Publicly disclosed vulnerabilities in Apache HttpComponents affect IBM Spectrum LSF: CVE-2012-6153, CVE-2014-3577
Brief Description: Apache HttpComponents CN spoofing
CVE-ID: CVE-2012-6153
Description: Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by an incomplete fix for the earlier hostname-verification flaw (CVE-2012-5783): the client still fails to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of the certificate. By persuading a victim to connect to a server presenting a specially crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95328 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Brief Description: Apache HttpComponents certificate spoofing
CVE-ID: CVE-2014-3577
Description: Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of the certificate. By persuading a victim to connect to a server presenting a specially crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95327 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE: CVE-2012-6153, CVE-2014-3577
Reported CVSS: 4.3
IBM CVSS: 4.3
CVSS Detail: See full text
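Both CVE records describe the same root cause: the HttpClient hostname verifier of that era extracted the CN from the subject distinguished name by string search rather than by parsing the DN, so an attacker holding a certificate for their own name could smuggle a second "CN=" for the target into another attribute value (the public descriptions use a value of the form foo,CN=www.apache.org in the O field). The Python below is an added illustration of that failure mode and its fix; it is not code from Apache HttpComponents or IBM Spectrum LSF. It contrasts a naive "split on commas and grep for CN=" extractor with a structural DN parser that honours RFC 2253 backslash escapes and RFC 1779 quoting, and applies the RFC 6125 precedence rule that a subjectAltName dNSName, when present, is matched instead of the CN. The Cert class, the DN strings and the hostnames are constructed for the demonstration.

```python
"""Hostname verification against a certificate's subjectAltName / CN.

Added example (not Apache HttpComponents or IBM Spectrum LSF code) showing
why extracting the CN by string search is unsafe and what a structural
parse plus SAN-first matching looks like. All certificates are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Cert:
    """Stand-in for the parts of an X.509 certificate that matter here."""
    subject_dn: str                                      # subject as an RFC 2253/1779 string
    san_dns: List[str] = field(default_factory=list)     # subjectAltName dNSName entries


def naive_cns(subject_dn: str) -> List[str]:
    """Broken extractor: split the DN string on ',' and look for 'CN=' in each piece.

    Escaping and quoting inside attribute values are ignored, so an
    attacker-controlled value can inject an additional 'CN='."""
    cns = []
    for tok in subject_dn.split(","):
        i = tok.find("CN=")
        if i >= 0:
            cns.append(tok[i + 3:].strip())
    return cns


def parse_dn(subject_dn: str) -> List[Tuple[str, str]]:
    """Structural parse: honours backslash escapes and double-quoted values,
    splits only on unescaped ',' or '+', returns (TYPE, value) pairs in order."""
    pieces, buf, in_quotes, i = [], [], False, 0
    while i < len(subject_dn):
        c = subject_dn[i]
        if c == "\\" and i + 1 < len(subject_dn):       # escaped character: take literally
            buf.append(subject_dn[i + 1])
            i += 2
            continue
        if c == '"':                                     # RFC 1779 quoting
            in_quotes = not in_quotes
        elif c in ",+" and not in_quotes:                # RDN / AVA separator
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value in DN")
    pieces.append("".join(buf))
    avas = []
    for p in pieces:
        if "=" not in p:
            raise ValueError("malformed AVA: %r" % p)
        t, v = p.split("=", 1)
        avas.append((t.strip().upper(), v.strip()))
    return avas


def structured_cns(subject_dn: str) -> List[str]:
    """CN values taken only from AVAs whose attribute type really is CN."""
    return [v for t, v in parse_dn(subject_dn) if t == "CN"]


def match_dns_pattern(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard may only be the
    whole leftmost label and must be followed by at least two fixed labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def verify_hostname(host: str, cert: Cert,
                    cn_extractor: Callable[[str], List[str]] = structured_cns) -> bool:
    """True if host matches a SAN dNSName; the CN is consulted only when the
    certificate carries no SAN dNSName at all (RFC 6125 / RFC 2818 precedence)."""
    if cert.san_dns:
        return any(match_dns_pattern(p, host) for p in cert.san_dns)
    return any(match_dns_pattern(cn, host) for cn in cn_extractor(cert.subject_dn))


# Constructed data, not real certificates: an attacker's cert for evil.example whose
# O value smuggles "CN=www.apache.org", in RFC 2253 escaped and RFC 1779 quoted form.
SPOOF_DN_2253 = "CN=evil.example,O=foo\\,CN=www.apache.org,C=US"
SPOOF_DN_1779 = 'CN=evil.example, O="foo,CN=www.apache.org,bar", C=US'
LEGIT_CERT = Cert(subject_dn="CN=www.apache.org,O=Apache Software Foundation",
                  san_dns=["www.apache.org", "*.apache.org"])

if __name__ == "__main__":
    for dn in (SPOOF_DN_2253, SPOOF_DN_1779):
        spoof = Cert(subject_dn=dn)
        print("naive      accepts spoof for www.apache.org:",
              verify_hostname("www.apache.org", spoof, naive_cns))
        print("structured accepts spoof for www.apache.org:",
              verify_hostname("www.apache.org", spoof))
    print("legit wildcard SAN matches foo.apache.org:",
          verify_hostname("foo.apache.org", LEGIT_CERT))
```

Running the block prints True for the naive extractor and False for the structural one on both spoofed DNs, which is the whole difference between the vulnerable and fixed behaviour. The SAN-first rule matters as a separate check: a certificate that carries any dNSName must not fall back to a matching CN, otherwise a name the CA never validated in the SAN can still be accepted.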
Affected Products and Versions:
IBM Spectrum LSF 10.1.0.4
IBM Spectrum LSF 10.1.0.5
IBM Spectrum LSF 10.1.0.6
IBM Spectrum LSF 10.1.0.7
Product | VRMF | APAR | Remediation / First Fix
---|---|---|---
LSF | 10.1.0.4 | None | See fix below
LSF | 10.1.0.5 | None | See fix below
LSF | 10.1.0.6 | None | See fix below
LSF | 10.1.0.7 | None | See fix below
Download Fix 512358 from the following location:
http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+LSF&release=All&platform=All&function=fixId&fixids=lsf-10.1-build512358&includeSupersedes=0
Go to the patch install directory: cd $LSF_ENVDIR/…/10.1/install/
Copy the downloaded patch file into that install directory ($LSF_ENVDIR/…/10.1/install/)
Run patchinstall on the patch file: ./patchinstall <patch>
Restart mbatchd so the patched binaries are loaded: run "badmin mbdrestart"