Security Bulletin: libgcrypt vulnerability affects IBM MQ Appliance (CVE-2016-6313)

Summary

A vulnerability discovered in the libgcrypt PRNG (Pseudo-Random Number Generator) affects IBM MQ Appliance.

Vulnerability Details

CVEID: CVE-2016-6313**
DESCRIPTION:** GnuPG could provide weaker than expected security, caused by an error in the mixing functions when obtaining 4640 bits from the random number generator. A local attacker could exploit this vulnerability to predict the next 160 bits of output.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116169&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

The following versions are affected:

• IBM MQ Appliance 8.0
  • Maintenance levels between 8.0.0.0 and 8.0.0.5
• IBM MQ Appliance 9.0.x Continuous Delivery Release (CDR)
  • Continuous delivery update 9.0.1 only

Remediation/Fixes

IBM MQ Appliance 8.0

Apply fixpack 8.0.0.6 or later maintenance.

IBM MQ Appliance 9.0.x Continuous Delivery Release (CDR)

Apply continuous delivery update 9.0.2 or later.

Workarounds and Mitigations

None