Security Bulletin: Power Systems Firmware affected by vulnerability in OpenSSL (CVE-2016-0797)

2022-08-19 23:53:56
www.ibm.com

CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.079 Low
Percentile: 94.3%

Summary

Power Systems Firmware affected by vulnerability in OpenSSL (CVE-2016-0797)

Vulnerability Details

CVEID: CVE-2016-0797
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the BN_hex2bn/BN_dec2bn() function. An attacker could exploit this vulnerability using specially crafted data to cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111142 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Firmware Versions (840):
840.00: 01SV840_056_056, 01SC840_056_056
840.10: 01SV840_079_056, 01SC840_079_056
840.11: 01SV840_087_056, 01SC840_087_056

Firmware 840 Affected Products:
IBM Power System S822 (8284-22A)
IBM Power System S814 (8286-41A)
IBM Power System S824 (8286-42A)
IBM Power System S812L (8247-21L)
IBM Power System S822L (8247-22L)
IBM Power System S824L (8247-42L)
IBM Power System E850 (8408-E8E)
IBM Power System E870 (9119-MME)
IBM Power System E880 (9119-MHE)

Remediation/Fixes

Customers on Version 840 (SV/SC) should install 840.20: 01SV840_104_056 or higher, 01SC840_104_056 or higher.

The fix can be obtained from FixCentral by specifying the Product as described in the Affected Products and Versions section and the fix level as specified in this Remediation/Fixes section.
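The level check implied by the two sections above can be run over a firmware inventory. This is an added example, not part of the IBM bulletin: the affected and fix levels come from the text, while the field layout assumed for a level string, the status names and the sample inventory are assumptions made for illustration.

```python
import re

# Values taken from the bulletin text.
AFFECTED_LEVELS = {"056", "079", "087"}   # 840.00, 840.10, 840.11
FIX_LEVEL = 104                           # 840.20: 01SV840_104_056 / 01SC840_104_056
RELEASE = "840"

# Assumed layout of a level string: 01<SV|SC><release>_<level>_<last field>
LEVEL_RE = re.compile(r"^01(SV|SC)(\d{3})_(\d{3})_(\d{3})$")


def classify(level_string):
    """Return 'affected', 'below-fix', 'fixed' or 'out-of-scope' for one level string."""
    m = LEVEL_RE.match(level_string.strip().upper())
    if m is None:
        raise ValueError(f"unrecognised firmware level: {level_string!r}")
    _prefix, release, level, _last = m.groups()
    if release != RELEASE:
        return "out-of-scope"          # this bulletin only covers firmware 840
    if int(level) >= FIX_LEVEL:
        return "fixed"
    if level in AFFECTED_LEVELS:
        return "affected"
    # Not one of the listed levels, but still older than the remediation level.
    return "below-fix"


def needs_update(inventory):
    """Map hostname -> status for every system that is not at the fix level."""
    report = {}
    for host, level_string in inventory.items():
        status = classify(level_string)
        if status in ("affected", "below-fix"):
            report[host] = status
    return report


# Constructed sample inventory (hostnames and the 090 / 830 levels are made up).
SAMPLE = {
    "s822-a": "01SV840_079_056",
    "e870-b": "01SC840_087_056",
    "s824-c": "01SV840_104_056",
    "s814-d": "01SV840_090_056",
    "s812-e": "01SV830_101_048",
}

if __name__ == "__main__":
    for host, status in sorted(needs_update(SAMPLE).items()):
        print(f"{host}: {status}, install 840.20 (level {FIX_LEVEL}) or higher")
```

A level that is neither listed as affected nor at the fix level is reported separately as below-fix so that it is reviewed rather than silently treated as safe.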
