IC76651: AVOID POTENTIAL ATTACK AGAINST XML ENCRYPTION.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • A vulnerability exists in XML Encryption and other uses of
    CBC-mode encryption, related to the handling of error messages
    issued by or subsequent to decryption.
    

Local fix

  • To prevent this attack without installing this APAR, you can:
    
    
    -  Digitally sign the encrypted request message using XML
    Digital Signatures or Message Authentication/Integrity Codes
    (MACs).
    -  Ensure that all responses after encountering an error are
    indistinguishable from each other, which is a simpler approach.
    Providing indistinguishable errors hardens a service against
    this attack with minimal configuration changes.
    
    Please refer to the TechNote on this APAR for specific details
    

Problem summary

  • Error messages emitted during or subsequent to decryption
    can reveal cryptographic state.
    

Problem conclusion

  • A new property, "rewrite-errors" is added to XML Firewall,
    MPGW and WS-Proxy to control whether errors subsequent to
    decryption are replaced by a generic fault.  By default, this
    property is enabled.
    
    
    The property can be controlled via the WebGUI, on the "XML
    Threat Protection" tab of the configuration screen for each of
    the above services.
    
    This fix is available in 3.7.3.19, 3.8.0.13, 3.8.1.12, 3.8.2.4,
    and 4.0.1.0.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC76651

  • Reported component name

    DATAPOWER

  • Reported component ID

    DP1234567

  • Reported release

    381

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-05-27

  • Closed date

    2011-06-20

  • Last modified date

    2011-06-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DATAPOWER

  • Fixed component ID

    DP1234567

Applicable component levels

  • R373 PSY

       UP

  • R380 PSY

       UP

  • R381 PSY

       UP

  • R382 PSY

       UP



Rate this page:

(0 users)Average rating

Document information


More support for:

WebSphere DataPower SOA Appliances
General

Software version:

3.8.1

Reference #:

IC76651

Modified date:

2011-06-29

Translate my page

Machine Translation

Content navigation