OpenSSL vulnerabilities were disclosed on March 1, 2016 by the OpenSSL Project. OpenSSL is used by Sterling Connect:Enterprise for UNIX. Sterling Connect:Enterprise for UNIX has addressed the applicable CVE, the “DROWN: Decrypting RSA with Obsolete and Weakened eNcryption" vulnerability.
CVEID: CVE-2016-0800
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions. By using a server that supports SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle, an attacker could exploit this vulnerability to decrypt TLS sessions between clients and non-vulnerable servers. This vulnerability is also known as the DROWN attack.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111139> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Sterling Connect:Enterprise For UNIX (CEU) 2.5.0.0 - 2.5.0.3 iFix 9
Sterling Connect:Enterprise For UNIX (CEU) 2.4.4.0 - 2.4.4.0 iFix 5
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
Sterling Connect:Enterprise For UNIX | 2.5.0.3 | IT14843 | Fix Central |
Sterling Connect:Enterprise For UNIX | 2.4.4.0 | IT14843 | Contact Support for this fix to be placed on ECuRep |
Note: A fix for CVE-2015-3196 was provided in OpenSSL versions 1.0.1p and 1.0.2d and was previously addressed by Sterling Connect:Enterprise for UNIX.
IBM recommends that the same certificate should ONLY be shared with identical server configuration and software.
If the same certificate were shared with different server(s) configuration or software, IBM recommends replacing the different server(s) with unique certificates to protect against the DROWN exposure.
Customers who do the following are not vulnerable:
CPE | Name | Operator | Version |
---|---|---|---|
ibm sterling connect:enterprise for unix | eq | 2.5 | |
ibm sterling connect:enterprise for unix | eq | 2.4 |