IC76651: AVOID POTENTIAL ATTACK AGAINST XML ENCRYPTION.
Closed as program error.
A vulnerability exists in XML Encryption and other uses of CBC-mode encryption, related to the handling of error messages issued by or subsequent to decryption.
To prevent this attack without installing this APAR, you can:
- Digitally sign the encrypted request message using XML Digital Signatures or Message Authentication/Integrity Codes (MACs).
- Ensure that all responses after encountering an error are indistinguishable from each other, which is a simpler approach.
Providing indistinguishable errors hardens a service against this attack with minimal configuration changes. Please refer to the TechNote on this APAR for specific details.
Error messages emitted during or subsequent to decryption can reveal cryptographic state.
A new property, "rewrite-errors", is added to XML Firewall, MPGW and WS-Proxy to control whether errors subsequent to decryption are replaced by a generic fault. By default, this property is enabled. The property can be controlled via the WebGUI, on the "XML Threat Protection" tab of the configuration screen for each of the above services. This fix is available in 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, and 220.127.116.11.
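As an added illustration (not IBM's code and not the DataPower implementation), the following Python models both mitigations the APAR names: a MAC checked before any decryption is attempted, and a rewrite-errors switch that collapses every failure after the integrity check into one generic fault. The Feistel block cipher is an assumed stand-in for AES so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import os
BLOCK = 16

class BadPadding(Exception): pass  # distinct error types are the oracle the APAR describes
class BadMac(Exception): pass

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte Feistel cipher: an assumed stand-in for AES so this runs on the stdlib alone.
def _feistel(key, block, rounds):
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return r + l

def cbc_encrypt(key, plaintext):
    pad = BLOCK - len(plaintext) % BLOCK  # PKCS#7 padding
    data, iv = plaintext + bytes([pad]) * pad, os.urandom(BLOCK)
    prev, out = iv, b""
    for i in range(0, len(data), BLOCK):
        prev = _feistel(key, _xor(data[i:i + BLOCK], prev), range(4))
        out += prev
    return iv + out

def cbc_decrypt(key, blob):
    out = b""
    for i in range(BLOCK, len(blob), BLOCK):
        out += _xor(_feistel(key, blob[i:i + BLOCK], reversed(range(4))), blob[i - BLOCK:i])
    pad = out[-1]
    if not 1 <= pad <= BLOCK or out[-pad:] != bytes([pad]) * pad:
        raise BadPadding()
    return out[:-pad]

def encrypt_and_sign(key, mac_key, plaintext):
    blob = cbc_encrypt(key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def handle(key, mac_key, msg, require_mac=True, rewrite_errors=True):
    """Fault string the sender sees. require_mac models the signing/MAC mitigation,
    rewrite_errors the APAR's generic-fault property."""
    try:
        blob, tag = msg[:-32], msg[-32:]
        if require_mac and not hmac.compare_digest(tag, hmac.new(mac_key, blob, hashlib.sha256).digest()):
            raise BadMac()
        return "OK:" + cbc_decrypt(key, blob).decode("ascii")  # post-decryption processing
    except Exception as exc:
        return "FAULT" if rewrite_errors else "FAULT:" + type(exc).__name__
```

With both switches off, a corrupted message produces a different fault depending on which byte was altered; with either mitigation on, every corrupted message produces the same fault.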