There are multiple vulnerabilities in the OpenSSL library used by IBM Sterling Connect:Direct for Microsoft Windows. These issues were disclosed on August 6, 2014 by the OpenSSL Project.
CVE-ID: CVE-2014-3508
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in OBJ_obj2txt. If applications echo pretty printing output, an attacker could exploit this vulnerability to read information from the stack.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95165> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-3511
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol versions by the OpenSSL SSL/TLS server code when handling a badly fragmented ClientHello message. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to TLS 1.0.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95162> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
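The two entries above each give a CVSS v2 vector and a base score of 4.3. The following is an added example, not part of the IBM bulletin, that recomputes the CVSS v2 base score from the vector string using the published CVSS v2 weights, so the stated scores can be checked against the vectors:

```python
# Added example (not from the IBM bulletin): recompute CVSS v2 base scores
# from the vectors quoted in the advisory and flag any that disagree.
import re

# Metric weights from the CVSS v2 base equation.
_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
_KEYS = ("AV", "AC", "Au", "C", "I", "A")
_VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$")


def parse_cvss2_vector(vector: str) -> dict:
    """Map a vector such as '(AV:N/AC:M/Au:N/C:P/I:N/A:N)' to metric weights."""
    m = _VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return {k: _WEIGHTS[k][v] for k, v in zip(_KEYS, m.groups())}


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the specification does."""
    w = parse_cvss2_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176  # f(Impact) term of the equation
    score = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return round(score + 1e-9, 1)  # tiny nudge avoids round-half-even surprises


def check_bulletin(entries):
    """Return the CVE ids whose stated score differs from the recomputed one."""
    return [cve for cve, vector, stated in entries
            if cvss2_base_score(vector) != stated]


# The two (CVE, vector, stated score) entries from the bulletin above.
BULLETIN = [
    ("CVE-2014-3508", "(AV:N/AC:M/Au:N/C:P/I:N/A:N)", 4.3),
    ("CVE-2014-3511", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
]

if __name__ == "__main__":
    for cve, vector, stated in BULLETIN:
        print(cve, vector, "computed:", cvss2_base_score(vector), "stated:", stated)
    print("mismatches:", check_bulletin(BULLETIN))
```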
IBM Sterling Connect:Direct for Microsoft Windows 4.5.00, 4.5.01 and 4.6.0
Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
IBM Sterling Connect:Direct for Microsoft Windows | 4.5.00 | IT04643 | Apply 4.5.00 patch 054, available on IWM
IBM Sterling Connect:Direct for Microsoft Windows | 4.5.01 | IT04643 | Apply 4.5.01 patch 020, available on IWM
IBM Sterling Connect:Direct for Microsoft Windows | 4.6.0 | IT04643 | Apply 4.6.0.5, available on Fix Central
None known