Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project.
DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93586> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVE-ID: CVE-2014-0198
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the do_ssl3_write() function. If SSL_MODE_RELEASE_BUFFERS is enabled, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93000> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2010-5298
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a race condition in the ssl3_read_bytes function. If SSL_MODE_RELEASE_BUFFERS is enabled, an attacker could exploit this vulnerability using an SSL connection in a multithreaded environment to inject data into an SSL stream and cause a denial of service.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92632> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:P)
CVE-ID: CVE-2014-3470
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the implementation of anonymous ECDH ciphersuites. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93589> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
A subset of IBM Tivoli Storage FlashCopy Manager 4.1 components are affected by the OpenSSL vulnerabilities CVE- when used with a DS8000 or SVC or NetApp or IBM N-series storage device. The components are:
UNIX and LINUX
VMware:
These FlashCopy Manager 4.1 and 3.2 components are vulnerable only when they initiate and maintain a communication session with a DS8000 or SVC or NetApp or IBM N series storage device. The vulnerability does not exist during communication sessions with other types of storage devices or when an external program attempts to initiate an OpenSSL session with FlashCopy Manager.
Note: FlashCopy Manager 3.2 is only affected by CVE-2014-0224 and CVE-2014-3470.
The following are NOT affected and do NOT require an update:
Product
| First Fxing VRMF Level| Remediation/First Fix
—|—|—
FlashCopy Manager 4.1 UNIX and Linux| 4.1.1.0| <http://www-01.ibm.com/support/docview.wss?uid=swg24038212>
FlashCopy Manager 4.1 VMware| 4.1.1.0| <http://www-01.ibm.com/support/docview.wss?uid=swg24038212>
FlashCopy Manager 3.2 UNIX and Linux|
| Upgrade to FlashCopy Manager 4.1.1
FlashCopy Manager 3.2 VMware|
| Upgrade to FlashCopy Manager 4.1.1
Apply the already-available device fix to the DS8000 or SVC devices for the first CVE, and upgrade to the fixing FCM 4.1 level if using NetApp or N-Series devices.