Lucene search

IBM7D2E42A485EF177F2E47A7B9BDEED3D9B599459BDFDF8AF78875B48BE447BBFF

HistoryMar 23, 2023 - 2:47 p.m.

Security Bulletin: Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286)

2023-03-2314:47:43

www.ibm.com

openssl

ibm spectrum protect

netapp services

sensitive information disclosure

denial of service

cve-2022-4304

cve-2023-0215

cve-2023-0286

remediation

affected versions

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.006

Percentile

78.0%

JSON

Summary

IBM Spectrum Protect Backup-Archive Client’s use of NetApp Services can be affected by vulnerabilities in OpenSSL. Vulnerabilities include disclosure of sensitive information and denial of service, as described by the CVEs in the “Vulnerability Details” section.

Vulnerability Details

CVEID:CVE-2022-4304
**DESCRIPTION:**OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246612 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-0215
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a use-after-free error related to the incorrect handling of streaming ASN.1 data by the BIO_new_NDEF function. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246614 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-0286
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a type confusion error related to X.400 address processing inside an X.509 GeneralName. By passing arbitrary pointers to a memcmp call, a remote attacker could exploit this vulnerability to read memory contents or cause a denial of service.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246611 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)

Affected Products and Versions

Product	Versions
IBM Spectrum Protect Client	8.1.0.0 - 8.1.17.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Affected Versions	Fixing level	Platforms
8.1.0.0 - 8.1.17.0	8.1.17.2	AIX
HP-UX
Linux
Macintosh
Solaris
Windows	<https://www.ibm.com/support/pages/node/6832422>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmspectrum_protectMatch8.1.

VendorProductVersionCPE
ibmspectrum_protect8.1.cpe:2.3:a:ibm:spectrum_protect:8.1.:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	spectrum_protect	8.1.	cpe:2.3:a:ibm:spectrum_protect:8.1.:::::::*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.006

Percentile

78.0%

JSON

Related for 7D2E42A485EF177F2E47A7B9BDEED3D9B599459BDFDF8AF78875B48BE447BBFF