A fix is available
APAR status
Closed as program error.
Error description
The JWE decrypt action and the GatewayScript crypto and JOSE modules might be vulnerable to a padding oracle attack in some scenarios. Any decryption operation that uses these components might face this security exposure.
Local fix
Sign the encrypted data, and put a verify operation before the decrypt operation.
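The local fix above (verify before decrypt), sketched as an added example in Node.js; it is not IBM's code and does not use the GatewayScript crypto or JOSE APIs. AES-256-CBC, HMAC-SHA256 as the signature, the demo keys and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed demo keys (assumption): one for encryption, one for the signature.
const encKey = crypto.randomBytes(32);
const macKey = crypto.randomBytes(32);

const sign = (iv, ct) =>
  crypto.createHmac('sha256', macKey).update(iv).update(ct).digest();

// Sender: encrypt, then sign IV and ciphertext together.
function protect(plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: sign(iv, ct) };
}

function rawDecrypt(msg) {
  const d = crypto.createDecipheriv('aes-256-cbc', encKey, msg.iv);
  return Buffer.concat([d.update(msg.ct), d.final()]).toString('utf8');
}

// Receiver without the fix: the outcome reveals whether the padding was valid.
function decryptOnly(msg) {
  try { rawDecrypt(msg); return 'ok'; } catch (e) { return 'padding-error'; }
}

// Receiver with the fix: verify in constant time, decrypt only on a match.
function verifyThenDecrypt(msg) {
  const expected = sign(msg.iv, msg.ct);
  if (msg.tag.length !== expected.length ||
      !crypto.timingSafeEqual(msg.tag, expected)) {
    return { ok: false, error: 'rejected' };
  }
  return { ok: true, plaintext: rawDecrypt(msg) };
}

// Constructed tampering: changing the last IV byte corrupts the padding byte
// of a single-block message.
function tamper(msg) {
  const iv = Buffer.from(msg.iv);
  iv[15] ^= 0x01;
  return { iv, ct: msg.ct, tag: msg.tag };
}

const msg = protect('hello');
console.log(decryptOnly(tamper(msg)));        // padding failure is observable
console.log(verifyThenDecrypt(tamper(msg)));  // rejected before any decryption
console.log(verifyThenDecrypt(msg));
```

With the verify step in front, modified input always produces the same rejection, so the decrypt operation never processes data that did not come from the signer.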
Problem summary
Affects users who decrypt untrusted data using either the JWE decrypt action or GatewayScript programs that perform decrypt operations with the crypto or JOSE modules. The JWE decrypt action and the GatewayScript crypto and JOSE modules may be vulnerable to a padding oracle attack in some scenarios. Any decryption operation that uses these components faces this security exposure.
Problem conclusion
Fix is available in 7.2.0.1
Temporary fix
Comments
APAR Information
APAR number
IT10701
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
720
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-08-17
Closed date
2015-10-27
Last modified date
2015-10-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DATAPOWER
Fixed component ID
DP1234567
Applicable component levels
R720 PSY
UP
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS9H2Y","label":"IBM DataPower Gateways"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.2"}]
Document Information
Modified date:
26 September 2021