Technical Description

IBM has released new APARs to address two vulnerabilities identified in OpenSSL for IBM Hardware Management Console (HMS). The first issue could be exploited to conduct MITM (Man in the Middle) attacks and force a client and a server to negotiate the SSL 2.0 protocol instead of SSL 3.0 or TLS 1.0. The second flaw is due to an error in the Hyper-Threading Technology (HTT), which may cause certain information to be disclosed to local users. For additional information, see : VUPEN/ADV-2005-2036 and VUPEN/ADV-2005-0540

Affected Products

IBM Hardware Management Console (HMC)

Solution

HMC Version 3 Release 3.6 - Apply APAR IY79212 :
http://techsupport.services.ibm.com/server/hmc/power4/download/v33.Update.html
HMC Version 4 Release 5 - Apply APAR MB01276 :
http://techsupport.services.ibm.com/server/hmc/power5/download/v45.Update.html
HMC Version 5 Release 1.0 - Apply APAR MB01275 :
http://techsupport.services.ibm.com/server/hmc/power5/download/v51.Update.html

References

http://www.vupen.com/english/advisories/2005/3002
http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_754
http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_474
http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_604

ChangeLog

2005-12-20 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts with CVE, CWE, and CVSS when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.