APAR status
Closed as program error.
Error description
CVEs (details as of the time of ADV creation):

CVEID: CVE-2022-4304
Description: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.

CVEID: CVE-2023-0215
Description: OpenSSL is vulnerable to a denial of service, caused by a use-after-free error related to the incorrect handling of streaming ASN.1 data by the BIO_new_NDEF function. A remote attacker could exploit this vulnerability to cause a denial of service.

CVEID: CVE-2023-0286
Description: OpenSSL is vulnerable to a denial of service, caused by a type confusion error related to X.400 address processing inside an X.509 GeneralName. By passing arbitrary pointers to a memcmp call, a remote attacker could exploit this vulnerability to read memory contents or cause a denial of service.

CVEID: CVE-2023-0466
Description: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the X509_VERIFY_PARAM_add0_policy function. By using invalid certificate policies, an attacker could exploit this vulnerability to bypass certificate verification.

CVEID: CVE-2023-0465
Description: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw when using a non-default option to verify certificates. By using invalid certificate policies in leaf certificates, an attacker could exploit this vulnerability to bypass policy checking.

CVEID: CVE-2023-0464
Description: OpenSSL is vulnerable to a denial of service, caused by an error related to the verification of X.509 certificate chains that include policy constraints. By creating a specially crafted certificate chain that triggers exponential use of computational resources, a remote attacker could exploit this vulnerability to cause a denial of service.
Local fix
Problem summary
USERS AFFECTED:
IBM Storage Insights users

PROBLEM DESCRIPTION:
SECURITY APAR FOR:
CVE-2022-4304, CVE-2023-0215, CVE-2023-0286, CVE-2023-0466, CVE-2023-0465, CVE-2023-0464

RECOMMENDATION:
Problem conclusion
The fix for this APAR is contained in the following release: IBM Storage Insights 3Q23 [ 54X-IBM-SI ] (3Q 2023 / July).

To protect IBM Storage Insights against emerging security vulnerabilities, the service was updated to protect against these vulnerabilities. An upgrade of your IBM Storage Insights Data Collector(s) will apply this fix. If you do not have automatic upgrade enabled, please upgrade your Data Collector(s) manually to apply the fix.
Temporary fix
Comments
APAR Information
APAR number
IT44183
Reported component name
STORAGE INSIGHT
Reported component ID
5608TPCSI
Reported release
54X
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-07-18
Closed date
2023-07-25
Last modified date
2023-07-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STORAGE INSIGHT
Fixed component ID
5608TPCSI
Applicable component levels
Document Information
Modified date:
26 July 2023