Flashes (Alerts)
Abstract
A number of security vulnerabilities have been identified in the OpenSSL libraries that are part of the operating system software included with the vulnerable systems.
Content
VULNERABILITY DETAILS
CVE IDs:
CVE-2012-2131, CVE-2012-2110, CVE-2012-0884, CVE-2012-0050, CVE-2011-4108,
CVE-2011-4576, CVE-2011-4619, CVE-2011-0014, CVE-2010-3864, CVE-2011-4109, CVE-2012-1165, CVE-2012-2333, CVE-2010-4180
DESCRIPTION:
The IBM Smart Analytics System 7600, IBM Smart Analytics System 7700, and IBM Smart Analytics System 7710 are shipped with the AIX operating system. A number of security vulnerabilities have been identified in the OpenSSL libraries that are part of the operating system software. See the references section for links to the description of each individual vulnerability.
CVE-2012-2131
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/75099 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2012-2110
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/74926 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2012-0884
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73916 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2012-0050
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/72458 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-2011-4108
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/72128 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2011-4576
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/72130 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2011-4619
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/72132 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-2011-0014
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/68221 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)
CVE-2010-3864
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/63293 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2011-4109
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/72129 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-2012-1165
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/74100 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2012-2333
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/75525 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:P)
CVE-2010-4180
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/63635 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS AND VERSIONS:
IBM Smart Analytics System 7600
IBM Smart Analytics System 7700
IBM Smart Analytics System 7710
REMEDIATION:
FIXES:
Find your product in the table below and use the link in the third column to find the patch provided by IBM. Previously supported Balanced Warehouse environments not listed below require additional investigation to determine vulnerability and the appropriate remediation. Access to the patches on the IBM site is restricted and requires a valid IBM registration ID. For more information about IBM registration IDs, see https://www.ibm.com/account/profile/us?page=regfaqhelp.
| Product | Operating System | Patch Link |
| IBM Smart Analytics System 7600 IBM Smart Analytics System 7700 IBM Smart Analytics System 7710 | AIX 6.1 | https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US |
Downloading and installing the patches
1. Log in to the IBM site to obtain the patches. You will need to download a patch for OpenSSL and a patch for OpenSSH.
a. Navigate to the following URL:
https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US
b. Log in using your IBM registration ID and password.
2. Download the patch for OpenSSL 0.9.8.x.
a. Select the OpenSSL version 0.9.8x radio button and click Continue.
b. In the Download using Download Director tab, identify the Open SSL image with the label "openssl-0.9..8.2400 (OpenSSL 0.9.8.x) for AIX 5.3, AIX 6.1 & 7.1".
c. Select the OpenSSL Image (openssl-0.9.8.2400.tar.Z) checkbox and the Readme (Readme-0.9.8.2400.txt) checkbox and click Download now.
The Download Director will download the files to a temporary directory.
3. Download the patch for OpenSSH Version 6.0.
a. Select the OpenSSH Version 6.0 radio button and click Continue.
b. Select the OpenSSH Image(OpenSSH__6.0.0.6101.tar.Z) checkbox and the Readme (Readme-6.0.0.6101.txt) checkbox and click Download now.
The Download Director will download the files to a temporary directory.
4. Copy the patches to the management host in the system and uncompress the files.
a. Log in to the management host as the root user.
b. Copy the OpenSSL and the OpenSSH patch files to the following directory on the management host:
/BCU_share/securitypatch
c. On the management host, issue the following commands to uncompress the OpenSSL and OpenSSH patch files:
cd /BCU_share/securitypatch
zcat openssl-0.9.8.2400.tar.Z | tar -xvf -
zcat OpenSSH_6.0.0.6101.tar.Z | tar -xvf -
5. Install the patches on each AIX host in the system. Install these fixes during a maintenance window because you will need to reboot each AIX host in the system after the patches are installed.
a. Back up the /etc/ssh directory on each AIX host in the system.
b. Verify that you can log in to the remote console for each AIX host through the Hardware Management Console (HMC).
c. Create a mksysb backup image of each host. Verify that the backup image is both bootable and readable.
d. On each AIX host, run the following commands to preview the OpenSSL package. During the preview, an automated prerequisite check is run and will verify that the AIX host can be updated with the patch.
cd /BCU_share/securitypatch/openssl-0.9.8.2400
installp -apYd . openssl
e. On each AIX host, run the following command to install the OpenSSL package:
installp -aXYd . openssl
f. On each AIX host, run the following commands to preview the OpenSSH package. During the preview, an automated prerequisite check is run and will verify that the AIX host can be updated with the patch.
cd /BCU_share/securitypatch/OpenSSH_6.0.0.6101
installp -apYd . openssh
g. On each AIX host, run the following command to install the OpenSSH package:
installp -aXYd . openssh
h. Reboot each AIX host.
WORKAROUND(S):
None.
MITIGATION(S):
None.
REFERENCES:
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT:
None.
CHANGE HISTORY:
February 04, 2013: Document created.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Was this topic helpful?
Document Information
Modified date:
25 September 2022
UID
swg21625170