Lucene search

IBMD4E2D8FCD61AA410F6ED226AD7BAD0664F91840EA7EA04B3CC72EB0D6BE39D4B

HistorySep 10, 2024 - 3:18 p.m.

Security Bulletin: Vulnerabilities in openssl library (CVE-2023-3446, CVE-2023-3817, CVE-2023-5678) affect Power HMC.

2024-09-1015:18:10

www.ibm.com

openssl

vulnerabilities

power hmc

version v10.2.1030.0

version v10.3.1050.0

cve-2023-3446

cve-2023-3817

cve-2023-5678

denial of service

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

7.1

Confidence

High

JSON

Summary

The openssl library is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2023-3446
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a flaw when using the DH_check(), DH_check_ex() or EVP_PKEY_param_check() functions to check a DH key or DH parameters. By sending a specially crafted request using long DH keys or parameters, a remote attacker could exploit this vulnerability to cause long delays, and results in a denial of service condition.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261026 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-3817
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a flaw when using the DH_check(), DH_check_ex() or EVP_PKEY_param_check() functions to check a DH key or DH parameters. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause long delays, and results in a denial of service condition.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262046 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-5678
**DESCRIPTION:**Openssl is vulnerable to a denial of service, caused by a flaw when using DH_generate_key() function to generate an X9.42 DH key. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270771 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
HMC V10.2.1030.0	V10.2.1030.0
HMC V10.3.1050.0	V10.3.1050.0

Remediation/Fixes

The following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>

Product

VRMF

APAR

Remediation/Fix

—|—|—|—

Power HMC

V10.2.1040.0 SP2 x86

MB04466

MF71701

Power HMC

V10.2.1040.0 SP2 ppc

MB04467

MF71702

Power HMC

V10.3.1060.0 x86

MB04468

MF71703

Power HMC

V10.3.1060.0 ppc

MB04469

MF71704

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmhardware_management_consoleMatchany

VendorProductVersionCPE
ibmhardware_management_consoleanycpe:2.3:a:ibm:hardware_management_console:any:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	hardware_management_console	any	cpe:2.3:a:ibm:hardware_management_console:any:::::::*

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

7.1

Confidence

High

JSON

Related for D4E2D8FCD61AA410F6ED226AD7BAD0664F91840EA7EA04B3CC72EB0D6BE39D4B