WebSphere MQ Security Bulletin: multiple vulnerabilities in GSKit component

Flash (Alert)


Abstract

WebSphere MQ Security Vulnerability: There is the potential for invalid SSL or TLS record data to be injected by an attacker to perform a denial of service attack. There is also the potential for a malicious certificate authority (CA) certificate to be injected into a keystore via an import of a PKCS#12 file without authentication.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2012-2191, CVE-2012-2203

DESCRIPTION:
There are two security vulnerabilities in the GSKit component of WebSphere MQ. The vulnerabilities can only be exploited if the GSKit component of MQ is being used: (a) for certificate management, or (b) to implement SSL or TLS enabled channels.

CVE-2012-2191 (CVSS 5)
An invalid data size in either SSL or TLS records could lead to segmentation violation in GSKit.

CVE-2012-2203 (CVSS 5.8)
RFC 5208 states that the message authentication code (MAC) for certificate data in PKCS#12 files is optional. Because the MAC is optional, a PKCS#12 file could be modified, prior to being imported into a GSKit keystore, to contain a malicious CA certificate while carrying no MAC.

CVSS:

CVE-2012-2191
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2012-2203
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77280 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

AFFECTED PLATFORMS:
Certain versions of the GSKit component of WebSphere MQ are affected; refer to the remediation section for more information.

  • WebSphere MQ 7.0.1 on all platforms (except IBM i and z/OS)
  • WebSphere MQ 7.1 on all platforms (except IBM i and z/OS)
  • WebSphere MQ 7.5 on all platforms (except IBM i and z/OS)

REMEDIATION:
Fixes for both these vulnerabilities are included in GSKit versions 7.0.4.41 and 8.0.14.22 and later, provided by MQ fix packs.

WebSphere MQ 7.0.1
Apply fix pack 7.0.1.9 or later. See http://www.ibm.com/support/docview.wss?rs=171&uid=swg24033008

WebSphere MQ 7.1
Apply fix pack 7.1.0.2 when available. In the interim, apply APAR IC87061.

WebSphere MQ 7.5
Apply fix pack 7.5.0.1 when available. In the interim, apply APAR IC87061.


Mitigation
CVE-2012-2191
None known.

CVE-2012-2203
Utilize filesystem security to limit write access to PKCS#12 files, to prevent a malicious CA certificate from being injected before import.
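As an added defensive check that is not part of this bulletin or of IBM's GSKit, the following gate rejects a PKCS#12 file whose outer PFX structure lacks the optional MacData element before it is handed to an import tool. It parses only the outer DER shell with hypothetical helper names, builds constructed sample files inline, and does not verify the MAC value itself, which requires the import password.

```python
# Added example (not IBM/GSKit code): structural pre-import check for PKCS#12 MacData.
# PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData MacData OPTIONAL }

def der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_children(buf):
    """Split a DER byte string into its consecutive (tag, content) elements."""
    out, i = [], 0
    while i < len(buf):
        length, start = der_len(buf, i + 1)
        end = start + length
        if end > len(buf):
            raise ValueError("DER element runs past end of buffer")
        out.append((buf[i], buf[start:end]))
        i = end
    return out

def pkcs12_has_mac(pfx):
    """True if the PFX carries MacData; raises on anything that is not a PFX shell."""
    top = der_children(pfx)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("not a single top-level SEQUENCE")
    fields = der_children(top[0][1])
    if len(fields) < 2 or fields[0][0] != 0x02 or fields[1][0] != 0x30:
        raise ValueError("missing PFX version or authSafe")
    if fields[0][1] != b"\x03":
        raise ValueError("unexpected PFX version")
    return len(fields) >= 3 and fields[2][0] == 0x30   # MacData is a SEQUENCE

def der_tlv(tag, content):
    """Encode one DER element (short and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

ID_DATA = bytes.fromhex("2a864886f70d010701")  # OID 1.2.840.113549.1.7.1 (id-data)
ID_SHA1 = bytes.fromhex("2b0e03021a")          # OID 1.3.14.3.2.26 (sha-1)

def sample_pfx(with_mac):
    """Constructed minimal PFX shell: dummy digest/salt, structure only, not importable."""
    auth_safe = der_tlv(0x30, der_tlv(0x06, ID_DATA) + der_tlv(0xA0, der_tlv(0x04, b"\x00" * 8)))
    body = der_tlv(0x02, b"\x03") + auth_safe
    if with_mac:
        alg = der_tlv(0x30, der_tlv(0x06, ID_SHA1) + der_tlv(0x05, b""))
        digest_info = der_tlv(0x30, alg + der_tlv(0x04, b"\x00" * 20))
        body += der_tlv(0x30, digest_info + der_tlv(0x04, b"\x11" * 8) + der_tlv(0x02, b"\x07\xd0"))
    return der_tlv(0x30, body)
```

For a real file, `pkcs12_has_mac(open(path, "rb").read())` returning False is grounds to refuse the import and investigate who wrote the file.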

REFERENCES:
Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
CVE-2012-2191 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2191)
CVE-2012-2203 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2203)
WebSphere MQ 7.0.1.9 (http://www-01.ibm.com/support/docview.wss?uid=swg21601150)

CHANGE HISTORY:
22nd October 2012: Original Copy Published

Note: 
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

WebSphere MQ WMQ

Document information


More support for:

WebSphere MQ
Security

Software version:

7.0.1, 7.0.1.1, 7.0.1.2, 7.0.1.3, 7.0.1.4, 7.0.1.5, 7.0.1.6, 7.0.1.7, 7.0.1.8, 7.1, 7.1.0.1, 7.5

Operating system(s):

AIX, HP Itanium, HP-UX, Linux, Linux Red Hat - i/p Series, Linux Red Hat - xSeries, Linux Red Hat - zSeries, Linux SUSE - xSeries, Linux SUSE - zSeries, Linux SuSE - i/p Series, Linux iSeries, Linux on Power, Linux zSeries, Solaris, UNIX, Windows

Software edition:

All Editions

Reference #:

1614483

Modified date:

2012-10-23