SecurityTracker.com
Category:   Application (Web Server/CGI)  >   IBM InfoSphere Information Server
Vendors:   IBM
(IBM Issues Fix for IBM InfoSphere Information Server) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
SecurityTracker Alert ID:  1040761
SecurityTracker URL:  http://securitytracker.com/id/1040761
CVE Reference:   CVE-2016-0701
Date:  Apr 27 2018
Impact:   Disclosure of authentication information, Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 9.1, 11.3, 11.5, 11.7
Description:   Two vulnerabilities were reported in OpenSSL. A remote user can recover keys in certain cases. A remote user can negotiate disabled ciphers. IBM InfoSphere Information Server is affected.

When X9.42 style parameter files are used, the system may generate Diffie-Hellman (DH) parameters from primes that are not safe [CVE-2016-0701]. A remote user who completes multiple handshakes with a target peer that reuses the same private DH exponent may be able to determine that exponent and then conduct man-in-the-middle attacks against the ostensibly secure connection.

Systems that reuse the private DH exponent or use a static DH ciphersuite are affected.

Systems with the SSL_OP_SINGLE_DH_USE option for ephemeral DH (DHE) in TLS disabled reuse the same private DH exponent for the life of the server process and are affected.

Version 1.0.2 is affected.

The vendor was notified on January 12, 2016.

Antonio Sanso (Adobe) reported this vulnerability.
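
The two conditions that matter for CVE-2016-0701, whether the DH prime is safe and whether a peer's public value lies in the intended subgroup, can be checked as shown in the following added example (not code from the advisory, OpenSSL or IBM). The function names and the toy parameters p = 31, q = 5, g = 2 are constructed for illustration.

```python
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # witness in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                       # a proves n composite
    return True

def is_safe_prime(p):
    """True when p and (p - 1) / 2 are both prime, so the only small
    subgroups of the multiplicative group have order 1 or 2."""
    return p > 4 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def peer_public_ok(y, p, q=None):
    """Validate a peer's DH public value y for modulus p. q is the
    subgroup order that X9.42 style parameters carry alongside p and g."""
    if not 1 < y < p - 1:
        return False                           # rejects 0, 1 and p - 1
    if q is not None and pow(y, q, p) != 1:
        return False                           # y is outside the order-q subgroup
    return True

if __name__ == "__main__":
    # Constructed toy parameters: p = 31 is prime but not safe
    # (p - 1 = 2 * 3 * 5); g = 2 generates the subgroup of order q = 5.
    p, q, g = 31, 5, 2
    print("safe prime:", is_safe_prime(p))
    print("honest value accepted:", peer_public_ok(pow(g, 3, p), p, q))
    print("order-3 value accepted:", peer_public_ok(5, p, q))
```

With a non-safe prime, the range check alone accepts the order-3 value; only the test against q rejects it.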

When the SSLv2 protocol is not disabled via SSL_OP_NO_SSLv2 on the target server, a remote user can negotiate SSLv2 ciphers that have been disabled on the target server [CVE-2015-3197]. Versions 1.0.1 and 1.0.2 are affected.

The vendor was notified on December 26, 2015.

Nimrod Aviram and Sebastian Schinzel reported this vulnerability.

Impact:   A remote user can recover keys in certain cases.

A remote user can negotiate disabled ciphers.

Solution:   IBM has issued a fix for CVE-2016-0701 for IBM InfoSphere Information Server.

The IBM advisory is available at:

http://www-01.ibm.com/support/docview.wss?uid=swg22015215

Vendor URL:  www-01.ibm.com/support/docview.wss?uid=swg22015215
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 28 2016 OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers


