IBM Support

Security Bulletin: Vulnerability in OpenSSL( CVE-2016-0800 ) affect IBM WebSphere MQ on OpenVMS Alpha & Itanium when using HP OpenSSL V1.4 kit

Created by Ranjith E Raman on
Published URL:
https://www.ibm.com/support/pages/node/710909
710909

Security Bulletin


Summary

OpenSSL vulnerabilities were disclosed on March 1, 2016 by the OpenSSL Project. OpenSSL is used by HP SSL 1.4 on HP OpenVMS. IBM WebSphere MQ on OpenVMS Alpha & Itanium uses HP SSL and has addressed the applicable CVE ( CVE-2016-0800 ) the “DROWN: Decrypting RSA with Obsolete and Weakened eNcryption" vulnerability.

Vulnerability Details


CVEID: CVE-2016-0800

DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions. By using a server that supports SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle, an attacker could exploit this vulnerability to decrypt TLS sessions between clients and non-vulnerable servers. This vulnerability is also known as the DROWN attack.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111139 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

The vulnerability affects versions 6.0 of IBM WebSphere MQ on OpenVMS Alpha & Itanium.

Remediation/Fixes

Product

VRMFAPARFix
IBM WebSphere MQ on OpenVMS Alpha & Itanium.6.0.2.12 ,
6.0.2.13		IT14528 Download the fix from Fix Central


On HP OpenVMS, IBM recommends upgrading to WMQ version 6.0.2.12 / 6.0.2.13 and applying the fix and also update HP OpenSSL V1.4 kit to latest HP OpenSSL V1.4 kit supplied by HPE ( Supported environment for MQ V6.0 on OpenVMS can be found here ). After applying the fix, server blocks the use of SSLv2 protocol and “SSLv2 client hello” messages for SSL handshake.

IBM recommends that the same certificate should ONLY be shared with identical server configuration and software.
If the same certificate were shared with different server(s) configuration or software, IBM recommends replacing the different server(s) with unique certificates to protect against the DROWN exposure.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

31 March 2016 Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"SSL","Platform":[{"code":"PF021","label":"OpenVMS"}],"Version":"6.0.2","Edition":"All Editions","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
21 June 2018

UID

swg21980308

Page Feedback