IBM Support

Heartbleed bug in OpenSSL cryptographic SW library - IBM System x

Troubleshooting


Problem

[This abstract has been truncated due to length constraints] OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to expose 64k ofprivate memory and retrieve secret keys. An attacker can repeatedly expose additional 64k chunks of memory. This vulnerability can be remotely exploited, authentication is not required and the exploit is not complex. It can be exploited on any system (that is: server, client, agent) receiving connections using the vulnerable OpenSSL library. CVSS Base Score: 5.0 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92322 CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N) Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment may be more serious than indicated by the CVSS score. CVE-ID: CVE-2014

Resolving The Problem

Source

RETAIN tip: H212568

Symptom

OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to expose 64k of private memory and retrieve secret keys. An attacker can repeatedly expose additional 64k chunks of memory. This vulnerability can be remotely exploited, authentication is not required and the exploit is not complex. It can be exploited on any system (that is: server, client, agent) receiving connections using the vulnerable OpenSSL library.

CVSS Base Score: 5.0
CVSS Temporal Score: See
http://xforce.iss.net/xforce/xfdb/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Warning: We strongly encourage you to take action as soon as
possible as potential implications to your environment may be

more serious than indicated by the CVSS score.

CVE-ID: CVE-2014-0076

OpenSSL could allow a local attacker to obtain sensitive information, caused by an implementation error in ECDSA (Elliptic Curve Digital Signature Algorithm). An attacker could exploit this vulnerability using the FLUSH+RELOAD cache side-channel attack to recover ECDSA nonces. This vulnerability can only be exploited locally, authentication is not required and the exploit is not complex. An exploit can only partially affects confidentially, but not integrity or availability.

CVSS Base Score: 2.1
CVSS Temporal Score: See
http://xforce.iss.net/xforce/xfdb/91990
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Affected configurations

The system may be any of the following IBM servers:

  • System x3850 X6, type 3837 (4-socket, 3-year warranty), any model
  • System x3850 X6, type 3839 (4-socket, 4-year warranty), any model

This tip is not software specific.

This tip is not option specific.

The following system firmware level(s) are affected: IMM versions prior to 3.82 (Build ID: 1a0056e)

The system has the symptom described above.

Solution

This behavior was corrected in the Integrated Management Module (IMM) release in version 3.82 (Build ID: 1aoo56e). If users have installation issues, contact the appropriate Support Center for the user's geography. In the United States, contact 1-800-IBM-SERV(1-800-426-7378).

The IBM Directory of Worldwide Contacts is available at the following URL:

 

http://www.ibm.com/planetwide/

Additional information

The bug is in the OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited, it leads to the leak of memory contents from the server to the client and from the client to the server.

Encryption is used to protect secrets that may harm user's privacy or security if they leak. In order to coordinate recovery from this bug, IBM has classified the compromised secrets to four (4) categories:

  1. primary key material
  2. secondary key material
  3. protected content
  4. collateral

IBM PSIT team has published an IBM response at PSIRT blog. It includes list of products that are not affected by this issue.

 

https://www.ibm.com/connections/blogs/PSIRT/entry/openssl_heartbleed_cve_2014_0160?lang=en_us
(where PSIRT = Product Security Incident Response Team)

Document Location

Worldwide

Operating System

System x:Operating system independent / None

[{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"QUOEVPK","label":"System x->System x3850 X6->3837"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"QUOFECN","label":"System x->System x3850 X6->3839"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
30 January 2019

UID

ibm1MIGR-5095335

Page Feedback