Security Bulletin
Summary
The updates indicated below have been released to address the following vulnerabilities:
- CVE-2016-2107 MITM attack in OpenSSL
- CVE-2016-5547 Denial of service in IBM Runtime Environment Java™
- CVE-2017-1123 Escalation of privilege in the DS8000 HMC
Vulnerability Details
CVEID: CVE-2016-2107
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error when the connection uses an AES CBC cipher and the server supports AES-NI. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt traffic.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112854 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2016-5547
DESCRIPTION: An unspecified vulnerability related to the Libraries component could allow a remote attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120871 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-1123
DESCRIPTION: A vulnerability in the IBM DS8000 Hardware Management Console (HMC) could allow a user logged into the HMC Service Interface to gain elevated privilege.
CVSS Base Score: 9.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121249 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
- DS8800 R8.2 up to 88.22.33.00
- DS8800 R8.1 up to 88.11.45.00
- DS8800 R8.0 all versions 88.0x.xx.xx
- DS8870 R7.x all versions 87.xx.xx.xx
- DS8800 R6.x all versions 86.xx.xx.xx
Remediation/Fixes
Patches contained in CVE_1Q2018_v1.0
All the above vulnerabilities are remediated by requesting the application of CVE_1Q2018_v1.0 through the normal hardware support channels. Please read the notes below carefully before applying this set of patches.
This patch release is cumulative and supersedes all prior security patches.
The remediation fixes are supported in the levels noted below. Note that R8.3 is not impacted. Customers who have levels below the supported levels should update to at least the current recommended level before applying the patches.
For the current recommended code levels, please consult:
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004456
Levels supported for the application of CVE_1Q2018_v1.0
| Model | Level | VRM supported | Notes |
| --- | --- | --- | --- |
| DS888x | R8.2 | 88.20.0.0-88.23.27.0 | Levels above 88.23.27.0 are not impacted. |
| DS888x | R8.1 | 88.11.45.0 only | Other levels must update to a supported level |
| DS8870 | R7.5 | 87.51.63.0 and above | |
| DS8800 | R6.3 | 86.31.195.0 and above | |
IMPORTANT NOTES - PLEASE READ
- After applying CVE_1Q2018_v1.0, any subsequent code update MUST be to at least the recommended code level. Updating to lower levels is not supported.
- Application of CVE_1Q2018_v1.0 will disable prior patches which re-enabled SSLv3. Enablement of SSLv3 is no longer supported, and all instances of TPC, DSCLI and other utilities MUST be updated to levels which support TLS 1.2 before applying the corrective patch.
- See the table below for supported DSCLI levels. Before installing these levels, please ensure that the client Java has been updated to the current supported level, and at least to Java 7.
- A side effect of this patch is to strengthen cipher configurations and to remove the use of triple DES (3DES) as a cipher.
- IBM strongly recommends disabling the use of the legacy DSCLI (port 1750) either by following the instructions at http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005735 or by enabling NIST-800-131a mode following the instructions given in http://www.redbooks.ibm.com/redpapers/pdfs/redp5069.pdf.
- This patch release also contains updates to configurations related to general hardening of the system for supported ciphers, firewall rules, NTP restrictions, SSH, and call home CA certificates.
DSCLI Client Levels
| DS8000 Level | DSCLI level minimum/preferred |
| --- | --- |
| R8.x | 7.8.23.87 / 7.8.31.126 |
| R6.3 and R7.5 | 7.8.23.87 / 7.8.24.11 |
https://www.ibm.com/support/fixcentral/options
CVE-2017-1123
Since this vulnerability has a very high CVSS score, a separate patch is being made available, which is installable on any level of impacted microcode at or above the minimum supported level.
Customers who elect to patch ONLY this vulnerability should request that CVE_2017-1123_V1.0 be applied to their system(s). IBM does, however, recommend that the complete set of patches be applied.
The following levels of code (and higher levels) are NOT exposed to CVE-2017-1123. All levels of code below these levels (e.g. DS8880 R8.0 88.0x.xx.xx) are exposed.
| Model | Level | VRM | Notes |
| --- | --- | --- | --- |
| DS888x | R8.3 | Not affected | |
| DS888x | R8.2 | 88.22.33.0 | R8.0 and R8.1 are affected |
| DS888x | R8.1 | 88.11.45.0 | |
| DS8870 | R7.5 | 87.51.77.0 | |
| DS8800 | R6.3 | 86.31.215.0 | |
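Checking a fleet of DS8000 systems against the table above is easier to get right in code than by eye, because "below these levels" is a numeric comparison on a four-part VRM and only within the same release. The following Python is an added example, not IBM tooling. It assumes a level's release can be read from the VRM (88.22.x.x is R8.2, 88.11.x.x is R8.1, 87.51.x.x is R7.5, 86.31.x.x is R6.3), which the bulletin's version list implies but does not state as a rule; releases the table lists no fixed level for (R8.0, other R7.x, other R6.x) are treated as exposed at every level, as the bulletin says, and R8.3 and later as not affected.

```python
"""Map DS8000 microcode levels (VRMs) to their CVE-2017-1123 exposure using the
'not exposed' table from this bulletin.  Added example, not IBM tooling."""
import re

# First level in each release that is NOT exposed, from the bulletin's table.
# Release keys (major, minor) are read from the VRM: 88.22.x.x -> R8.2, 88.11.x.x -> R8.1,
# 87.51.x.x -> R7.5, 86.31.x.x -> R6.3.  ASSUMPTION: implied by the bulletin's version
# list, not stated as a rule.
FIXED_LEVELS = {
    (8, 2): (88, 22, 33, 0),
    (8, 1): (88, 11, 45, 0),
    (7, 5): (87, 51, 77, 0),
    (6, 3): (86, 31, 215, 0),
}
# The bulletin states R8.3 is not affected; later releases are treated the same (assumption).
FIRST_UNAFFECTED_RELEASE = (8, 3)

_LEVEL_RE = re.compile(r"^(\d{2})\.(\d{1,2})\.(\d{1,3})\.(\d{1,2})$")


def parse_level(level: str) -> tuple:
    """Parse '88.22.33.00' into (88, 22, 33, 0); reject anything that is not a 4-part VRM."""
    m = _LEVEL_RE.match(level.strip())
    if not m:
        raise ValueError("not a DS8000 VRM level: %r" % level)
    return tuple(int(x) for x in m.groups())


def release_of(vrm: tuple) -> tuple:
    """(88, 22, 33, 0) -> (8, 2).  Only the 86/87/88 families this bulletin covers are accepted."""
    family, second = vrm[0], vrm[1]
    if family not in (86, 87, 88):
        raise ValueError("VRM family %d is not covered by this bulletin" % family)
    return (family - 80, second // 10)


def is_exposed(level: str) -> bool:
    """True if the level is below the first fixed level of its release."""
    vrm = parse_level(level)
    rel = release_of(vrm)
    if rel >= FIRST_UNAFFECTED_RELEASE:
        return False
    fixed = FIXED_LEVELS.get(rel)
    if fixed is None:
        # R8.0, R7.x other than R7.5, R6.x other than R6.3: no fixed level is listed,
        # so every level in the release is exposed.
        return True
    return vrm < fixed


def exposure_report(levels) -> dict:
    """{level: 'exposed' | 'not exposed' | 'unknown format'} for a batch of inventory levels."""
    report = {}
    for lvl in levels:
        try:
            report[lvl] = "exposed" if is_exposed(lvl) else "not exposed"
        except ValueError:
            report[lvl] = "unknown format"
    return report


if __name__ == "__main__":
    # Constructed inventory of levels, not real systems.
    inventory = ["88.22.30.0", "88.22.33.00", "88.11.44.0", "88.05.10.0",
                 "87.51.77.0", "86.31.200.0", "88.30.1.0", "8.3"]
    for lvl, status in exposure_report(inventory).items():
        print("%-12s %s" % (lvl, status))
```

Levels that do not parse are reported as "unknown format" rather than silently skipped, so an inventory export with a malformed entry still surfaces it for manual review.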
Workarounds and Mitigations
NA
References
Change History
Use Java naming to match download page
Update naming convention
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 24 May 2022
UID: ssg1S1009613