CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
95.7%
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Wed Aug 1 09:25:58 CDT 2012
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc
or
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc
VULNERABILITY SUMMARY
VULNERABILITY: Multiple OpenSSL vulnerabilities
PLATFORMS: AIX 5.3, 6.1, 7.1, and earlier releases
VIOS 2.X
SOLUTION: Apply the fix as described below.
THREAT: See below
CVE Numbers: CVE-2012-0884
CVE-2012-1165
CVE-2012-2110
CVE-2012-2131
CVE-2012-2333
DETAILED INFORMATION
I. DESCRIPTION ( From cve.mitre.org)
CVE-2012-0884
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7
in OpenSSL does not properly restrict certain oracle behavior, which
makes it easier for context-dependent attackers to decrypt data via
a Million Message Attack (MMA) adaptive chosen ciphertext attack.
CVE-2012-1165
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL allows
remote attackers to cause a denial of service (NULL pointer dereference
and application crash) via a crafted S/MIME message, a different
vulnerability than CVE-2006-7250.
CVE-2012-2110
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL does
not properly interpret integer data, which allows remote attackers to
conduct buffer overflow attacks, and cause a denial of service
(memory corruption) or possibly have unspecified other impact, via
crafted DER data, as demonstrated by an X.509 certificate or an RSA
public key.
CVE-2012-2131
Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL
allow remote attackers to conduct buffer overflow attacks, and cause a
denial of service (memory corruption) or possibly have unspecified other
impact, via crafted DER data, as demonstrated by an X.509 certificate or
an RSA public key. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2012-2110.
CVE-2012-2333
Integer underflow in OpenSSL when TLS 1.1, TLS 1.2, or DTLS is used
with CBC encryption, allows remote attackers to cause a denial of
service (buffer over-read) or possibly have unspecified other impact
via a crafted TLS packet that is not properly handled during a certain
explicit IV calculation.
Please see the following for more information:
https://vulners.com/cve/CVE-2012-0884
https://vulners.com/cve/CVE-2012-1165
https://vulners.com/cve/CVE-2012-2110
https://vulners.com/cve/CVE-2012-2131
https://vulners.com/cve/CVE-2012-2333
II. PLATFORM VULNERABILITY ASSESSMENT
To determine if your system is vulnerable, execute the following
command:
lslpp -L openssl.base
On VIO Server:
oem_setup_env
lslpp -L openssl.base
The following fileset levels are vulnerable:
AIX 7.1, 6.1, 5.3: all versions less than or equal 0.9.8.1801
AIX 7.1, 6.1, 5.3: FIPS capable versions less than or equal 12.9.8.1801
VIOS 2.X: all versions less than or equal 0.9.8.1801
IMPORTANT: If AIX OpenSSH is in use, it must be updated to version
OpenSSH 5.0 or later, depending on the OpenSSL version according to
following compatibility matrix:
AIX OpenSSL OpenSSH
------------------------------------------------------------------
5.3,6.1,7.1 OpenSSL 0.9.8.18xx OpenSSH 5.8.0.61xx
5.3,6.1,7.1 OpenSSL-fips 12.9.8.18xx OpenSSH 5.8.0.61xx
VIOS OpenSSL OpenSSH
------------------------------------------------------------------
2.X OpenSSL 0.9.8.18xx OpenSSH 5.8.0.61xx
AIX OpenSSH can be downloaded from:
OpenSSH 5.0:
http://sourceforge.net/projects/openssh-aix
OpenSSH 5.8.0.61xx
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp
III. FIXES
A fix is available, and it can be downloaded from:
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp
To extract the fixes from the tar file:
zcat openssl-0.9.8.1802.tar.Z | tar xvf -
or
zcat openssl-fips-12.9.8.1802.tar.Z | tar xvf -
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
To preview the fix installation:
installp -apYd . openssl
To install the fix package:
installp -aXYd . openssl
IV. WORKAROUNDS
There are no workarounds.
V. CONTACT INFORMATION
If you would like to receive AIX Security Advisories via email,
please visit:
http://www.ibm.com/systems/support
and click on the "My notifications" link.
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
Comments regarding the content of this announcement can be
directed to:
[email protected]
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:
A. Send an email with "get key" in the subject line to:
[email protected]
B. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt
C. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)
iD8DBQFQGUgw4fmd+Ci/qhIRAntWAJ91cc2j3KRo7dyf2pJvO5PQQWnFhgCglCr7
BZQ4mgB+gDWQiy3UZujbZH4=
=3+Iy
-----END PGP SIGNATURE-----