===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0487
       HMC OpenSSL Upgrade to Address Cryptographic Vulnerabilities
                               8 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM HMC OpenSSL
Publisher:         IBM
Operating System:  OS/400
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Read-only Data Access           -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2131 CVE-2012-2110 CVE-2012-0884
                   CVE-2012-0050 CVE-2012-0027 CVE-2011-4619
                   CVE-2011-4577 CVE-2011-4576 CVE-2011-4108
                   CVE-2011-3210 CVE-2011-3207 CVE-2011-0014
                   CVE-2010-4252 CVE-2010-3864 CVE-2010-1633
                   CVE-2010-0742  

Reference:         ASB-2012.0172
                   ASB-2012.0021
                   ASB-2010.0135
                   ESB-2013.0475
                   ESB-2013.0411
                   ESB-2013.0365
                   ESB-2013.0309

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=nas12088ececb530423186257b410072035e

--------------------------BEGIN INCLUDED TEXT--------------------

HMC OpenSSL Upgrade to Address Cryptographic Vulnerabilities

Technote

Document information

i family

Operating system(s):
OS/400

Reference #:
666105211

Modified date:
2013-04-04

HMC releases prior to V7R7.7.0 use OpenSSL versions with errors in the 
cryptographic libraries that could allow remote attackers to conduct buffer 
overflow attacks and cause a denial of service (memory corruption).

Vulnerability Details

CVE ID: CVE-2012-2131 CVE-2012-2110 CVE-2012-0884 CVE-2012-0050 CVE-2011-4108 
CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 CVE-2012-0027 CVE-2011-3207 
CVE-2011-3210 CVE-2011-0014 CVE-2010-4252 CVE-2010-3864 CVE-2010-0742 
CVE-2010-1633

Description:
HMC V7R7.7.0 includes a newer version of OpenSSL that resolves a number of key
security exposures, and improves the entropy by mixing the time into the 
entropy pool.

CVSS:

CVE-2012-2131
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75099 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-2110
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74926 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-0884
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73916 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2012-0050
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72458 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-4108
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72128 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2011-4576
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72130 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-4577
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72131 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-4619
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72132 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-3210
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/69614 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2011-0014
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/68221 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVE-2010-3864
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63293 for the 
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) 

Affected Platforms: Power Hardware Management Console (HMC)
V7R7.6.0 and all prior releases, with or without Service Packs and / or fixes.

Remediation: Upgrade to V7R7.7.0 (MH01343), plus mandatory efixes MH01355 and 
MH01345.

HMC Service Packs and eFixes are available through FixCentral.
The FixCentral retrieval process for Power HMC starts at 
http://www-933.ibm.com/support/fixcentral/ .

The links below are for the README files for the listed fixes.
http://www-933.ibm.com/support/fixcentral/firmware/readme?fixid=MH01343
http://www-933.ibm.com/support/fixcentral/firmware/readme?fixid=MH01355
http://www-933.ibm.com/support/fixcentral/firmware/readme?fixid=MH01345

Work-around(s): The only recommended solution is to upgrade to HMC V7R7.7.0.

References:

    o Complete CVSS Guide ( http://www.first.org/cvss/cvss-guide.html )
    o On-line Calculator V2 ( http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 )
    o CVE-2012-2131 http://xforce.iss.net/xforce/xfdb/75099
    o CVE-2012-2110 http://xforce.iss.net/xforce/xfdb/74926
    o CVE-2012-0884 http://xforce.iss.net/xforce/xfdb/73916
    o CVE-2012-0050 http://xforce.iss.net/xforce/xfdb/72458
    o CVE-2011-4108 http://xforce.iss.net/xforce/xfdb/72128
    o CVE-2011-4576 http://xforce.iss.net/xforce/xfdb/72130
    o CVE-2011-4577 http://xforce.iss.net/xforce/xfdb/72131
    o CVE-2011-4619 http://xforce.iss.net/xforce/xfdb/72132
    o CVE-2011-3210 http://xforce.iss.net/xforce/xfdb/69614
    o CVE-2011-0014 http://xforce.iss.net/xforce/xfdb/68221
    o CVE-2010-3864 http://xforce.iss.net/xforce/xfdb/63293 

Related Information:

o IBM Secure Engineering Web Portal
o IBM Product Security Incident Response Blog

Change History:
26 March 2013: first draft.

Notes:

1. The CVSS Environmental Score is specific to each customer's environment and
will ultimately impact the Overall CVSS Score. Customers can evaluate the 
impact of this vulnerability in their environments by accessing the links in 
the Reference section of this Flash.
2. According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY 
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

System i Support

IBM disclaims all warranties, whether express or implied, including, but not
limited to, the implied warranties of merchantability and fitness for a 
particular purpose. By furnishing this document, IBM grants no licenses to any
related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 
2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 IBM 
Corporation. Any trademarks and product or brand names referenced in this 
document are the property of their respective owners. Consult the Terms of
use link for trademark information. 

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business 
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of 
IBM trademarks is available on the Web at "Copyright and trademark information"
at www.ibm.com/legal/copytrade.shtml.

--------------------------END INCLUDED TEXT--------------------
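
Added example (not part of the IBM or AusCERT text): a check that recomputes the CVSS v2 base score from each vector listed in the bulletin above, confirms it matches the published score, and orders the CVEs for triage. The weights and equation are those of the CVSS v2 guide; the function names are illustrative.

```python
# CVSS v2 metric weights and base equation, per the CVSS v2 guide (FIRST).
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": CIA, "I": CIA, "A": CIA,
}
# (CVE, published base score, vector) transcribed from the bulletin above.
BULLETIN = [
    ("CVE-2012-2131", 7.5, "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"),
    ("CVE-2012-2110", 7.5, "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"),
    ("CVE-2012-0884", 5.0, "(AV:N/AC:L/Au:N/C:P/I:N/A:N)"),
    ("CVE-2012-0050", 4.3, "(AV:N/AC:M/Au:N/C:N/I:N/A:P)"),
    ("CVE-2011-4108", 4.3, "(AV:N/AC:M/Au:N/C:P/I:N/A:N)"),
    ("CVE-2011-4576", 5.0, "(AV:N/AC:L/Au:N/C:P/I:N/A:N)"),
    ("CVE-2011-4577", 4.3, "(AV:N/AC:M/Au:N/C:N/I:N/A:P)"),
    ("CVE-2011-4619", 4.3, "(AV:N/AC:M/Au:N/C:N/I:N/A:P)"),
    ("CVE-2011-3210", 5.0, "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"),
    ("CVE-2011-0014", 5.8, "(AV:N/AC:M/Au:N/C:P/I:N/A:P)"),
    ("CVE-2010-3864", 6.8, "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"),
]

def parse_vector(vector):
    """Map each metric to its weight; reject malformed or incomplete vectors."""
    metrics = {}
    for part in vector.strip("() ").split("/"):
        name, _, value = part.partition(":")
        if name in metrics or value not in WEIGHTS.get(name, {}):
            raise ValueError(f"bad CVSS v2 metric {part!r} in {vector!r}")
        metrics[name] = WEIGHTS[name][value]
    if set(metrics) != set(WEIGHTS):
        raise ValueError(f"incomplete CVSS v2 vector {vector!r}")
    return metrics

def base_score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def check_bulletin(entries=BULLETIN):
    """Return (entries whose published score differs, all entries by score)."""
    scored = [(cve, pub, base_score(vec)) for cve, pub, vec in entries]
    mismatches = [row for row in scored if row[1] != row[2]]
    return mismatches, sorted(scored, key=lambda r: (-r[2], r[0]))

if __name__ == "__main__":
    print(*check_bulletin()[1], sep="\n")
```

The base score covers only the vector's six metrics; the temporal and environmental scores the bulletin leaves open are not computed here.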

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================