Fixes are available
Fix packs for DataPower Low Latency Appliance version 3.8.2
Fix packs for DataPower XML Security Gateway appliances version 4.0.1
Fix packs for DataPower XML Accelerator appliances version 4.0.1
Fix packs for DataPower Integration appliances version 4.0.1
Fix packs for DataPower B2B appliances version 4.0.1
Fix packs for DataPower Low Latency Appliance version 4.0.1
Fix packs for DataPower XML Accelerator appliances version 3.8.2
Fix packs for DataPower XML Security Gateway appliances version 3.8.2
Fix packs for DataPower Integration appliances version 3.8.2
Fix packs for DataPower B2B Appliance XB60 version 3.8.2
Closed as program error.
A vulnerability exists in XML Encryption and other uses of CBC-mode encryption, related to the handling of error messages issued by or subsequent to decryption.
To prevent this attack without installing this APAR, you can: - Digitally sign the encrypted request message using XML Digital Signatures or Message Authentication/Integrity Codes (MACs). - Ensure that all responses after encountering an error are indistinguishable from each other, which is a simpler approach. Providing indistinguishable errors hardens a service against this attack with minimal configuration changes. Please refer to the TechNote on this APAR for specific details
Error messages emitted during or subsequent to decryption can reveal cryptographic state.
A new property, "rewrite-errors" is added to XML Firewall, MPGW and WS-Proxy to control whether errors subsequent to decryption are replaced by a generic fault. By default, this property is enabled. The property can be controlled via the WebGUI, on the "XML Threat Protection" tab of the configuration screen for each of the above services. This fix is available in 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, and 188.8.131.52.
Reported component name
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
Fixed component ID
Applicable component levels