APAR status
Closed as program error.
Error description
DataPower change to prevent the SSL/TLS man-in-the-middle (MitM) renegotiation attack, known as CVE-2009-3555. This change prevents SSL renegotiations from occurring.
Local fix
Use mutual or client authentication until the new firmware can be installed.
Problem summary
*******************************************************
* USERS AFFECTED: All IBM WebSphere DataPower SOA Appliance
* Users.
******************************************************
* PROBLEM DESCRIPTION:
*****************************************************
* RECOMMENDATION: Apply fixpacks 3.7.1.12, 3.7.2.8, 3.7.3.7,
* 3.8.0.1 or superseding fix packs.
******************************************************
A recently discovered vulnerability in the renegotiation feature of the SSL and TLS protocols allows a man-in-the-middle to splice a handshake of its own in front of a legitimate client's handshake, so that data the attacker sent is delivered to the server as the beginning of the client's session. In effect the attacker can inject an arbitrary string into the SSL session. This vulnerability is commonly referred to as the SSL Man-in-the-Middle (MITM) attack or CVE-2009-3555.
Problem conclusion
The DataPower SSL server implementation is not vulnerable to either form of the attack when SSL client authentication is in use, because the implementation requires client authentication immediately, in the first SSL handshake. The stronger form of the attack targets SSL server implementations that only request a client certificate in a renegotiation handshake after seeing the request URL, which lets the attacker's injected request be processed under the victim's client-certificate identity; DataPower never renegotiates for that purpose, and an attacker without a valid client certificate cannot complete the first handshake at all.

However, when client authentication is not used, the DataPower SSL server implementation is vulnerable to the weaker form of the attack. This weaker form is limited: the attacker can only prepend data to the attacked client's initial HTTP request, and so can only steal HTTP headers from that initial request. Most HTTP clients do not send authentication credentials in the initial HTTP request headers; they wait for a challenge from the HTTP server (an HTTP 401 or 407 status) before sending credentials, and clients that behave this way are not exposed by the weaker form of attack. Note that a session cookie, which browsers send unprompted on every request, is a header of the initial request and is therefore within reach of the weaker form.

To confirm whether your appliance uses SSL client authentication, look at the reverse (server) Crypto Profile of the SSL Proxy Profile in question. If it contains a Validation Credentials object, client authentication is in use. See this technote for more information: http://www.ibm.com/support/docview.wss?uid=swg21410851
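The distinction above turns on one observable fact: whether the server asks for a client certificate in its first handshake flight. The following is an added example, not code from this APAR or from DataPower, that checks a captured server flight (the bytes the server sends after ClientHello) for a CertificateRequest message, and additionally for the renegotiation_info extension (type 0xff01) of RFC 5746, which goes beyond this page but is the standard signal that a server supports secure renegotiation. The sample flights at the bottom are constructed by hand, not real captures; the exposure() wording is this example's reading of the APAR text, not an IBM classification.

```python
import struct

# TLS constants (RFC 5246 / RFC 5746)
CT_HANDSHAKE = 0x16
HS_SERVER_HELLO = 2
HS_CERTIFICATE_REQUEST = 13
HS_SERVER_HELLO_DONE = 14
EXT_RENEGOTIATION_INFO = 0xFF01


def tls_records(data):
    """Split a byte string into TLS records: yields (content_type, version, payload)."""
    off = 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, ver, body
        off += 5 + length


def handshake_messages(data):
    """Reassemble the handshake record stream (messages may span or share records)
    and yield (msg_type, body) for each handshake message."""
    buf = b"".join(p for t, _, p in tls_records(data) if t == CT_HANDSHAKE)
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated handshake header")
        mtype = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        yield mtype, body
        off += 4 + length


def server_hello_extensions(body):
    """Return {extension_type: data} from a ServerHello body ({} if it has no extensions)."""
    off = 2 + 32                 # server_version + random
    off += 1 + body[off]         # session_id (length-prefixed)
    off += 2 + 1                 # cipher_suite + compression_method
    exts = {}
    if off >= len(body):
        return exts
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        exts[etype] = body[off:off + elen]
        off += elen
    return exts


def assess_first_flight(data):
    """Does the server demand client auth up front, and does it signal RFC 5746?"""
    msgs = list(handshake_messages(data))
    sh = next((b for t, b in msgs if t == HS_SERVER_HELLO), None)
    if sh is None:
        raise ValueError("no ServerHello in capture")
    return {
        "client_auth_in_first_handshake": any(t == HS_CERTIFICATE_REQUEST for t, _ in msgs),
        "secure_renegotiation": EXT_RENEGOTIATION_INFO in server_hello_extensions(sh),
    }


def exposure(result):
    """This example's reading of the APAR text (the RFC 5746 branch is beyond the page)."""
    if result["client_auth_in_first_handshake"]:
        return "client auth required in the initial handshake: neither form of the attack applies"
    if result["secure_renegotiation"]:
        return "no client auth, but server signals RFC 5746 secure renegotiation"
    return "no client auth and no secure-renegotiation signal: weaker form of attack possible"


# --- constructed sample flights (hand-built for this example, not real captures) ---
def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def _record(body, ctype=CT_HANDSHAKE, ver=0x0301):
    return struct.pack("!BHH", ctype, ver, len(body)) + body


def _server_hello(with_reneg_info):
    # TLS 1.0, fixed random, empty session id, TLS_RSA_WITH_AES_128_CBC_SHA, null compression
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if with_reneg_info:
        ext = struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00"  # empty renegotiated_connection
        body += struct.pack("!H", len(ext)) + ext
    return _hs(HS_SERVER_HELLO, body)


CERT_REQUEST = _hs(HS_CERTIFICATE_REQUEST, b"\x01\x01\x00\x00")  # one type (rsa_sign), empty CA list
SAMPLE_CLIENT_AUTH = _record(_server_hello(False)) + _record(CERT_REQUEST) + _record(_hs(HS_SERVER_HELLO_DONE, b""))
SAMPLE_NO_CLIENT_AUTH = _record(_server_hello(False) + _hs(HS_SERVER_HELLO_DONE, b""))  # two messages, one record
SAMPLE_RFC5746 = _record(_server_hello(True)) + _record(_hs(HS_SERVER_HELLO_DONE, b""))

if __name__ == "__main__":
    for name, flight in (("client-auth", SAMPLE_CLIENT_AUTH), ("no-client-auth", SAMPLE_NO_CLIENT_AUTH), ("rfc5746", SAMPLE_RFC5746)):
        print(name, "->", exposure(assess_first_flight(flight)))
```

To use it against a real appliance, capture the server's reply to a ClientHello (for example the first server-to-client TLS records from a packet capture) and pass those bytes to assess_first_flight(); the parser stops at the first ServerHello it finds, so trailing records after ServerHelloDone are harmless. A CertificateRequest in that flight is the same fact the text asks you to confirm from the reverse Crypto Profile, observed on the wire instead of in the configuration.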
Temporary fix
Use mutual or client authentication until new firmware is installed.
Comments
APAR Information
APAR number
IC64790
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
373
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-11-24
Closed date
2009-12-18
Last modified date
2010-01-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DATAPOWER
Fixed component ID
DP1234567
Applicable component levels
R371 PSY
UP
R372 PSY
UP
R373 PSY
UP
R380 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9H2Y","label":"IBM DataPower Gateway"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.7.3","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
11 February 2022