Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.2417
Security Bulletin: WebSphere MQ for HP NonStop Server is
affected by OpenSSL vulnerability CVE-2021-4160
17 May 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: WebSphere MQ for HP NonStop Server
Publisher: IBM
Operating System: HPE NonStop
Resolution: Patch/Upgrade
CVE Names: CVE-2021-4160 CVE-2016-0701
Original Bulletin:
https://www.ibm.com/support/pages/node/6585726
Comment: CVSS (Max): 6.7 CVE-2021-4160 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVSS Source: IBM
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability
CVE-2021-4160
Document Information
Document number : 6585726
Modified date : 12 May 2022
Product : WebSphere MQ
Component : Server
Software version : 5.3.1
Operating system(s): HPE NonStop
Edition : 5.3.1.0,5.3.1.1,5.3.1.2,5.3.1.3,5.3.1.4,5.3.1.5,5.3.1.6,5.3.1.7,5.3.1.8,5.3.1.9,5.3.1.10,5.3.1.11,5.3.1.12,5.3.1.13,5.3.1.14,5.3.1.15
Summary
WebSphere MQ for HP NonStop Server may be using weaker than expected security
due to an algorithmic problem within OpenSSL.
Vulnerability Details
CVEID: CVE-2021-4160
DESCRIPTION: OpenSSL could provide weaker than expected security, caused by a
carry propagation flaw in the MIPS32 and MIPS64 squaring procedure. An attacker
could exploit this vulnerability to launch further attacks on the system
CVSS Base score: 6.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
218394 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Affected Products and Versions
+----------------------------------------------------------+----------+
|Affected Product(s) |Version(s)|
+----------------------------------------------------------+----------+
|WebSphere MQ V5.3 for HP NonStop Server (MIPS and Itanium)|53.1.x |
+----------------------------------------------------------+----------+
Remediation/Fixes
+---------------------------------------------------------------+---------+--------+-----------------------+
|WebSphere MQ V5.3.1 for HPE NonStop (Itanium) Fixpack 17 |5.3.1.17 |IT40195 |Install patch IT40195 |
+---------------------------------------------------------------+---------+--------+-----------------------+
Workarounds and Mitigations
None
Change History
11 May 2022: Initial Publication
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBYoMvQskNZI30y1K9AQgclA/+NoyEZeKOE4+z1YPb4JHPJL/U5mxABalf
vJhSRaN+Rp5BWc/llP3EOmIFHi6q9BLX1fv0JJg3HmbvuJaom0WtQD1Fn1k6wMuH
jWgwA9SM7bGn3iyl08bXjt2dp1kxzl2In/kWMZChlwZQzVVE333+cg0nWZq/AnEP
bcMLAjpQBF0wV+t+ZyrY9NdBS+B0n+iAC5wGMLAsSd8G49X9QrMAnh5mJey0eZX9
Dr7mvKK3GKdF7hpIb+5HJIjBsHYrQ2CKsz1ubs3zV8M6h3TMli9Q6OwRdu+TmgR4
aexgUx6/T+hOW+n/tagzb9y3hSrBrgN7IoFrjOov30Y8fgJR7IYSNhXJDDw8DcLc
ICFCx2dqsgEvIM/KOl9OAVCQ9zWVfXvEuqwvf6MJ6jZfhEVDeBpLQYsbhIDPTAEm
rfvEiNMYC2BOZJaxQeyLEJ7eQ/XJ1ouE8pzhk9bpBYpP2E2CuGOM8tcXtWAQkc4c
QZy2G+tYSez+X1T/7zhSQCnLZSZUVMMmWfub15wyLJPNCF2PDx1E7Oxi8SnhnaZI
TBygBFl/ev1EbMfqWqMJWKyFQT3e/yq/OE8ssZiNqI/1RXl6WqDURq00hUCXF8s3
MKx6CxU2lGrvi53g3/pRXVSpLBwonp3NrpeZ6Kvhg2vpiKZOqDuwseSQm3JTdp5y
jRgu/JgU2Ho=
=p8Qs
-----END PGP SIGNATURE-----