IBM Netezza Performance Portal 2.0.0.3 weak SSL ciphers

2014.03.26
Credit: IBM
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2014-0848
CWE: CWE-310


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Summary The default configuration of the Apache web server used by IBM Netezza Performance Portal uses weak SSL ciphers. Vulnerability Details CVE ID: CVE-2014-0848 CVSS Base Score: 3.5 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90723 for the current score CVSS Environmental Score*: Undefined: CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N) Affected Products and Versions IBM Netezza Performance Portal 2.0 Remediation/Fixes Install IBM Netezza Performance Portal 2.0.0.4 available from here. Workarounds and Mitigations To avoid this issue, you must log in as the root user to the server where the Netezza Performance Portal is installed and edit the /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf/httpd.conf configuration files. Search for the SSLCipherSuite variable, which by default has the value: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW Change the variable definition to the following value: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:! After editing and saving both files, restart the web server by running the service httpd restart command as the root user. References Complete CVSS Guide On-line Calculator V2 Related information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 12-March-2014: Original version published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. Related information

References:

http://xforce.iss.net/xforce/xfdb/90723
http://www-01.ibm.com/support/docview.wss?uid=swg21665278


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top