Security vulnerabilities have been discovered in OpenSSL used with IBM Security Network Protection.
CVEID: CVE-2014-3569
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99706 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVEID: CVE-2014-3570
**DESCRIPTION:** An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99710 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N
CVEID: CVE-2014-3571
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99703 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVEID: CVE-2014-3572
**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 1.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99705 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N
CVEID: CVE-2014-8275
**DESCRIPTION:** OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate to bypass security restrictions and perform unauthorized actions.
CVSS Base Score: 1.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99709 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N
CVEID: CVE-2015-0204
**DESCRIPTION:** OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 1.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99707 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N
CVEID: CVE-2015-0205
**DESCRIPTION:** OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99708 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N
CVEID: CVE-2015-0206
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99704 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Products: IBM Security Network Protection (XGS) models 3100, 4100, 5100, 7100
Firmware versions: 5.2, 5.3
IBM has provided fixes for all supported versions. Follow the installation instructions in the README files included with the fix.
None