===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1072
 Security Bulletin: Multiple vulnerabilities in Network Time Protocol (NTP)
         affect WebSphere DataPower XC10 Appliance (CVE-2016-5300,
                       CVE-2015-7704, CVE-2015-8138)
                                3 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere DataPower XC10 Appliance
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5300 CVE-2015-8138 CVE-2015-7704
                   CVE-2015-5300  

Reference:         ASB-2016.0046
                   ESB-2016.0177
                   ESB-2015.2694

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21980676

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in Network Time Protocol (NTP)
affect WebSphere DataPower XC10 Appliance (CVE-2016-5300, CVE-2015-7704,
CVE-2015-8138)

Security Bulletin

Document information

More support for:      WebSphere DataPower XC10 Appliance (General)
Software version:      2.1, 2.5
Operating system(s):   Firmware
Reference #:           1980676
Modified date:         2016-04-29

Summary

There are multiple vulnerabilities in the Network Time Protocol (NTP)
implementation used by WebSphere DataPower XC10 Appliance. The vulnerabilities
addressed include the ability to disable the NTP client and to bypass security
restrictions, including the timestamp validation check.

Vulnerability Details

CVEID: CVE-2015-5300

DESCRIPTION: Network Time Protocol (NTP) could allow a remote attacker to bypass
security restrictions, caused by the failure to correctly implement the
threshold limitation for the '-g' option. An attacker could exploit this
vulnerability using man-in-the-middle techniques to intercept NTP traffic and
make multiple steps larger than the panic threshold.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107594 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7704

DESCRIPTION: Network Time Protocol (NTP) is vulnerable to a denial of service,
caused by an error in the rate-limiting mechanism. By sending spoofed
Kiss-o'-Death packets, an attacker could exploit this vulnerability to disable
NTP at a victim client.

CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107446 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2015-8138

DESCRIPTION: NTP could allow a remote attacker to bypass security restrictions.
By sending a specially crafted packet with an origin timestamp of zero, an
attacker could exploit this vulnerability to bypass the timestamp validation
check.

CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110025 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
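As an added illustration (not IBM's or the NTP project's code), the following Python sketch shows the client-side validation that the fixes for CVE-2015-7704 and CVE-2015-8138 amount to: a reply is used only if its origin timestamp is nonzero and equals the transmit timestamp of the request the client has outstanding, and a Kiss-o'-Death code is honoured only under that same condition. The packet layout is the standard 48-byte NTPv4 header; the packets and the OUR_XMT value are constructed here for the demonstration.

```python
import struct
from dataclasses import dataclass

# Standard 48-byte NTPv4 header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then reference/origin/receive/transmit timestamps.
NTP_HDR = struct.Struct("!BBbb II 4s QQQQ")
MODE_SERVER = 4

@dataclass
class NtpReply:
    mode: int
    stratum: int
    refid: bytes
    org: int  # origin timestamp: must echo the transmit timestamp of our request
    xmt: int  # server transmit timestamp

def parse_reply(raw: bytes) -> NtpReply:
    """Parse the fixed 48-byte header (extension fields and MAC are ignored)."""
    if len(raw) < NTP_HDR.size:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, refid, _ref, org, _rec, xmt = \
        NTP_HDR.unpack_from(raw)
    return NtpReply(li_vn_mode & 0x07, stratum, refid, org, xmt)

def is_kiss_of_death(reply: NtpReply) -> bool:
    """Stratum 0 with an ASCII reference ID (e.g. b'RATE') is a Kiss-o'-Death code."""
    return reply.stratum == 0 and reply.refid.isalpha()

def classify_reply(raw: bytes, our_xmt: int) -> str:
    """Return 'accept', 'kod' (honour the rate-limit code) or 'drop' for an
    incoming packet, given the transmit timestamp of our outstanding request.
    The origin check rejects a zero origin (CVE-2015-8138) and lets a KoD
    count only when it provably answers our own request (CVE-2015-7704)."""
    reply = parse_reply(raw)
    if reply.mode != MODE_SERVER:
        return "drop"
    if reply.org == 0 or reply.org != our_xmt:  # unsolicited or spoofed
        return "drop"
    return "kod" if is_kiss_of_death(reply) else "accept"

def build_packet(stratum: int, refid: bytes, org: int, xmt: int) -> bytes:
    """Constructed server-mode NTPv4 test packet, not captured traffic."""
    li_vn_mode = (4 << 3) | MODE_SERVER  # LI=0, VN=4, mode=4
    return NTP_HDR.pack(li_vn_mode, stratum, 6, -20, 0, 0, refid, 0, org, 0, xmt)

OUR_XMT = 0xDCA4000012345678  # constructed transmit timestamp of our last request

if __name__ == "__main__":
    print(classify_reply(build_packet(0, b"RATE", 0, OUR_XMT + 1), OUR_XMT))  # drop
```

The same origin-timestamp comparison is what makes a genuine server reply pass while an unsolicited packet, with or without a KoD code, is discarded before it can influence the client.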

Affected Products and Versions

WebSphere DataPower XC10 Appliance Version 2.1

WebSphere DataPower XC10 Appliance Version 2.5

Remediation/Fixes

Apply an interim fix, according to the table below.

Interim fixes are associated with the original APAR that is documented in the
table. Because these APAR references might be updated to more recent APARs,
see the links in the table for the most recent interim fix information.

This interim fix contains a new default SSL certificate, because the previous
default SSL certificate, which was never intended for production use, has an
MD5 signature and is no longer compatible with Java. As a result, an appliance
with this interim fix installed is incompatible with any WebSphere DataPower
XC10 appliance that is still running with an MD5 certificate, including the
default SSL certificate shipped prior to this interim fix. If the appliance is
configured with a custom keystore and certificate with an MD5 signature, the
certificate must be replaced before upgrading to this interim fix, or the
'clear-tls-config' command must be run on the appliance before or after
performing the upgrade. Failing to do so will result in the appliance failing
to start. Note that changing the active certificate for an appliance
collective requires that the cache be reloaded, and client truststores must be
configured to trust the new certificate.

Product:             WebSphere DataPower XC10 Appliance V2.1 on appliance 9235-92X
Version:             2.1
APAR:                IT14471
Link to interim fix: Refer to the Version 2.1 table in Recommended fixes for
                     WebSphere DataPower XC10 Appliance.

Product:             WebSphere DataPower XC10 Appliance V2.1 on appliance 7199-92X
Version:             2.1
APAR:                IT14471
Link to interim fix: Refer to the Version 2.1 table in Recommended fixes for
                     WebSphere DataPower XC10 Appliance.

Product:             WebSphere DataPower XC10 Appliance V2.5 on appliance 7199-92X
Version:             2.5
                     Important: See the More information link and follow the
                     instructions to determine whether you have an old or a
                     newer SSD driver on your appliance, using the
                     show ssd-version command.
APAR:                IT14471
Link to interim fix: Refer to the Version 2.5 table in Recommended fixes for
                     WebSphere DataPower XC10 Appliance.

Product:             WebSphere DataPower XC10 Appliance V2.5 virtual image
Version:             2.5
APAR:                IT14471
Link to interim fix: Refer to the Version 2.5 table in Recommended fixes for
                     WebSphere DataPower XC10 Appliance.

Workarounds and Mitigations

There is no workaround. The interim fix must be applied to correct the
problem.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

29 Apr 2016: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================