IBM Security Verify

  • 1.  openssl CVE-2022-3786 and CVE-2022-3602 (openssl)

    Posted Mon November 21, 2022 01:29 AM

    Hi,

    I noticed that the Docker image ibmcom/isam-openldap (at least tag 9.0.7.2_IF3) is vulnerable to CVE-2022-3786 and CVE-2022-3602.
    I've been keeping an eye on Docker Hub, but didn't see new images become available that fix these CVEs. Are there plans to release images that address these issues?

    On a side note: I use aquasec/trivy to scan docker images, which can yield interesting results for any image you are using...



    ------------------------------
    Kristof Goossens
    ------------------------------


  • 2.  RE: openssl CVE-2022-3786 and CVE-2022-3602 (openssl)

    Posted Tue November 22, 2022 03:30 AM
    Hi Kristof!

    There's a note in the Overview tab on that Docker Hub page that says:
    IMPORTANT - IBM Security Access Manager will no longer host images on Docker Hub after December 31st, 2022. Images can now be accessed via IBM container registry. More details regarding this new location can be found at the following URL: https://docs.verify.ibm.com/ibm-security-verify-access/docs/containers

    I'm also referring to this IBM Support note: https://www.ibm.com/support/pages/node/6830213

    Example: the command below will pull verify-access-openldap:10.0.4.0_IF1

    docker pull icr.io/isva/verify-access-openldap:10.0.4.0_IF1

    And remember: the verify-access-openldap image is only designed to be used in test environments. If you want to use OpenLDAP in production, you should obtain a supported version of OpenLDAP.

    Cheers, Peter.




    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 3.  RE: openssl CVE-2022-3786 and CVE-2022-3602 (openssl)

    Posted Fri November 25, 2022 03:22 AM
    Hi Peter,

    Thanks for the heads-up.

    ------------------------------
    Kristof Goossens
    ------------------------------



  • 4.  RE: openssl CVE-2022-3786 and CVE-2022-3602 (openssl)

    Posted Mon November 28, 2022 12:10 PM
    Dear All,

    I would just like to ask for information about the above-mentioned CVEs regarding on-premise ISVA images / environments (no Docker). We have 10.0.4.0_IF1 on our systems.

    Are we OK with this, or do we need to take any action?

    Also, how is it possible to check the OpenSSL version on an on-prem installation (not Docker)? I see the "curl" command, and I can run "curl -V", which provides some output. Is this the right way? Or?


    I appreciate your reply.

    Thanks.


    ------------------------------
    Janos Laszlo Horvath
    ------------------------------
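The two questions raised in this thread (does a scanner report these CVEs for an image, and how do you read the OpenSSL version off a host) can both be answered locally. The script below is an added example written for this page; it is not code from the thread, from IBM, or from the Trivy project. It assumes the published affected range for CVE-2022-3602 and CVE-2022-3786 (OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7; the 1.1.1 and 1.0.2 branches never contained the vulnerable punycode decoder), and it works on constructed sample input: three `openssl version` lines, one first line of `curl -V` output, and a trimmed Trivy-style JSON report with a placeholder CVE ID. One caveat on the `curl -V` approach: it reports the library that the curl binary itself links against, which is not necessarily the OpenSSL build an appliance's own services use, so treat it as a hint and the vendor bulletin as the authority.

```shell
#!/bin/sh
# Added example (not from the thread, not IBM or Trivy code).
# Local checks for the OpenSSL 3.0 punycode bugs CVE-2022-3602 / CVE-2022-3786.
# Affected: OpenSSL 3.0.0 through 3.0.6; fixed in 3.0.7.
# All sample inputs below are constructed; no real image or host is scanned.

# Pull "x.y.z" out of either "OpenSSL 3.0.5 5 Jul 2022" (openssl version)
# or "... libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 ..." (first line of curl -V).
openssl_version_number() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL[ /]\([0-9][0-9.a-z]*\).*|\1|p' | head -n 1
}

# Prints affected / not-affected / unknown for one version line.
openssl_cve_status() {
    v=$(openssl_version_number "$1")
    case "$v" in
        3.0.[0-6])  echo affected ;;       # exactly 3.0.0 .. 3.0.6
        "")         echo unknown ;;        # no OpenSSL version in the input
        *)          echo not-affected ;;   # 3.0.7+, 3.1+, 1.1.1x, 1.0.2x
    esac
}

# Reads a Trivy JSON report on stdin and lists which of the two CVE IDs it
# contains. The real report comes from: trivy image --format json -o report.json IMAGE
punycode_cves_in_report() {
    grep -o -E '"VulnerabilityID": *"CVE-2022-(3602|3786)"' \
        | sed 's/.*"\(CVE-[0-9-]*\)"$/\1/' | sort -u
}

# Constructed Trivy-style report, trimmed to the fields used here.
# CVE-0000-0000 is a placeholder to show that unrelated findings are ignored.
SAMPLE_TRIVY_JSON='{
  "Results": [
    {
      "Target": "example.test/openldap:constructed (ubuntu 22.04)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2022-3602", "PkgName": "openssl", "InstalledVersion": "3.0.5", "FixedVersion": "3.0.7"},
        {"VulnerabilityID": "CVE-2022-3786", "PkgName": "libssl3", "InstalledVersion": "3.0.5", "FixedVersion": "3.0.7"},
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "placeholder", "InstalledVersion": "1.0", "FixedVersion": "1.1"}
      ]
    }
  ]
}'

# Demo over constructed version strings (the curl line mimics an Ubuntu 22.04 curl -V).
for line in 'OpenSSL 3.0.5 5 Jul 2022' \
            'OpenSSL 3.0.7 1 Nov 2022' \
            'OpenSSL 1.1.1q  5 Jul 2022' \
            'curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11'; do
    printf '%-80s %s\n' "$line" "$(openssl_cve_status "$line")"
done

printf 'CVEs of interest in the sample report:\n'
printf '%s\n' "$SAMPLE_TRIVY_JSON" | punycode_cves_in_report
```

On a real host, feed it `openssl version` (or `curl -V | head -n 1`) and, for an image, the JSON written by `trivy image --format json`. The `case` pattern is deliberately exact so that 3.0.10 and later are not mistaken for the affected 3.0.0 to 3.0.6 range.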



  • 5.  RE: openssl CVE-2022-3786 and CVE-2022-3602 (openssl)

    Posted Tue November 29, 2022 05:21 PM
    Janos,

    The information which is contained in the CVE is the extent of the information which IBM is allowed to provide.  There is always a fine balance between providing enough information to inform customers when they need a fix, but not providing enough information to allow attackers to use the CVE to attack the software.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 6.  RE: openssl CVE-2022-3786 and CVE-2022-3602 (openssl)

    Posted Wed November 30, 2022 02:10 AM
    Hello Scott,


    Thanks for reply.  We will consider it.


    ------------------------------
    Janos Laszlo Horvath
    ------------------------------