CVSS v2 base score: 5.8 (Medium)
Attack Vector: NETWORK | Attack Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: NONE | Integrity Impact: PARTIAL | Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
EPSS: 0.9 (High), percentile 98.8%
Security vulnerabilities discovered in OpenSSL have been fixed in recent releases of several IBM System x and Flex Systems products. You may have already applied the updates containing these fixes.
Vulnerability Details:
CVE-ID: CVE-2013-6449
Description: OpenSSL is vulnerable to a denial of service, caused by an error in the ssl_get_algorithm2 function. A remote attacker could exploit this vulnerability using specially-crafted traffic from a TLS 1.2 client to cause the daemon to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/90068> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2013-4353
Description: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious S/MIME messages. By sending a specially-crafted TLS handshake, a remote attacker could exploit this vulnerability to cause a connecting client to crash.
CVSS Base Score: 5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/90201> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2013-6450
Description: OpenSSL is vulnerable to a denial of service, caused by the failure to properly maintain data structures for digest and encryption contexts by the DTLS retransmission implementation. A remote attacker could exploit this vulnerability to cause the daemon to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/90069> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
* UIM Deployment Pack 5.0.1 and earlier
BladeCenter Advanced Management Module (AMM) Affected Firmware Versions:
Chassis Management Module (CMM) Affected Firmware Versions (CVE-2013-4353 and CVE-2013-6449):
Flex System Integrated Management Module 2 (IMM2) Affected Firmware Versions:
System x IMM2 Affected Firmware Versions:
IBM recommends downloading and applying the following updates from IBM Fix Central. Please visit the IBM ToolsCenter product home page (http://www.ibm.com/support/entry/portal/docdisplay?lndocid=tool-center) and the IBM Upward Integration Modules (UIM) product home page (http://www.ibm.com/support/entry/portal/docdisplay?lndocid=SYST-MANAGE) for the downloads and details regarding those products.
| Product | Firmware version |
|---|---|
| BladeCenter Advanced Management Module (AMM) – IBM BladeCenter T Chassis | Update to v3.66D (BBET66D) |
| BladeCenter Advanced Management Module (AMM) – BladeCenter OEM Chassis | Update to v3.66D (BPEO66D) |
| BladeCenter Advanced Management Module (AMM) – All other IBM BladeCenter Chassis | Update to v3.66D (BPET66D) |
| Flex System Chassis Management Module (CMM) | Update to CMM version 1.50.1 (2PET12I). If you are currently using CMM v1.50.0 (2PET12D), then you may instead update to CMM v1.50.0 (12PET12E), which has no code changes from 2PET12E except for these fixes. |
| Flex System Integrated Management Module 2 (IMM2) (Flex System x220, x222, x240, or x440 Compute Node) | Update to IMM2 v3.79 (1A0056G). If you are currently using IMM2 v2.60 (1AOO42Y), then you may instead update to IMM2 v2.61 (1AOO44V), which has no code changes from v2.60 except for these fixes. |
| iDataPlex dx360 M4 | Update IMM2 to v3.73 (1AOO56D) |
| NeXtScale nx360 M4 | Update IMM2 to v3.83 (1AOO56I) |
| System x3100 M4 | Update IMM2 to v3.73 (1AOO56D) |
| System x3250 M4 | Update IMM2 to v3.73 (1AOO56D) |
| System x3250 M5 | Update IMM2 to v3.83 (1AOO56I) |
| System x3300 M4 | Update IMM2 to v3.84 (1AOO56J) |
| System x3500 M4 | Update IMM2 to v3.73 (1AOO56D) |
| System x3530 M4 | Update IMM2 to v3.77 (1AOO56H) |
| System x3550 M4 | Update IMM2 to v3.73 (1AOO56D) |
| System x3630 M4 | Update IMM2 to v3.77 (1AOO56H) |
| System x3650 M4 | Update IMM2 to v3.73 (1AOO56D) |
| System x3650 M4 BD | Update IMM2 to v3.75 (1AOO56F) |
| System x3650 M4 HD | Update IMM2 to v3.86 (1AOO56L) |
| System x3750 M4 | Update IMM2 to v3.73 (1AOO56D) |
| System x3850 X6 | Update IMM2 to v3.82 (1AOO56E) |
| System x3950 X6 | Update IMM2 to v3.82 (1AOO56E) |
| IBM ToolsCenter Suite; IBM Advanced Settings Utility (ASU); IBM Dynamic System Analysis (DSA); IBM UpdateXpress System Pack Installer (UXSPI) | Update to version 9.52 |
| IBM Upward Integration Modules (UIM) for VMware vSphere | Update to version 3.0.2 |
IBM Upward Integration Modules (UIM) for Microsoft System Center, including the following components:
None known
Related Information:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
6 June 2014: Original Copy Published
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.