Security vulnerabilities have been discovered in OpenSSL which have an impact on the IBM Power Servers incorporated in the IBM DS8870. While another IBM security bulletin addresses this vulnerability in these IBM Power servers generally (https://www-304.ibm.com/support/docview.wss?uid=nas8N1020034), this bulletin addresses this vulnerability in the specific context of these servers’ use in the DS8870. (This bulletin addresses a vulnerability that is separate and distinct from the DS8870 OpenSSL vulnerability security bulletin published at https://www-304.ibm.com/support/docview.wss?uid=ssg1S1004582.)
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to expose 64k of private memory and retrieve secret keys. An attacker can repeatedly expose additional 64k chunks of memory. This vulnerability can be remotely exploited, authentication is not required and the exploit is not complex. It can be exploited on any system (ie. server, client, agent) receiving connections using the vulnerable OpenSSL library.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
IBM’s standard and recommended configuration for the IBM DS8870 does not connect the service processor ports on the IBM Power servers to any network other than a private network to the DS8870 hardware management console (HMC). As a result, the OpenSSL vulnerability in the DS8870’s Power servers should generally be a limited threat if you have not connected the Power Server service processor ports in your DS8870 to other networks and follow the mitigations identified below.
Affected Products and Versions
DS8870 Release 7.2
This vulnerability is fixed in DS8870 Release 7.3. Please contact your IBM representative to order and install DS8870 Release 7.3.
IBM currently plans to make a fix available for this vulnerability in DS8870 Release 7.2 in a service release scheduled for late June. This bulletin will be updated when this is available.
Although IBM suggests you install a fix for this vulnerability, you can consider the mitigations identified below in determining when and how to implement these fixes in your particular environment.
Workarounds and Mitigations
The following steps can help mitigate, but not eliminate the risks of this vulnerability: Ensure that the DS8870 HMC is installed behind a firewall that limits access to the HMC ports.
Ensure that access to the DS8870 HMC is only by trusted personnel.
Ensure that no Flexible Service Processor (FSP) ports on the Power servers in the DS8870 are connected to a reachable network (this is the standard and recommended DS8870 configuration).
Get Notified about Future Security Bulletins
2014-06-09 Original Copy Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
17 June 2018