Security Bulletin: IBM Endpoint Manager 9.1 OpenSSL Heartbleed Vulnerability (CVE-2014-0160)
News flash for the OpenSSL Heartbleed vulnerability (CVE-2014-0160) impacting IBM Endpoint Manager 9.1
There is an OpenSSL vulnerability that could allow an attacker to compromise the IBM Endpoint Manager root server signing key. Both Windows and Linux server deployments are affected. Note that the site admin key cannot be compromised using this vulnerability.
AFFECTED PRODUCTS AND VERSIONS:
IBM Endpoint Manager 9.1.1065 is the only affected version. Previous versions are not affected, and version 9.1.1082 fixes the vulnerability.
IMMEDIATE ACTIONS REQUIRED FOR 9.1.1065:
- If you are using Endpoint Manager 9.1.1065, you should immediately upgrade to version 9.1.1082 (upgrade fixlets available in BES Support). After upgrade, follow the instructions on the 9.1.1082 announcement to rotate potentially compromised credentials.
On April 7, 2014, a vulnerability was announced in OpenSSL versions 1.0.1 and 1.0.2. It is officially named "TLS heartbeat read overrun (CVE-2014-0160)" and has come to be colloquially known as "The Heartbleed Bug".
Official advisory: http://www.openssl.org/news/secadv_20140407.txt
More details: http://heartbleed.com
Any software that uses an affected version of OpenSSL and is a TLS server is vulnerable.
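The "read overrun" named above comes from the heartbeat message carrying its own payload length field, which vulnerable OpenSSL builds trusted when copying bytes into the reply. The following parser, added here as an illustration and not code from OpenSSL or IBM Endpoint Manager, applies the same bounds check the patched OpenSSL introduced (type + length + declared payload + 16 bytes minimum padding must fit inside the bytes actually received); the sample messages are constructed for the example.

```python
import struct
from typing import Tuple

# Heartbeat message types from RFC 6520: 1 = heartbeat_request, 2 = heartbeat_response.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 3    # 1 byte type + 2 byte payload_length


def parse_heartbeat(body: bytes) -> Tuple[int, bytes]:
    """Parse a heartbeat body: type(1) | payload_length(2) | payload | padding(>=16).

    Raises ValueError when the declared payload_length does not fit in the bytes
    actually received. Vulnerable OpenSSL skipped this check and copied
    payload_length bytes (up to 65535) from memory into the response, leaking
    whatever lay beyond the real payload.
    """
    if len(body) < HEADER_LEN + MIN_PADDING:
        raise ValueError("heartbeat body shorter than header plus minimum padding")
    hb_type, payload_length = struct.unpack("!BH", body[:HEADER_LEN])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat type %d" % hb_type)
    # The check added by the OpenSSL fix: 1 + 2 + payload + 16 must not exceed
    # the received record length. Silently discarding is the RFC-specified action.
    if HEADER_LEN + payload_length + MIN_PADDING > len(body):
        raise ValueError(
            "declared payload_length %d exceeds received body of %d bytes"
            % (payload_length, len(body))
        )
    return hb_type, body[HEADER_LEN:HEADER_LEN + payload_length]


def is_well_formed(body: bytes) -> bool:
    """True if the body passes the bounds check, False if it would be discarded."""
    try:
        parse_heartbeat(body)
        return True
    except ValueError:
        return False


# Constructed sample messages (not captured traffic).
# A legitimate request: 4-byte payload "ping" with 16 bytes of padding.
GOOD_REQUEST = struct.pack("!BH", HEARTBEAT_REQUEST, 4) + b"ping" + b"\x00" * MIN_PADDING
# A malformed request: same 23 bytes on the wire, but payload_length claims 65535.
OVERSIZED_REQUEST = struct.pack("!BH", HEARTBEAT_REQUEST, 65535) + b"ping" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print(parse_heartbeat(GOOD_REQUEST))      # (1, b'ping')
    print(is_well_formed(OVERSIZED_REQUEST))  # False
```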
This vulnerability impacts IBM Endpoint Manager in several ways. An attacker who can send network requests to the root server can read the root server's memory and obtain the server signing private key. This key could be used, as part of a man-in-the-middle attack, to impersonate the root server and obtain console login credentials. It can also be used to forge actions that agents will accept as authentic.
An attacker who can send network requests to a 9.1.1065 relay can read the relay's memory and obtain the private key of the agent on the relay machine. This key can be used to read the contents of mailboxes and secure parameters sent to the target agent. It can also be used to impersonate reports from the agent that the server will accept as genuine.
If you are using any custom SSL certificates for a 9.1.1065 root server or web reports server, the private keys for those certificates could be compromised. If you are using these keys on any other systems, you should rotate them immediately.