IBM Mobile Foundation Enterprise Edition on FixCentral
Download the latest iFix for IBM Mobile Foundation Consumer Edition on FixCentral
IBM MobileFirst Platform Foundation6.x and 7.xDownload the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
IBM MobileFirst Platform Foundation8.0PI86907Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral

Note: CVE-2017-3730 does not affect OpenSSL version 1.0.2. Please refer link below for further details –
https://www.openssl.org/news/secadv/20170126.txt

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

None

Change History

22/09/2017 - Publish

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSVNUQ","label":"IBM MobileFirst Platform Foundation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"","label":"Apple iOS"},{"code":"","label":"Google Android"}],"Version":"6.3;7.0;7.1;6.1;6.2;8.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
17 June 2018

UID

swg2C1000345