Security vulnerabilities have been discovered in OpenSSL, which is used by IBM Security Network Protection.
CVEID: CVE-2016-8610**
DESCRIPTION:** The SSL/TLS protocol is vulnerable to a denial of service, caused by an error when processing ALERT packets during a SSL handshake. By sending specially-crafted plain-text ALERT packets, a remote attacker could exploit this vulnerability to consume all available CPU resources. Note: This vulnerability is called “SSL-Death-Alert”.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118296 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-3731**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an out-of-bounds read when using a specific cipher. By sending specially crafted truncated packets, a remote attacker could exploit this vulnerability using CHACHA20/POLY1305 to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121312 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
IBM Security Network Protection 5.3.1
IBM Security Network Protection 5.3.3
Product
| VRMF| Remediation/First Fix
—|—|—
IBM Security Network Protection| Firmware version 5.3.1| Download Firmware 5.3.1.13 from IBM Security License Key and Download Center and upload and install via the Available Updates page of the Local Management Interface.
IBM Security Network Protection| Firmware version 5.3.3| Download Firmware 5.3.3.3 from IBM Security License Key and Download Center and upload and install via the Available Updates page of the Local Management Interface.
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm security network protection | eq | 5.3.1 | |
ibm security network protection | eq | 5.3.3 |