Brocade will no longer provide security updates as End of Life (EOL) was January 18, 2013.

Transcription

1 Component: SSH CVSS Score: N/A No CVE: ncircle vulnerability scanner reports insecure SSH HMAC algorithms enabled. Advises disabling MD5 HMAC algorithms and any HMAC algorithms < 96 bit strength. Reference Table 3 of NIST SP Note: if product supports weak algorithms, solution should be to discontinue support for weak algorithms or provide configuration option to disable weak algorithms. If mechanism is provided to disable weak algorithms, mechanism should be supported regardless of FIPS state. Not Impacted Not Impacted Fabric Brocade IronView Network Fabric (DCFM) after 10.4 Patch since March 28, Network version 3.3 since May 30, Impacted - May affects some Linux tools like ssh, but not vadx software. We should advise customers to use Linux tools with caution. Page 1

2 Component: OpenSSH CVSS Score: 4.6 CVE : scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. Fabric Brocade IronView Network Brocade Network Advisor Brocade Services Director Fabric (DCFM) after 10.4 Patch since March 28, Network version 3.3 since May 30, Page 2

3 Component: SSL CVSS Score: 2.6 CVE : The default SSL cipher configuration in Apache Tomcat through , through , and through uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts. Fabric Brocade IronView Network Fabric (DCFM) after 10.4 Patch since March 28, Network version 3.3 since May 30, Page 3

4 Component: Apache CVSS Score: 4.3 CVE : Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server through and through and the (2) mod_imagemap module in the Apache HTTP Server through allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Fabric Brocade IronView Network Fabric (DCFM) after 10.4 Patch since March 28, Network version 3.3 since May 30, Page 4

5 Component: Apache CVSS Score: 4.3 CVE : Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE Fabric Brocade IronView Network Fabric (DCFM) after 10.4 Patch since March 28, Network version 3.3 since May 30, Page 5

6 Component: Apache CVSS Score: 4.3 CVE : Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server through 2.2.6, through , and through , when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Fabric Brocade IronView Network and/or impacted Brocade will no longer provide security updates as End of Life (EOL) and/or impacted Brocade will no longer provide security updates for Data Center Fabric (DCFM) after 10.4 Patch since March 28, Apache version used in FOS is above the impacted version. and/or impacted Brocade will no longer provide security updates after IronView Network version 3.3 since May 30, Page 6

7 Component: Appache CVSS Score: 5.0 CVE : The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before Fabric Brocade IronView Network Not Impacted Not Impacted Fabric (DCFM) after 10.4 Patch since March 28, Network version 3.3 since May 30, Page 7

8 Component: Apache CVSS Score: 4.3 CVE : mod_proxy_ftp in Apache 2.2.x before dev, 2.0.x before dev, and 1.3.x before dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding. Fabric Brocade IronView Network Fabric (DCFM) after 10.4 Patch since March 28, Network version 3.3 since May 30, Page 8

9 Component: OpenSSH CVSS Score: 6.5 CVE : OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the.ssh/rc session file. Fabric Brocade IronView Network Fabric (DCFM) after 10.4 Patch since March 28, Network version 3.3 since May 30, Page 9

10 Component: SSH CVSS Score: 2.6 CVE : Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through , 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/os and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through J and 4.0-K through K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors. Fabric Brocade IronView Network Fabric (DCFM) after 10.4 Patch since March 28, Network version 3.3 since May 30, Impacted May affects some Linux tools like linux version ssh utility, but not VADX software. We should advise customers to use Linux tools with caution. Page 10

11 Component: OpenSSH CVSS Score: 2.1 CVE : ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes sshrand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information via the ptrace system call. Fabric Brocade IronView Network Fabric (DCFM) after 10.4 Patch since March 28, Network version 3.3 since May 30, Page 11

12 Disclaimer THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Document Revision Changes 1.0 Initial Publication 2.0 Adding ServerIron ADX content. Page 12