Security vulnerabilities have been discovered in OpenSSL.
CVE-ID: CVE-2014-0224
DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak
keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using
a specially crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93586 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE-ID: CVE-2014-0221
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a recursion error in the
DTLS client. By sending an invalid DTLS handshake, a remote attacker could exploit this vulnerability
to cause the application to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93587 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-0195
DESCRIPTION: OpenSSL is vulnerable to a buffer overflow. By sending invalid DTLS packet
fragments, a remote attacker could exploit this vulnerability to overrun the client or server and execute
arbitrary code on a DTLS client or server.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93588 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2014-0198
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference
in the do_ssl3_write() function. If SSL_MODE_RELEASE_BUFFERS is enabled, a remote attacker
could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93000 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2010-5298
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a race condition in the
ssl3_read_bytes function. If SSL_MODE_RELEASE_BUFFERS is enabled, an attacker could exploit
this vulnerability using an SSL connection in a multithreaded environment to inject data into an SSL
stream and cause a denial of service.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92632 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:P)

CVE-ID: CVE-2014-3470
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the implementation of
anonymous ECDH ciphersuites. A remote attacker could exploit this vulnerability to cause a denial of
service.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93589 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
HMC V7 Release 7.6.0
HMC V7 Release 7.7.0
HMC V7 Release 7.8.0
HMC V7 Release 7.9.0
HMC V8 Release 8.1.0
HMC Service Packs and eFixes are available through FixCentral. The FixCentral retrieval process for
Power HMC starts at http://www-933.ibm.com/support/fixcentral/
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
Power HMC | HMC V7R760.3 | MB03815 | MH01438 |
Power HMC | HMC V7R770.2 | MB03811 | MH01433 |
Power HMC | HMC V7R770.3 | MB03816 | MH01439 |
Power HMC | HMC V7R780.1 | MB03812 | MH01434 |
Power HMC | HMC V7R790 | MB03813 | MH01435 |
Power HMC | HMC V8R810 | MB03810 | MH01436 |
None known