Fixes are available
APAR status
Closed as program error.
Error description
A Secure Sockets Layer (SSL) connection can be established without host name verification, which can make the connection vulnerable to a man-in-the-middle attack.
Local fix
Problem summary
While obtaining an SSL connection, the IBM Business Process Management (BPM) system does not validate the host name of the target connection against the SubjectDN of the certificate. This situation can make the connection vulnerable to a man-in-the-middle attack.
CVE ID: 2012-5785
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79830 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Problem conclusion
To eliminate a man-in-the-middle attack, apply Interim Fixes JR45329, JR45216, and JR45071, or apply a Fix Pack that contains these APARs. These changes verify the host name against the certificate SubjectDN value. Using the following links, download the interim fixes from IBM Fix Central for IBM Integration Designer, Business Space (IBM Business Monitor) and your applicable IBM Business Process Manager product:
IBM Integration Designer: APAR JR45329
Business Space: APAR JR45216
IBM Business Process Manager Standard: APAR JR45071
IBM Business Process Manager Express: APAR JR45071
IBM Business Process Manager Advanced: APAR JR45071
If a system is incorrectly configured, enabling host name validation can result in the following error message:
HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry I/O exception (javax.net.ssl.SSLException) caught when processing request: hostname in certificate didn't match: <certificatehostname> != <targethostname>
You can rectify this error by making sure the presented certificate SubjectDN matches the target host name.
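As an added illustration of the check the interim fixes introduce (example code written for this page, not IBM's or Apache HttpClient's implementation): the function below extracts the CN from a SubjectDN string and matches it against the target host name, reporting a mismatch in the same form as the error message above. The certificate values are constructed, and the handling of dNSName SAN entries goes beyond what the APAR describes.

```python
from typing import Optional, Tuple

# Constructed certificate subject for illustration; not a value from the APAR.
EXAMPLE_SUBJECT_DN = "CN=bpm.example.com, OU=BPM, O=Example Corp, C=US"


def common_name(subject_dn: str) -> Optional[str]:
    """Return the CN attribute of an RFC 2253-style SubjectDN string, or None."""
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


def name_matches(pattern: str, host: str) -> bool:
    """RFC 2818-style match: case-insensitive, '*' only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    # Refuse wildcards that would cover a whole top-level domain, e.g. "*.com".
    if "." not in suffix:
        return False
    first, _, rest = host.partition(".")
    # The wildcard stands for exactly one non-empty label, so "*.example.com"
    # accepts "bpm.example.com" but not "example.com" or "a.b.example.com".
    return bool(first) and rest == suffix


def verify_hostname(subject_dn: str, target_host: str,
                    san_dns: Tuple[str, ...] = ()) -> Tuple[bool, str]:
    """Check target_host against the certificate names.

    Returns (True, "") on a match, otherwise (False, message) with the message
    in the same form as the SSLException text quoted in the APAR.
    """
    # Beyond the APAR text: when dNSName SANs are present they are authoritative
    # and the CN is ignored (RFC 6125); otherwise fall back to the SubjectDN CN.
    candidates = list(san_dns) if san_dns else [common_name(subject_dn) or ""]
    for candidate in candidates:
        if candidate and name_matches(candidate, target_host):
            return True, ""
    shown = candidates[0] or "no CN"
    return False, f"hostname in certificate didn't match: <{shown}> != <{target_host}>"
```

When a deployment hits the error quoted above, comparing the CN (or SAN entries) of the presented certificate with the host name in the target URL this way shows exactly which value has to be corrected.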
Temporary fix
Not applicable
Comments
APAR Information
APAR number
JR45071
Reported component name
BPM ADVANCED
Reported component ID
5725C9400
Reported release
801
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-12-10
Closed date
2014-11-20
Last modified date
2014-11-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
JR45216 JR45329
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
R750 PSY
UP
R751 PSY
UP
R800 PSY
UP
R801 PSY
UP
Document Information
Modified date:
11 October 2021