Notice of security vulnerabilities that impact TPM for OSd / TPM for Images 7.1.1.X, along with instructions to resolve the issues.
Resolving the problem
1. PKCS#12 Trust Anchor Insertion Vulnerability (CVE-2012-2203)
2. GSKit SID Length Vulnerability (CVE-2012-2190)
3. GSKit Encrypted Record Length Vulnerability (CVE-2012-2191)
CVE ID: CVE-2012-2203
IBM Global Security Kit (aka GSKit) before 184.108.40.206 uses the PKCS #12 file format for certificate objects without enforcing file integrity, which makes it easier for remote attackers to spoof SSL servers.
CVE ID: CVE-2012-2190
When a client attempts to establish an SSL/TLS connection, the client and server negotiate which cipher suite to use and whether to trust each other. This negotiation is called the "handshake". TPM for OSd / TPM for Images use GSKit 7 for SSL/TLS connections. GSKit before 220.127.116.11 is vulnerable to an attack from a specifically crafted malformed SSL/TLS data packet during the handshake. An attacker would need to send a malformed data packet to the server during the SSL/TLS handshake negotiation. Were an attacker able to do so, they could cause the TPM for OSd / TPM for Images server process to crash. The attack does not require local network access, nor does it require authentication, but some degree of specialized knowledge and technique is required. An exploit would not impact the confidentiality of information or the integrity of data; however, the availability of the system could be compromised.
CVE ID: CVE-2012-2191
IBM Global Security Kit (aka GSKit) before 18.104.22.168 does not properly validate data, which allows remote attackers to cause a denial of service (application crash) via crafted values in the TLS Record Layer, a different vulnerability than CVE-2012-2333.
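Both CVE-2012-2190 and CVE-2012-2191 come down to a TLS implementation trusting length fields read from the wire (the ClientHello session-id length and the record-layer length) before checking them against the protocol maximum and the bytes actually present. The following Python is an added illustration written for this bulletin, not GSKit code and not IBM's fix: it parses a TLS record header and a ClientHello session_id with the bounds checks a robust implementation applies, and rejects constructed sample records whose declared lengths are out of range. The sample records are hand-built byte strings, not captured traffic.

```python
"""Defensive parsing of a TLS record header and ClientHello session_id.

Constructed example: every length taken from the wire is checked against the
protocol maximum and against the bytes available before it is used.
"""
import struct

# RFC 5246: plaintext fragment <= 2^14; ciphertext may add up to 2048 bytes.
MAX_PLAINTEXT_LEN = 2 ** 14
MAX_CIPHERTEXT_LEN = MAX_PLAINTEXT_LEN + 2048
MAX_SESSION_ID_LEN = 32
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


class TLSParseError(ValueError):
    """Raised for any record or handshake field that fails validation."""


def parse_record(buf: bytes) -> tuple:
    """Return (content_type_name, (major, minor), fragment) or raise."""
    if len(buf) < 5:
        raise TLSParseError("record header truncated")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise TLSParseError(f"unknown content type {ctype}")
    if major != 3:
        raise TLSParseError(f"unsupported version {major}.{minor}")
    # Check the declared length against the protocol ceiling first ...
    if length > MAX_CIPHERTEXT_LEN:
        raise TLSParseError(f"record length {length} exceeds 2^14+2048")
    # ... then against what was actually received.
    if len(buf) - 5 < length:
        raise TLSParseError("record body truncated")
    return CONTENT_TYPES[ctype], (major, minor), buf[5:5 + length]


def parse_client_hello_session_id(fragment: bytes) -> bytes:
    """Extract session_id from a ClientHello handshake fragment.

    Layout: msg_type(1) length(3) version(2) random(32) sid_len(1) sid(...)
    """
    if len(fragment) < 4:
        raise TLSParseError("handshake header truncated")
    msg_type = fragment[0]
    body_len = int.from_bytes(fragment[1:4], "big")
    if msg_type != 1:
        raise TLSParseError(f"not a ClientHello (msg_type {msg_type})")
    if len(fragment) - 4 < body_len:
        raise TLSParseError("handshake body truncated")
    body = fragment[4:4 + body_len]
    if len(body) < 2 + 32 + 1:
        raise TLSParseError("ClientHello too short for session_id length")
    sid_len = body[34]
    if sid_len > MAX_SESSION_ID_LEN:
        raise TLSParseError(f"session_id length {sid_len} exceeds 32")
    if len(body) - 35 < sid_len:
        raise TLSParseError("session_id truncated")
    return body[35:35 + sid_len]


def build_client_hello_record(session_id: bytes, declared_sid_len: int = -1) -> bytes:
    """Construct a minimal ClientHello record (sample data, not real traffic).

    declared_sid_len lets a caller deliberately mismatch the length field.
    """
    sid_len = len(session_id) if declared_sid_len < 0 else declared_sid_len
    body = b"\x03\x03" + b"\x00" * 32 + bytes([sid_len]) + session_id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"   # one cipher suite, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def classify(buf: bytes) -> str:
    """Return 'ok:<session_id hex>' (or 'ok:<type>') or 'rejected:<reason>'."""
    try:
        ctype, _, frag = parse_record(buf)
        if ctype != "handshake":
            return f"ok:{ctype}"
        return f"ok:{parse_client_hello_session_id(frag).hex()}"
    except TLSParseError as err:
        return f"rejected:{err}"


if __name__ == "__main__":
    samples = [
        ("valid ClientHello", build_client_hello_record(b"\x11" * 8)),
        ("session_id length > 32", build_client_hello_record(b"\x22" * 8, 200)),
        ("session_id length > data", build_client_hello_record(b"\x33" * 8, 31)),
        ("record length > 2^14+2048", b"\x17\x03\x03\xff\xff" + b"\x00" * 5),
        ("record body truncated", b"\x16\x03\x03\x00\x10" + b"\x00" * 4),
    ]
    for label, rec in samples:
        print(f"{label:28s} -> {classify(rec)}")
```

The point of the two-stage check in `parse_record` is that a length field can be wrong in two independent ways: larger than the protocol permits, or larger than the buffer that was actually received. Either one, if used unchecked as a copy or allocation size, is the kind of defect that produces the application crash these CVEs describe, so the parser rejects the record on the first failure and never reads past the data it has.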
TPM for OSd / TPM for Images 7.1.1.X customers should upgrade to GSKit version 22.214.171.124 or later.
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.