Security Bulletin: Vulnerability in OpenSSL affects ProtecTIER (CVE-2016-2108)

Summary

OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by ProtecTIER. ProtecTIER has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2016-2108 DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a buffer underflow when deserializing untrusted ASN.1 structures and later reserializes them. An attacker could exploit this vulnerability to corrupt memory and trigger an out-of-bounds write and execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112853 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

These products are affected by this vulnerability:

· ProtecTIER Enterprise Edition (PID 5639-PTA) - TS7650G

· ProtecTIER Appliance Edition (PID 5639-PTB) - TS7650AP1
· ProtecTIER Entry Edition (PID 5639-PTC) - TS7610 / TS7620
· ProtecTIER Gateway for System Z (PID 5639-FPA)

The code versions impacted are 1.2.x, 2.4.x, 2.5.x, 3.1.x, 3.2.x, 3.3.x and 3.4.x

Remediation/Fixes

<Product

| VRMF| APAR| Remediation/First Fix
—|—|—|—
ProtecTIER Enterprise Edition (PID 5639-PTA) - TS7650G| 3.3.x,

3.4.x

|
| https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=Tape%2Bvirtualization&product=ibm/Storage_Tape/TS7650G+with+ProtecTIER&release=3.3&platform=All&function=fixId&fixids=PT_MD5_OPENSSL40_PSIRT_V3.3.3.3.x86_64_TS7650G&includeRequisites=1&includeSupersedes=0&downloadMethod=http
ProtecTIER Enterprise Edition (PID 5639-PTA) - TS7650G| 3.2.x|
| Contact support
ProtecTIER Appliance Edition (PID 5639-PTB) - TS7650AP1| 3.3.x,|
| https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=Tape%2Bvirtualization&product=ibm/Storage_Tape/TS7650G+with+ProtecTIER&release=3.3&platform=All&function=fixId&fixids=PT_MD5_OPENSSL40_PSIRT_V3.3.3.3.x86_64_TS7650G&includeRequisites=1&includeSupersedes=0&downloadMethod=http
ProtecTIER Appliance Edition (PID 5639-PTB) - TS7650AP1| 3.2.x|
| Contact support
ProtecTIER Entry Edition (PID 5639-PTC) | 3.3.x,

3.4.x

|
| https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=Tape%2Bvirtualization&product=ibm/Storage_Tape/TS7650G+with+ProtecTIER&release=3.3&platform=All&function=fixId&fixids=PT_MD5_OPENSSL40_PSIRT_V3.3.3.3.x86_64_TS7650G&includeRequisites=1&includeSupersedes=0&downloadMethod=http
ProtecTIER Entry Edition (PID 5639-PTC) | 3.2.x|
| Contact support

For the releases 1.2.x, 2.4.x, 2.5.x and 3.1.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None