IBM Support

IT10701: JWE DECRYPT ACTION AND GATEWAYSCRIPT CRYPTO AND JOSE MODULES MIGHT BE VULNERABLE TO THE PADDING ORACLE ATTACK

APAR status

  • Closed as program error.

Error description

  • The JWE decrypt action and GatewayScript crypto and JOSE modules
    might be vulnerable to the padding oracle attack in some
    scenarios.  Any decryption operation that uses these components
    might face this security exposure.
    

Local fix

  • Sign the encrypted data, and put a verify operation before the
    decrypt operation.
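
The local fix above, sketched as an added example that is not IBM's code and does not use DataPower's GatewayScript APIs. It assumes Node.js `crypto`, uses an HMAC-SHA256 tag as the "signature", and the keys, function names and sample message are constructed for illustration.

```javascript
// Added example: Node.js crypto, not the DataPower crypto or JOSE modules.
const crypto = require('crypto');

// Constructed demo keys; encryption and MAC use separate keys.
const ENC_KEY = crypto.randomBytes(32);
const MAC_KEY = crypto.randomBytes(32);

// Sender: AES-256-CBC encrypt, then HMAC-SHA256 over IV || ciphertext.
function encryptThenMac(plaintext) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', ENC_KEY, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = crypto.createHmac('sha256', MAC_KEY).update(iv).update(ct).digest();
  return Buffer.concat([iv, ct, tag]);
}

// Receiver: verify first, and run the decrypt only when the tag matches,
// so modified ciphertext never reaches the padding check.
function verifyThenDecrypt(message) {
  const rejected = { ok: false, error: 'rejected' };
  if (message.length < 16 + 16 + 32) return rejected; // IV + one block + tag
  const iv = message.subarray(0, 16);
  const ct = message.subarray(16, message.length - 32);
  const tag = message.subarray(message.length - 32);
  const expected = crypto.createHmac('sha256', MAC_KEY).update(iv).update(ct).digest();
  // Constant-time compare; both buffers are 32 bytes, so this cannot throw.
  if (!crypto.timingSafeEqual(tag, expected)) return rejected;
  try {
    const decipher = crypto.createDecipheriv('aes-256-cbc', ENC_KEY, iv);
    const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
    return { ok: true, plaintext: pt.toString('utf8') };
  } catch (e) {
    // Same generic result as a failed verify: no distinct padding error.
    return rejected;
  }
}

// Test helper: return a copy of the message with one bit flipped.
function flipBit(message, offset) {
  const copy = Buffer.from(message);
  copy[offset] ^= 0x01;
  return copy;
}
```

Every failure path returns the same generic result, so a caller cannot distinguish a failed verify from a failed decrypt.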
    

Problem summary

  • Affects users who decrypt untrusted data using either the JWE
    decrypt action or GatewayScript programs that perform decrypt
    operations that use the crypto or JOSE modules.
    
    The JWE decrypt action and GatewayScript crypto and JOSE modules
    may be vulnerable to the 'padding oracle attack' in some
    scenarios.
    Any decryption operation that uses these components faces this
    security exposure.
    

Problem conclusion

  • Fix is available in 7.2.0.1
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT10701

  • Reported component name

    DATAPOWER

  • Reported component ID

    DP1234567

  • Reported release

    720

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-08-17

  • Closed date

    2015-10-27

  • Last modified date

    2015-10-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DATAPOWER

  • Fixed component ID

    DP1234567

Applicable component levels

  • R720 PSY UP



Document information

More support for: IBM DataPower Gateways
General

Software version: 7.2

Reference #: IT10701

Modified date: 27 October 2015