Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.2520.2
Security Bulletin: TLS padding vulnerability affects WebSphere
Transformation Extender Secure Adapter Collection (CVE-2014-8730)
23 January 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM WebSphere Transformation Extender Secure Adapter Collection
Publisher: IBM
Operating System: AIX
HP Itanium
HP-UX
Linux variants
Solaris
Windows
Impact/Access: Access Privileged Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Mitigation
CVE Names: CVE-2014-8730
Reference: ESB-2014.2511
ESB-2014.2485
ESB-2014.2484
ESB-2014.2483
ESB-2014.2482
ESB-2014.2480
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21693140
Revision History: January 23 2015: Updated to reference the available fix
December 24 2014: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: TLS padding vulnerability affects WebSphere Transformation
Extender Secure Adapter Collection (CVE-2014-8730)
Document information
More support for:
WebSphere Transformation Extender
Secure Adapter Collection
Software version:
8.4.1.1, 8.4.1.2
Operating system(s):
AIX, HP Itanium, HP-UX, Linux, Linux zSeries, Solaris, Windows
Reference #:
1693140
Modified date:
2015-01-22
Security Bulletin
Summary
Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding
Oracle On Downgraded Legacy Encryption) like attack affects WebSphere
Transformation Extender Secure Adapter Collection.
Vulnerability Details
CVE-ID: CVE-2014-8730
DESCRIPTION:
Product could allow a remote attacker to obtain sensitive information, caused
by the failure to check the contents of the padding bytes when using CBC
cipher suites of some TLS implementations. A remote user with the ability to
conduct a man-in-the-middle attack could exploit this vulnerability via a
POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack to decrypt
sensitive information and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99216 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
WebSphere Transformation Extender Secure Adapter Collection 8.4.1.1 and
8.4.1.2
Remediation/Fixes
Download and install the interim fix for APAR PI32341 from IBM Fix Central.
Installing this fix sets the following environment variables by default:
GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE
GSK_STRICTCHECK_CBCPADBYTES_SSL=GSK_TRUE
Verify that this configuration change does not cause compatibility issues.
Workarounds and Mitigations
To mitigate the vulnerability before you install the fix, set the environment
variables with the following commands:
For WebSphere Transformation Extender Secure Adapters Collection running on
Windows, the commands are:
set GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE
set GSK_STRICTCHECK_CBCPADBYTES_SSL=GSK_TRUE
For WebSphere Transformation Extender Secure Adapters Collection running on
Linux/UNIX/AIX, the commands are:
export GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE
export GSK_STRICTCHECK_CBCPADBYTES_SSL=GSK_TRUE
Before you start WTX, set the environment variables in the shell where WTX
runs.
Environment variables defined in a shell are inherited by any child processes.
To set the environment variables automatically, add the commands to the
profile of the user ID that WebSphere Transformation runs under.
Verify that this configuration change does not cause compatibility issues.
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
References
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
23 December 2014: Original version published.
22 January 2015: Updated to reference the available fix.
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVMGoARLndAQH1ShLAQJMsw/+KlV2i8vedA/TpCJGCL0uUx2rMwQQk+ur
9erBThqUitlMS1NLCj8laYOEj0nWPkd7pcJhpJOpLn+UbtKQ9OHGiJy49oeYuY82
a06TGhxj3vdz9dPNyzyEDvLMJahb4ucsTLfTKZUDixehr3wUpesPwLoNYCEhNxjI
Ru5cYXpbfGcFRRx4oux+tikphzhEDcPcNVvdE9vFD0mEuQfyVrsq5XbNul6c6rz4
ea+cTHozY2HHm6dYIC485y343dT7Xpkdayv8ph6i67HmwygAPl23HxNN1CykYh2F
gV/3Gexxm475V+dOYC0bYUr1RKKC2zRFGxiMS4gaeikCoS5jqvGJdzwuf17Zm6pF
71bcyeMwlTrFpvT0d4nK/MMNlfbtp2HGeAmymm4xCbWuogegy38rYgo7HKUIe4xN
zexT7MRYuVN84KC5hACNAOgBDI/EUwEJAtKBqa3o5NM7J3aaHYI4wX9SMXcBKgkS
DIUwYVyIC6t001ed+ur3J60bDAEMTQFzbtH0+8QlZAd13OKNLpD0gZtq/PrzXc1t
sRhkbNZdu2WNKny1SJzTcBt4RFWJz4uJ/D5IiTDHRQP9wJD9hIwc75NyQovVgNDp
55iOw9/ALDgYILDMynELHGb0HQxe6krg1dzLqzH/G2HOUrisCyAjDhCpcbqG4XMN
dCgIpxwtEBo=
=zYih
-----END PGP SIGNATURE-----