Key Information

Vulnerability Overview
Multiple vulnerabilities exist in the IBM GSKit component of IBM Spectrum Protect, affecting Virtual Environments: Data Protection for VMware.

Vulnerability Details
CVE-2016-0702: OpenSSL contains a side-channel attack vulnerability that may lead to disclosure of sensitive information.
CVE-2018-1447: GSKit CMS KDB logic fails to properly salt, weakening password protection.
CVE-2016-0705: OpenSSL has a double-free error when parsing DSA private keys, leading to denial of service.
CVE-2017-3732: OpenSSL's x86_64 Montgomery squaring operation contains a carry propagation error, potentially leading to information leakage.
CVE-2017-3736: OpenSSL's bn_sqr8x_internal() function has a carry propagation error, potentially leading to information leakage.
CVE-2018-1428: Encryption algorithms used by IBM GSKit are weaker than expected, potentially allowing sensitive information to be decrypted.
CVE-2018-1427: IBM GSKit contains an environment variable overflow error, potentially leading to denial of service.
CVE-2018-1426: IBM GSKit reuses PRNG state during fork() system calls when loading multiple ICC instances, potentially causing session IDs and key material to be duplicated.

Affected Products and Versions
Versions 8.1.0.0 to 8.1.4.0
Versions 7.1.0.0 to 7.1.8.0

Remediation
Fix links and upgrade recommendations provided for different versions and platforms

Workarounds and Mitigations
No information available

Change History
March 29, 2018 - Initial version released
April 6, 2018 - Minor update for versions 6.4 and below