IBM Support

JR45071: SECURITY APAR CVE-2012-5785 - SSL CONNECTION VULNERABLE TO MAN-IN-THE-MIDDLE-ATTACK


APAR status

  • Closed as program error.

Error description

  • A Secure Sockets Layer (SSL) connection can be established
    without host name verification, which can make the connection
    vulnerable to a man-in-the-middle attack.
    

Local fix

Problem summary

  • While obtaining an SSL connection, the IBM Business Process
    Management (BPM) system does not validate the host name of the
    target connection against the SubjectDN of the certificate. This
    situation can make the connection vulnerable to a
    man-in-the-middle attack.
    
    CVE ID: 2012-5785
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79830
    for the current score.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
    

Problem conclusion

  • To eliminate the man-in-the-middle exposure, apply Interim Fixes
    JR45329, JR45216, and JR45071, or apply a Fix Pack that contains
    these APARs. These changes verify the host name against the
    certificate SubjectDN value. Using the following links, download
    the interim fixes from IBM Fix Central for IBM Integration
    Designer, Business Space (IBM Business Monitor) and your
    applicable IBM Business Process Manager product:
    
        IBM Integration Designer: APAR JR45329
        Business Space: APAR JR45216
        IBM Business Process Manager Standard: APAR JR45071
        IBM Business Process Manager Express: APAR JR45071
        IBM Business Process Manager Advanced: APAR JR45071
    
    
    If a system is incorrectly configured, enabling host name
    validation can result in the following error message:
    HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector
    executeWithRetry I/O exception (javax.net.ssl.SSLException)
    caught when processing request: hostname in certificate didn't
    match: <certificatehostname> != <targethostname>
    
    You can rectify this error by making sure that the presented
    certificate's SubjectDN matches the target host name.
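The check the fix introduces, shown as an added example in Python (not IBM's code): a host name matcher over certificates in the dict shape Python's ssl.getpeercert() returns, with constructed sample certificates and host names; all function and variable names here are assumptions for illustration.

```python
"""Host name verification against a server certificate (added example, not
IBM code). Certificates below are constructed in the dict shape returned by
ssl.SSLSocket.getpeercert(); the check is the one the APAR's fix adds: the
client must confirm the presented certificate names the host it meant to reach.
"""


def _label_match(pattern: str, host: str) -> bool:
    """Match one certificate name against the target host, case-insensitively.

    A '*' is accepted only as the whole left-most label (RFC 6125 style),
    so 'a.*.example.com' and '*.com' never match anything.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, host: str) -> bool:
    """True only if the certificate was issued for `host`.

    dNSName SANs take precedence; the SubjectDN CN is consulted only when
    the certificate carries no dNSName entry at all.
    """
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_label_match(n, host) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _label_match(value, host):
                return True
    return False


# Constructed samples: a certificate for the intended BPM host, and a valid,
# CA-signed certificate for some other host. Without the check above the
# second one is accepted too, which is the man-in-the-middle the APAR describes.
TARGET_HOST = "bpm.example.com"
LEGIT_CERT = {
    "subject": ((("commonName", "bpm.example.com"),),),
    "subjectAltName": (("DNS", "bpm.example.com"), ("DNS", "*.internal.example.com")),
}
OTHER_HOST_CERT = {
    "subject": ((("commonName", "other-service.example.com"),),),
    "subjectAltName": (("DNS", "other-service.example.com"),),
}
```

A client that trusts the CA but skips this comparison accepts OTHER_HOST_CERT for TARGET_HOST; the fixed client rejects it with the "hostname in certificate didn't match" error quoted above.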
    

Temporary fix

  • Not applicable
    

Comments

APAR Information

  • APAR number

    JR45071

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    801

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-12-10

  • Closed date

    2014-11-20

  • Last modified date

    2014-11-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    JR45216 JR45329

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R750 PSY

       UP

  • R751 PSY

       UP

  • R800 PSY

       UP

  • R801 PSY

       UP


Document Information

Modified date:
11 October 2021