-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0501
  Security Bulletin: IBM Endpoint Manager 9.1.1065 – OpenSSL Vulnerability
                           Update (CVE-2014-0160)
                               15 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Endpoint Manager
Publisher:         IBM
Operating System:  Red Hat
                   Ubuntu
                   HP-UX
                   AIX
                   VMware ESX Server
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160
Reference:         ASB-2014.0042
                   ESB-2014.0457

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21670161

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Endpoint Manager 9.1.1065 – OpenSSL Vulnerability
Update (CVE-2014-0160)

Document information

More support for:    Tivoli Endpoint Manager
Software version:    Version Independent
Operating system(s): Platform Independent
Reference #:         1670161
Modified date:       2014-04-11

Flash (Alert)

Abstract

A security vulnerability has been discovered in OpenSSL that affects some
products in the IBM Endpoint Manager portfolio.

Content

Vulnerability Details

CVE-ID: CVE-2014-0160

DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error in the TLS/DTLS heartbeat functionality. An
attacker could exploit this vulnerability to expose 64k of private memory
and retrieve secret keys. This vulnerability can be remotely exploited,
authentication is not required and the exploit is not complex. An exploit
can only partially affect confidentiality, but not integrity or
availability.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Warning: We strongly encourage you to take action as soon as possible as
potential implications to your environment may be more serious than
indicated by the CVSS score.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Affected Products and Versions

Platform         9.1.1065
SUA 9.1/SCA 1.4
OSD              3.3
Remote Control

Remediation/Fixes

IEM Platform

IMMEDIATE ACTIONS:

If you are using Endpoint Manager 9.0 or earlier, you are unaffected. You
should delay upgrading to 9.1 until a patch is released. We have removed
the 9.1 upgrade fixlets from BES Support.

If you are using Endpoint Manager 9.1, you can mitigate your exposure to
this vulnerability by taking the following steps until a 9.1 patch is
released:

1) Limit network access to the root server to only trusted hosts.
2) Rotate the server signing key on the root server on a regular basis [a].
3) If any custom HTTPS keys are being used in the root server or web
   reports, those keys should also be rotated.
4) Avoid sending any sensitive data via mailboxes or secure parameters to
   relays or the root server.
5) Consider temporarily disconnecting any internet-facing relays.

The IBM Endpoint Manager team is working on a patch release that will fix
this vulnerability. We will make this patch available as soon as possible,
and we recommend that you make plans to upgrade from 9.1 to the patch
release as soon as it becomes available.

[a] http://www-01.ibm.com/support/docview.wss?uid=swg21669587

Software Use Analysis / Security Compliance Analytics

If you are using SUA 1.x, SUA 2.x/9.x, or SCA with an IEM version earlier
than 9.1, you are unaffected.

If you are using SUA 2.2 Patch 3 (only if deployed on IEM platform 9.1),
SUA 9.1 or SCA (if deployed on IEM platform 9.1), you can mitigate your
exposure to this vulnerability by taking the following steps:

If you have already downloaded the product, we recommend that you not
install it, and delete the packages. If you have already installed it,
follow the recommendations outlined in the security vulnerability note and
apply a patch as soon as it becomes available.

Packages with the vulnerability have already been removed from the IBM
site. A patch will be published shortly.

OS Deployment

MDT Bundle Creator 3.3 is affected by this vulnerability only when using an
https proxy to download packages. Not using a proxy, or downloading the
files ahead of time and caching them, removes the use of OpenSSL and the
related vulnerability. A patch will be released very shortly that disables
the proxy functionality as a remediation measure.

Remote Control

All Endpoint Manager integrated versions of Remote Control are affected by
this vulnerability. Hotfixes will be released as soon as they are
available.

Unaffected Products

The following products are not affected by this vulnerability:

- - Mobile Device Management
- - Software Distribution
- - Server Automation
- - Patch Management
- - Power Management
- - Core Protection
- - Security Configuration Management

Operating System Patch Content

OS Patch streams are being closely monitored and patches will be released
as quickly as possible.
                                  Released Fixlets
                                  ----------------
Red Hat Enterprise Linux 6
CentOS 6
Ubuntu

                                  Not Vulnerable
                                  --------------
Solaris
SUSE Linux Enterprise Server
Windows

                           Pending Update from OS Vendor
                           -----------------------------
ESXi 5
AIX
HP-UX

Reference

Complete CVSS Guide
On-line Calculator V2
OpenSSL Project vulnerability website
Heartbleed

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

11 April 2014: Original Copy Published

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================