OpenSSL vulnerabilities were disclosed on March 19, 2015 by the OpenSSL Project. OpenSSL is used by IBM PureApplication System. IBM PureApplication System has addressed the applicable CVEs.
CVEID: CVE-2015-0209 DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error in the d2i_ECPrivateKey or EVP_PKCS82PKEY function. An attacker could exploit this vulnerability using a malformed Elliptic Curve (EC) private-key file to corrupt memory and execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101674> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVEID: CVE-2015-0286 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error in the ASN1_TYPE_cmp function when attempting to compare ASN.1 boolean types. An attacker could exploit this vulnerability to crash any certificate verification operation and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101666> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-0287 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error related to the reuse of a structure in ASN.1 parsing. An attacker could exploit this vulnerability using an invalid write to corrupt memory and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101668> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-0288 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error in the X509_to_X509_REQ function. An attacker could exploit this vulnerability to trigger a NULL pointer dereference.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101675> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-0289 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle missing outer ContentInfo by the PKCS#7 parsing code. An attacker could exploit this vulnerability using a malformed ASN.1-encoded PKCS#7 blob to trigger a NULL pointer dereference.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101669> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-0292 DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an error when processing base64-encoded data. An attacker could exploit this vulnerability using specially-crafted base64 data to corrupt memory and execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101670> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2015-0293 DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending a specially-crafted SSLv2 CLIENT-MASTER-KEY message, a remote attacker could exploit this vulnerability to trigger an assertion.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101671> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
IBM PureApplication System V1.0
IBM PureApplication System V1.1
IBM PureApplication System V2.0
IBM PureApplication System V2.1
The solution is to upgrade the IBM PureApplication System to the following fix level:
IBM PureApplication System V2.1
Upgrade to IBM PureApplication System V2.1.0.1
IBM PureApplication System V2.0
Upgrade to IBM PureApplication System V2.0.0.1 Interim Fix 4
IBM PureApplication System V1.1 and earlier:
Contact IBM customer support for upgrade options.
None