Security Bulletin: Extreme Cloud Administration Tool (xCAT) is affected by
a vulnerability in OpenSSL (CVE-2014-0160)

A security vulnerability has been discovered in OpenSSL.

Vulnerability Details

CVE-ID: CVE-2014-0160
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error in the TLS/DTLS heartbeat functionality. An
attacker could exploit this vulnerability to expose 64k of private memory
and retrieve secret keys. This vulnerability can be remotely exploited,
authentication is not required and the exploit is not complex. An exploit
can affect confidentiality, but not integrity or availability.

xCAT is using OpenSSL to implement the TLS protocol designed to provide
secure communication within an xCAT cluster.

xCAT uses the OpenSSL library provided by the operating system. If the
OpenSSL library provided by the operating system has the security
vulnerability, then system administrators need to upgrade their system to a
version of the OpenSSL library that provides the fix for this security
vulnerability and regenerate the OpenSSL keys used by xCAT.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Warning: We strongly encourage you to take action as soon as possible as
potential implications to your environment may be more serious than
indicated by the CVSS score.


Affected Products and Versions

xCAT - all Versions

Remediation/Fixes

Follow the links below to find information on how to determine whether
your operating system distribution is impacted by this security issue:

AIX:
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq?mode=18&ID=3488&myns=pwraix61&mync=E

Red Hat: https://access.redhat.com/site/solutions/781793

SUSE/Novell: http://support.novell.com/security/cve/CVE-2014-0160.html

Other: http://heartbleed.com/

After applying the fix for OpenSSL, follow these instructions to
regenerate the OpenSSL keys used by xCAT.

Run the xcatconfig -c command, then follow the instructions for
distributing the SSL credentials given in the -c section of the xcatconfig
man page.

Warning: Your environment may require additional fixes for other products.
Please replace the SSL certificates and reset the user credentials after
applying the necessary fixes to your environment.
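The bulletin leaves two practical questions open: how to tell whether the
operating system's OpenSSL is in the affected range, and how to make sure the
key regeneration step is not run against a library that is still vulnerable.
The script below is an added example written for this page; it is not part of
the IBM bulletin or the xCAT project. It classifies an OpenSSL version string
against the upstream affected range (1.0.1 through 1.0.1f and 1.0.2-beta1,
fixed in 1.0.1g and 1.0.2-beta2), checks the RPM changelog for the CVE id
because Red Hat and SUSE shipped the fix as a backport without bumping the
version string, and only then runs xcatconfig -c. The function names, the
--check/--regenerate switches and the rpm changelog check are assumptions of
this example; xcatconfig -c is the command the bulletin names.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin or the xCAT project): classify an
# OpenSSL version against the Heartbleed-affected range, confirm a backported
# fix on RPM systems, and gate the xCAT key regeneration on the result.

# Upstream affected range: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# Fixed in 1.0.1g and 1.0.2-beta2. 0.9.8 and 1.0.0 never had the TLS
# heartbeat extension and are unaffected.
# Accepts "1.0.1e" or the full "openssl version" output
# ("OpenSSL 1.0.1e-fips 11 Feb 2013"). Prints: vulnerable, fixed, unaffected.
heartbleed_version_status() {
    v=${1#OpenSSL }      # strip the leading program name, if present
    v=${v%% *}           # drop the build date that follows the version
    case "$v" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;
        1.0.2-beta1|1.0.2-beta1-*)     echo vulnerable ;;
        1.0.1*|1.0.2*)                 echo fixed ;;
        *)                             echo unaffected ;;
    esac
}

# Distributions backported the fix onto 1.0.1e without changing the version
# string, so a "vulnerable" verdict from the version alone must be confirmed
# against the package changelog. Prints: patched, unpatched, or unknown
# (no rpm on this host, e.g. AIX or Debian-style systems).
heartbleed_rpm_status() {
    pkg=${1:-openssl}
    if ! command -v rpm >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if rpm -q --changelog "$pkg" 2>/dev/null | grep -q 'CVE-2014-0160'; then
        echo patched
    else
        echo unpatched
    fi
}

# Combine both signals for the running host. Returns 0 (safe) when the
# version is fixed/unaffected or the package changelog names the CVE.
heartbleed_host_is_fixed() {
    ver=$(openssl version 2>/dev/null) || {
        echo "openssl binary not found on PATH" >&2
        return 2
    }
    case "$(heartbleed_version_status "$ver")" in
        fixed|unaffected) return 0 ;;
    esac
    [ "$(heartbleed_rpm_status openssl)" = patched ]
}

# Remediation as the bulletin describes it: regenerate the xCAT SSL
# credentials only once the library is fixed, otherwise the new keys are
# exposed through the same bug. Distribution of the new credentials to the
# cluster nodes follows the -c section of the xcatconfig man page.
regenerate_xcat_credentials() {
    if ! heartbleed_host_is_fixed; then
        echo "OpenSSL is still vulnerable; upgrade it before regenerating keys" >&2
        return 1
    fi
    xcatconfig -c && echo "credentials regenerated; distribute them per 'man xcatconfig'"
}

# Entry points (assumed switches): --check reports the host status,
# --regenerate performs the gated key regeneration.
case "${1:-}" in
    --check)      heartbleed_host_is_fixed && echo "OpenSSL: fixed" || echo "OpenSSL: NOT fixed" ;;
    --regenerate) regenerate_xcat_credentials ;;
esac
```

Run it as "sh heartbleed-xcat.sh --check" on the management node first; an
"unknown" changelog status (AIX, for instance) means the version verdict is
the only evidence the script has, and the vendor advisory linked above must be
consulted by hand before running --regenerate.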

Workarounds and Mitigations
      None known

Reference
- Complete CVSS Guide
- On-line Calculator V2
- OpenSSL Project vulnerability website
- Heartbleed

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.


Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR
ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Lissa K. Valletta
8-3/B10
Poughkeepsie, NY 12601
(tie 293) 433-3102