IBM Support

Security Bulletin: Multiple vulnerabilities impact DS8000 HMC

Security Bulletin


Summary

There are multiple vulnerabilities in the DS8000 HMC which are covered in this bulletin.
These include:
* The Padding Oracle On Downgraded Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566).
* Multiple vulnerabilities in OpenSSL that were disclosed on October 15, 2014 by the OpenSSL Project. OpenSSL is used by DS8000 HMC.
* Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition that is used by DS8000 HMC. These issues were disclosed as part of the IBM Java SDK updates in January 2015.
* Multiple vulnerabilities in Network Time Protocol (NTP) that is used by DS8000 HMC.

Vulnerability Details


Before applying the patches or versions noted in this advisory, please read the additional notes - there are potential impacts to clients which connect to the updated servers since SSLv3 is disabled. You should verify that disabling SSLv3 does not cause compatibility issues.

While this advisory covers mainly CVE-2014-3566, product updates included also address the list of CVEs below:


OpenSSL

CVEID: CVE-2014-3513
DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97035 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3566
DESCRIPTION:
Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-3567
DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97036 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3568
DESCRIPTION:
OpenSSL could allow a remote attacker to bypass security restrictions. When configured with "no-ssl3" as a build option, servers could accept and complete an SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97037 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)




CVEID: CVE-2014-3569
DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99706 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3570
DESCRIPTION:
An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99710 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-3572
DESCRIPTION:
OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 1.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99705 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-8275
DESCRIPTION:
OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.
CVSS Base Score: 1.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99709 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0205
DESCRIPTION:
OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99708 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:N)




IBM® Runtime Environment Java™ Technology Edition

CVEID: CVE-2014-3566
DESCRIPTION:
Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6593
DESCRIPTION:
An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-8892
DESCRIPTION:
A vulnerability in the IBM implementation of the Java Virtual Machine may, under very limited circumstances, allow untrusted code running under a security manager to bypass permission checks and view sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99011 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0410
DESCRIPTION:
An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

NTP


CVEID: CVE-2014-9293
DESCRIPTION:
Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the improper generation of a key by the config_auth function when an auth key is not configured. A remote attacker could exploit this vulnerability using brute force techniques to guess the generated key.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99576 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-9294
DESCRIPTION:
Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the use of a weak RNG seed by ntp-keygen.c. A remote attacker could exploit this vulnerability using brute force techniques to defeat cryptographic protection mechanisms.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99577 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-9297
DESCRIPTION:
Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to conduct spoofing attacks, caused by insufficient entropy in PRNG. An attacker could exploit this vulnerability to spoof the IPv6 address ::1 to bypass ACLs and launch further attacks on the system.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100004 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-9298
DESCRIPTION:
Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to obtain sensitive information, caused by the improper validation of the length value in extension field pointers. An attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100005 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

DS8870 R7.2 and above, DS8800/DS8700 R6.3 SP 9 and above.

Remediation/Fixes

The patch noted below is applicable to the following versions of code:

DS8870 R7.2 Versions 87.2x.xx.x and above
DS8870 R7.3 Versions 87.3x.xx.x and above
DS8870 R7.4 Versions 87.4x.xx.x and above
DS8800 R6.3 Versions 86.31.142.0 and above
DS8700 R6.3 Versions 76.31.121.0 and above

DS8870/DS8800/DS8700 customers on prior versions wishing to remedy these CVEs will need to upgrade to one of the applicable versions listed above, or update to the VRMF indicated in the Full Product Update section below when available. Note that no update bundle is available for R7.2, and customers will need to apply the patch or upgrade to a later level.

The fix is available as a full update as well as a patch, as noted below.

Patch Release



Product     | VRMF | APAR                                | Remediation/First Fix
DS8870 R7.4 | N/A  | CVE_2014-3566-POODLE_PATCH_v1.1.iso | 03/23/2015
DS8870 R7.3 | N/A  | CVE_2014-3566-POODLE_PATCH_v1.1.iso | 03/23/2015
DS8870 R7.2 | N/A  | CVE_2014-3566-POODLE_PATCH_v1.1.iso | 03/23/2015
DS8800 R6.3 | N/A  | CVE_2014-3566-POODLE_PATCH_v1.1.iso | 03/23/2015
DS8700 R6.3 | N/A  | CVE_2014-3566-POODLE_PATCH_v1.1.iso | 03/23/2015


Full Product Update

The VRMF of the applicable service stream will be updated as these become available. The release dates are given below:

Product     | VRMF        | APAR | Remediation/First Fix
DS8870 R7.4 | 87.41.17.0  | N/A  | 05/04/2015
DS8870 R7.3 | 87.31.23.0  | N/A  | 04/10/2015
DS8800 R6.3 | 86.31.167.0 | N/A  | 04/10/2015
DS8700 R6.3 | 76.31.143.0 | N/A  | 04/10/2015


NOTE:

The fix disables the use of SSLv3 on the server and the ESSNI client. Users of ESSNI and other clients which connect to servers should validate before propagating fixes which disable SSLv3. Please consult the release notes in the full product versions.

You should verify that disabling SSLv3 does not cause any compatibility issues.


DS8870 R7.0 and R7.1, DS8800/DS8700 prior to R6.3 SP 9 (86.31.142.0/76.31.121.0), all versions of DS8100/DS8300 and all unpatched servers at the levels noted above only support SSLv3 on several ports, and therefore, ALL clients which connect to these servers must enable SSLv3 to successfully function.

In order to support both servers which use SSLv3 and those which disable SSLv3, the latest version of the ESSNI client (with SSLv3 enabled) MUST be used. Older ESSNI clients which download versions of Java which disable SSLv3 must also enable SSLv3. Please consult the appropriate Java release documentation for instructions.

The list below indicates some of the products which may require an updated ESSNI client and enablement of client-side SSLv3, and where caution and verification are recommended prior to applying the patch or upgrade.
  • IBM Tivoli Storage FlashCopy® Manager (FCM) Version 4.1 or later
  • IBM Tivoli Storage Manager for Advanced Copy Services
  • IBM Tivoli Monitoring (SAN Monitoring)
  • IBM Tivoli Storage Productivity Center
  • IBM System Storage® Support for Microsoft Volume Shadow Copy Service and Virtual Disk Service
  • HP Storage Essentials
  • Symantec CommandCentral
  • SolarWinds (Tek-Tools) Storage Profiler
  • EMC ControlCenter
  • IntelliMagic Vision and IntelliMagic Direction

Please consult the applicable product documentation/release notes for instructions.
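
One way to carry out the verification the note asks for is to record, per server port, whether an SSLv3-only offer is accepted or refused before and after the fix. The sketch below is an added example, not IBM code: it builds a minimal ClientHello and classifies the first record of the reply. The host and port passed to probe() are supplied by the operator (the bulletin does not list port numbers), and the sample replies are constructed.

```python
import os
import socket
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def client_hello(version=0x0300):
    """Build a minimal ClientHello that offers only `version` (0x0300 = SSLv3)."""
    suites = struct.pack(">3H", 0x002F, 0x0035, 0x000A)  # AES128-SHA, AES256-SHA, 3DES-SHA
    body = (struct.pack(">H", version) + os.urandom(32)   # client_version, random
            + b"\x00"                                      # empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake

def classify_reply(data):
    """Classify the first record a server sends back to the probe."""
    if len(data) < 5:
        return "no-reply"                        # closed or reset without answering
    rtype, _, length = struct.unpack(">BHH", data[:5])
    payload = data[5:5 + length]
    if rtype == 0x15 and len(payload) >= 2:      # alert record: offer refused
        return "refused (alert %d)" % payload[1]
    if rtype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        chosen = struct.unpack(">H", payload[4:6])[0]
        return "accepted " + VERSIONS.get(chosen, hex(chosen))
    return "unexpected"

def probe(host, port, version=0x0300, timeout=5.0):
    """Send the probe to host:port (operator-supplied) and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(client_hello(version))
            return classify_reply(s.recv(4096))
    except OSError:                              # timeout, reset, connection refused
        return "no-reply"

# Constructed sample replies (not captured from a real HMC).
SAMPLE_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00"
                       + bytes(32) + b"\x00\x00\x2f\x00")
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"   # fatal handshake_failure (40)

if __name__ == "__main__":
    print(classify_reply(SAMPLE_SERVER_HELLO))
    print(classify_reply(SAMPLE_ALERT))
```

A server at a fixed level should refuse or drop the SSLv3 offer and accept a probe with version=0x0301 or higher; a server that accepts only the SSLv3 offer still needs SSLv3-enabled clients, as described above.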

Workarounds and Mitigations

None

References

Change History

Added additional OpenSSL CVEs
Removed duplicate entry under Java
Updated available release numbers and dates for service stream Full Product Updates
Added detail to the summary.
Removed CVE-2014-8891 which is not applicable.
Added release dates and version for 7.4
Updated note section
Updated ISO version. This version maintains prior patches to simplify installation and verification.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
24 May 2022

UID

ssg1S1005137