APAR status
Closed as program error.
Error description
CVEID: CVE-2023-2650
Description: OpenSSL is vulnerable to a denial of service, caused by a flaw when using OBJ_obj2txt() directly, or when using any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.

CVEID: CVE-2023-0464
Description: OpenSSL is vulnerable to a denial of service, caused by an error related to the verification of X.509 certificate chains that include policy constraints. By creating a specially crafted certificate chain that triggers exponential use of computational resources, a remote attacker could exploit this vulnerability to cause a denial of service.
Local fix
Problem summary
USERS AFFECTED: IBM Storage Insights users
PROBLEM DESCRIPTION: SECURITY APAR FOR: CVE-2023-2650 CVE-2023-0464
See security bulletin for details: https://www.ibm.com/support/pages/node/7031031
RECOMMENDATION:
Problem conclusion
The fix for this APAR is contained in the following release:
IBM Storage Insights 3Q23 [ 54X-IBM-SI ] ( 3Q 2023 / August )

To protect IBM Storage Insights against emerging security vulnerabilities, the service was updated to protect against vulnerabilities. An upgrade of your IBM Storage Insights Data Collector(s) will apply this fix. If you do not have automatic upgrade enabled, please upgrade your Data Collector(s) manually to apply the fix.
Temporary fix
Comments
APAR Information
APAR number
IT44435
Reported component name
STORAGE INSIGHT
Reported component ID
5608TPCSI
Reported release
54X
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-08-25
Closed date
2023-08-29
Last modified date
2023-09-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STORAGE INSIGHT
Fixed component ID
5608TPCSI
Applicable component levels
Document Information
Modified date:
08 September 2023