Security Bulletin: An IBM Business Process Manager SSL connection can be established without host name verification: CVE-2012-5785

Flash (Alert)


Abstract

A Secure Sockets Layer (SSL) connection can be established without host name verfication, which can make the connection vulnerable to a man-in-the-middle attack.

Content

While obtaining an SSL connection, the IBM Business Process Management (BPM) system does not validate the host name of the target connection against the SubjectDN of the certificate. This situation can make the connection vulnerable to a man-in-the-middle attack.
CVE ID: 2012-5785
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79830 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


REMEDIATION
To eliminate a man-in-the-middle attack, apply Interim Fixes JR45329, JR45216, and JR45071, or apply a Fix Pack that contains these APARS. These changes verify the host name against the certificate SubjectDN value. Using the following links, download the interim fixes from IBM Fix Central for IBM Integration Designer, Business Space (IBM Business Monitor) and your applicable IBM Business Process Manager product:


If a system is incorrectly configured, setting the host name validation can result in the following error message:
HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry I/O exception (javax.net.ssl.SSLException) caught when processing request: hostname in certificate didn't match: <certificatehostname> != <targethostname>

You can rectify this error message by making sure the presented certificate SubjectDN matches target the host name.


REFERENCES

Note: The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. You can evaluate the impact of this vulnerability in your environments by accessing the links in the Reference section of this document.


Note:
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


Cross reference information
Segment Product Component Platform Version Edition
Business Integration IBM Business Process Manager Standard Security AIX, Linux, Linux zSeries, Solaris, Windows 8.0.1, 8.0, 7.5.1, 7.5
Business Integration IBM Business Process Manager Express Security Linux, Linux zSeries, Windows 8.0.1, 8.0, 7.5.1, 7.5
Business Integration IBM Integration Designer Security Windows, Linux 8.0.1, 8.0, 7.5.1, 7.5
Business Integration IBM Business Monitor Security AIX, HP-UX, Linux, Linux zSeries, Solaris, Windows 8.0.1, 8.0, 7.5.1, 7.5

Product Alias/Synonym

BPM

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Business Process Manager Advanced
Security

Software version:

7.5, 7.5.1, 8.0, 8.0.1

Operating system(s):

AIX, Linux, Linux zSeries, Solaris, Windows

Reference #:

1622589

Modified date:

2013-01-30

Translate my page

Machine Translation

Content navigation