IBM Support

IT15454: VULNERABILITIES IN THE SSL COMPONENT OF IBM DATAPOWER GATEWAYS.

Fixes are available

Fix packs for DataPower Service Gateway version 7.0
Fix packs for DataPower B2B Appliance version 7.0
Fix packs for DataPower Integration Appliance version 7.0
Fix packs for DataPower Gateway version 7.1
Fix packs for DataPower Gateway version 7.2
Fix packs for DataPower Gateway version 7.5
Fix packs for DataPower Gateway version 7.5.1

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Multiple vulnerabilities in SSL were announced on May 3rd, 2016.

Memory corruption in the ASN.1 encoder (CVE-2016-2108)
Padding oracle in attack could allow traffic to be decrypted
(CVE-2016-2107)
Possible encoding or encryption overflow (CVE-2016-2105,
CVE-2016-2106)
Possible excessive memory allocation (CVE-2016-2109)
Possible memory overread (CVE-2016-2176)

Local fix

  • 



Problem summary


    

  • Multiple vulnerabilities in SSL were announced on May 3rd, 2016.
Memory corruption in the ASN.1 encoder (CVE-2016-2108)
Padding oracle in attack could allow traffic to be decrypted
(CVE-2016-2107)
Possible encoding or encryption overflow (CVE-2016-2105,
CVE-2016-2106)
Possible excessive memory allocation (CVE-2016-2109)
Possible memory overread (CVE-2016-2176)

    



Problem conclusion


    

  • Fixes are available in 7.0.0.14, 7.1.0.11, 7.2.0.7, 7.5.0.2 and
7.5.1.1

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT15454
    • 

  • Reported component name
    DATAPOWER
    • 

  • Reported component ID
    DP1234567
    • 

  • Reported release
    720
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2016-05-25
    • 

  • Closed date
    2016-07-21
    • 

  • Last modified date
    2016-07-21
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Modules/Macros


    

  • None
0

    



Fix information


    

  • Fixed component name
    DATAPOWER
    • 

  • Fixed component ID
    DP1234567
    • 



Applicable component levels


    

  • R751  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9H2Y","label":"IBM DataPower Gateway"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            11 February 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback