Security Bulletin: IBM Smart Analytics System 7600, 7700, and 7710 are affected by vulnerabilities in OpenSSL

Flash (Alert)


Abstract

A number of security vulnerabilities have been identified in the OpenSSL libraries that are part of the operating system software included with the vulnerable systems.

Content

VULNERABILITY DETAILS

CVE IDs:

CVE-2012-2131, CVE-2012-2110, CVE-2012-0884, CVE-2012-0050, CVE-2011-4108,
CVE-2011-4576, CVE-2011-4619, CVE-2011-0014, CVE-2010-3864, CVE-2011-4109, CVE-2012-1165, CVE-2012-2333, CVE-2010-4180


DESCRIPTION:

The IBM Smart Analytics System 7600, IBM Smart Analytics System 7700, and IBM Smart Analytics System 7710 are shipped with the AIX operating system. A number of security vulnerabilities have been identified in the OpenSSL libraries that are part of the operating system software. See the references section for links to the description of each individual vulnerability.


CVE-2012-2131
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75099 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-2110
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74926 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)


CVE-2012-0884
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73916 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVE-2012-0050
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72458 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)


CVE-2011-4108
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72128 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2011-4576
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72130 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVE-2011-4619
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72132 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2011-0014
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/68221 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVE-2010-3864
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63293 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2011-4109
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72129 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2012-1165
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74100 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2012-2333
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75525 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:P)

CVE-2010-4180
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63635 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


AFFECTED PRODUCTS AND VERSIONS:

IBM Smart Analytics System 7600
IBM Smart Analytics System 7700
IBM Smart Analytics System 7710


REMEDIATION:

    FIXES:

    Find your product in the table below and use the link in the third column to find the patch provided by IBM. Previously supported Balanced Warehouse environments not listed below require additional investigation to determine vulnerability and the appropriate remediation. Access to the patches on the IBM site is restricted and requires a valid IBM registration ID. For more information about IBM registration IDs, see https://www.ibm.com/account/profile/us?page=regfaqhelp.

    Product Operating System Patch Link
    IBM Smart Analytics System 7600
    IBM Smart Analytics System 7700
    IBM Smart Analytics System 7710
    AIX 6.1 https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US



    Downloading and installing the patches

    1. Log in to the IBM site to obtain the patches. You will need to download a patch for OpenSSL and a patch for OpenSSH.


    2. Download the patch for OpenSSL 0.9.8.x.
      a. Select the OpenSSL version 0.9.8x radio button and click Continue.

      b. In the Download using Download Director tab, identify the Open SSL image with the label "openssl-0.9..8.2400 (OpenSSL 0.9.8.x) for AIX 5.3, AIX 6.1 & 7.1".

      c. Select the OpenSSL Image (openssl-0.9.8.2400.tar.Z) checkbox and the Readme (Readme-0.9.8.2400.txt) checkbox and click Download now.

      The Download Director will download the files to a temporary directory.


    3. Download the patch for OpenSSH Version 6.0.
      a. Select the OpenSSH Version 6.0 radio button and click Continue.

      b. Select the OpenSSH Image (OpenSSH__6.0.0.6101.tar.Z) checkbox and the Readme (Readme-6.0.0.6101.txt) checkbox and click Download now.

      The Download Director will download the files to a temporary directory.


    4. Copy the patches to the management host in the system and uncompress the files.
      a. Log in to the management host as the root user.

      b. Copy the OpenSSL and the OpenSSH patch files to the following directory on the management host:
        /BCU_share/securitypatch

      c. On the management host, issue the following commands to uncompress the OpenSSL and OpenSSH patch files:
        cd /BCU_share/securitypatch
        zcat openssl-0.9.8.2400.tar.Z | tar -xvf -
        zcat OpenSSH_6.0.0.6101.tar.Z | tar -xvf -


    5. Install the patches on each AIX host in the system. Install these fixes during a maintenance window because you will need to reboot each AIX host in the system after the patches are installed.
      a. Back up the /etc/ssh directory on each AIX host in the system.

      b. Verify that you can log in to the remote console for each AIX host through the Hardware Management Console (HMC).

      c. Create a mksysb backup image of each host. Verify that the backup image is both bootable and readable.

      d. On each AIX host, run the following commands to preview the OpenSSL package. During the preview, an automated prerequisite check is run and will verify that the AIX host can be updated with the patch.
        cd /BCU_share/securitypatch/openssl-0.9.8.2400
        installp -apYd . openssl

      e. On each AIX host, run the following command to install the OpenSSL package:
        installp -aXYd . openssl

      f. On each AIX host, run the following commands to preview the OpenSSH package. During the preview, an automated prerequisite check is run and will verify that the AIX host can be updated with the patch.
        cd /BCU_share/securitypatch/OpenSSH_6.0.0.6101
        installp -apYd . openssh

      g. On each AIX host, run the following command to install the OpenSSH package:
        installp -aXYd . openssh

      h. Reboot each AIX host.

    WORKAROUND(S):

    None.

    MITIGATION(S):

    None.

REFERENCES:
RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


ACKNOWLEDGEMENT:

None.


CHANGE HISTORY:
February 04, 2013: Document created.


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment Product Component Platform Version Edition
Information Management IBM Smart Analytics System IBM Smart Analytics System 7600
Information Management IBM Smart Analytics System IBM Smart Analytics System 7710

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Smart Analytics System
IBM Smart Analytics System 7700

Software version:

9.7

Operating system(s):

AIX 6.1

Reference #:

1625170

Modified date:

2013-02-27

Translate my page

Machine Translation

Content navigation