OpenSSL is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.
CVEID: CVE-2016-8610**
DESCRIPTION:** The SSL/TLS protocol is vulnerable to a denial of service, caused by an error when processing ALERT packets during a SSL handshake. By sending specially-crafted plain-text ALERT packets, a remote attacker could exploit this vulnerability to consume all available CPU resources. Note: This vulnerability is called “SSL-Death-Alert”.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118296 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-3731**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an out-of-bounds read when using a specific cipher. By sending specially crafted truncated packets, a remote attacker could exploit this vulnerability using CHACHA20/POLY1305 to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121312 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Power HMC V8.8.3.0
Power HMC V8.8.4.0
Power HMC V8.8.5.0
Power HMC V8.8.6.0
The following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>
Product
|
VRMF
|
APAR
|
Remediation/Fix
—|—|—|—
Power HMC
|
V8.8.3.0 SP3
|
MB04070
|
Power HMC
|
V8.8.4.0 SP2
|
MB04071
|
Power HMC
|
V8.8.5.0 SP2
|
MB04074
|
Power HMC
|
V8.8.6.0 SP1
|
MB04041
|
None