IBM Support

Critical updates for IBM DataPower Gateways

Flash (Alert)


Abstract

This document lists the critical updates and HIPER (Highly Pervasive) APAR fixes that should be applied to IBM DataPower Gateways (formerly referred to as WebSphere DataPower SOA Appliances).

Content

This document is kept current to provide you with the latest information. You can monitor for updates to this document using My Notifications. Important support information is also posted on Twitter.
This document describes Critical Actions you should take to mitigate or prevent problems, and Critical Updates (including HIPER APARs, which are APARs where the problem is Highly Pervasive), along with circumventions where possible.

Table of contents:

Part 1. Critical Actions

Part 2. Critical Updates




Critical Actions



Important: Create a privileged user id as a backup for the "admin" user id. This will allow you to reset the "admin" user id's password in case that password is lost or forgotten, or in case the "admin" id is locked out.

The lockout duration feature was added to increase the security of the appliance. APAR IC65339 reports a problem where the "admin" id is locked out when an incorrect password is entered multiple times for this id, and the "admin" id continues to be locked out after the lockout duration has expired. Another privileged user id can reset the "admin" id's password regardless of whether the APAR fix is applied.

See: "admin" password lost or forgotten for IBM WebSphere DataPower SOA Appliances




Critical Updates


Important:


01/07/2015: Critical updates: Apply fix packs.

APAR: IT06055
Symptom: CVE-2014-8730 - STRICTLY ENFORCE VERIFYING TLS BLOCK CIPHER PADDING
Users Affected: Customers vulnerable to CVE-2014-8730
Circumvention: Apply fix packs 7.0.0.4, 7.1.0.2
Resolution: Fixpacks: 7.1.0.x, 7.0.0.x

Symptom: CVE-2014-8730 - VULNERABILITY IN TRANSPORT LAYER SECURITY (TLS) PADDING AFFECTS IBM SECURITY ACCESS MANAGER FOR DATAPOWER
Users Affected: Customers vulnerable to CVE-2014-8730 when using IBM Security Access Manager for DataPower version 8.0.0.5
Circumvention: Apply fix packs 7.1.0.2
http://www-01.ibm.com/support/docview.wss?uid=swg21692934
Resolution: 7.1.0.x


06/19/2014: Critical updates: Apply fix packs.

APAR: IT02314
Symptom: CVE-2014-0224 - VULNERABILITY IN SSL CHANGECIPHERSPEC PROCESSING
Users Affected: Customers vulnerable to CVE-2014-0224
Circumvention: Apply fix packs 7.1.0.2
http://www-01.ibm.com/support/docview.wss?uid=swg21692934
Resolution: Fixpacks: 7.1.0.x

Document information

More support for: IBM DataPower Gateways
General

Software version: 7.0.0, 7.1, 7.2, 7.5, 7.5.1

Operating system(s): Firmware

Reference #: 1390112

Modified date: 19 September 2016