Date: 12 March 2013
References: ASB-2010.0135 ASB-2012.0021 ASB-2012.0172 ESB-2013.0276 ESB-2013.0300 ESB-2013.0309 ESB-2013.0411 ESB-2013.0487
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0365
Security Bulletin: IBM Sterling Connect:Enterprise for UNIX
is affected by multiple vulnerabilities in OpenSSL
12 March 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           IBM Sterling Connect
Publisher:         IBM
Operating System:  AIX
                   Solaris
                   HP-UX
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2131 CVE-2012-2110 CVE-2012-0884
                   CVE-2012-0050 CVE-2012-0027 CVE-2011-4619
                   CVE-2011-4577 CVE-2011-4576 CVE-2011-4108
                   CVE-2011-3210 CVE-2011-3207 CVE-2011-0027
                   CVE-2011-0014 CVE-2010-4252 CVE-2010-3864
                   CVE-2010-1633 CVE-2010-0742
Reference:         ESB-2013.0309
                   ESB-2013.0300
                   ESB-2013.0276
                   ASB-2012.0172
                   ASB-2012.0021
                   ASB-2010.0135
Original Bulletin:
  http://www-01.ibm.com/support/docview.wss?uid=swg21627934
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: IBM Sterling Connect:Enterprise for UNIX is affected by
multiple vulnerabilities in OpenSSL
Document information
Sterling Connect:Enterprise for UNIX
Software version:    2.4, 2.5
Operating system(s): AIX, HP-UX, Linux, Solaris
Reference #:         1627934
Modified date:       2013-03-08
Flash (Alert)
Abstract
A number of security vulnerabilities have been discovered in the OpenSSL
libraries included in IBM Sterling Connect:Enterprise for UNIX.
Content
VULNERABILITY DETAILS:
CVE IDs:
CVE-2012-2131 CVE-2012-2110 CVE-2012-0884 CVE-2012-0050 CVE-2011-4108
CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 CVE-2012-0027 CVE-2011-3207
CVE-2011-3210 CVE-2011-0014 CVE-2010-4252 CVE-2010-3864 CVE-2010-0742
CVE-2010-1633
DESCRIPTION:
IBM Sterling Connect:Enterprise for UNIX uses OpenSSL libraries for
cryptography, and a number of security vulnerabilities have been discovered in
those OpenSSL libraries.
CVE-2012-2131
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75099 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2012-2110
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74926 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2012-0884
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73916 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2012-0050
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72458 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-2011-4108
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72128 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2011-4576
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72130 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2011-4577
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72131 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-2011-4619
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72132 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-2012-0027
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72133 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2011-3207
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/69613 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2011-3210
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/69614 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2011-0014
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/68221 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)
CVE-2010-3864
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63293 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2010-4252
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63636 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2010-0742
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/59039 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2010-1633
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/59040 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)
AFFECTED VERSIONS:
All versions prior to and including IBM Sterling Connect:Enterprise for UNIX
2.5.0.
REMEDIATION:
The recommended solution is to apply the fix for each version as soon as
practical. See below for information on the available fixes.
· Version 2.5.0: apply Fix Pack 2.5.01.
· Version 2.4.0.4: apply the iFix for RTC 366869.
WORKAROUND(S):
· None known; apply fixes
MITIGATION(S):
· None known
REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2012-2131
· X-Force Database: http://xforce.iss.net/xforce/xfdb/75099
· CVE-2012-2110
· X-Force Database: http://xforce.iss.net/xforce/xfdb/74926
· CVE-2012-0884
· X-Force Database: http://xforce.iss.net/xforce/xfdb/73916
· CVE-2012-0050
· X-Force Database: http://xforce.iss.net/xforce/xfdb/72458
· CVE-2011-4108
· X-Force Database: http://xforce.iss.net/xforce/xfdb/72128
· CVE-2011-4576
· X-Force Database: http://xforce.iss.net/xforce/xfdb/72130
· CVE-2011-4577
· X-Force Database: http://xforce.iss.net/xforce/xfdb/72131
· CVE-2011-4619
· X-Force Database: http://xforce.iss.net/xforce/xfdb/72132
· CVE-2011-0027
· X-Force Database: http://xforce.iss.net/xforce/xfdb/72133
· CVE-2011-3207
· X-Force Database: http://xforce.iss.net/xforce/xfdb/69613
· CVE-2011-3210
· X-Force Database: http://xforce.iss.net/xforce/xfdb/69614
· CVE-2011-0014
· X-Force Database: http://xforce.iss.net/xforce/xfdb/68221
· CVE-2010-3864
· X-Force Database: http://xforce.iss.net/xforce/xfdb/63293
· CVE-2010-4252
· X-Force Database: http://xforce.iss.net/xforce/xfdb/63636
· CVE-2010-0742
· X-Force Database: http://xforce.iss.net/xforce/xfdb/59039
· CVE-2010-1633
· X-Force Database: http://xforce.iss.net/xforce/xfdb/59040
RELATED INFORMATION:
· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of
IBM trademarks is available on the Web at "Copyright and trademark information"
at www.ibm.com/legal/copytrade.shtml.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----