Security Bulletin: IBM Endpoint Manager 9.1.1065 – OpenSSL Vulnerability Update (CVE-2014-0160)
A security vulnerability has been discovered in OpenSSL that affects some products in the IBM Endpoint Manager portfolio.
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to expose 64k of private memory and retrieve secret keys. This vulnerability can be remotely exploited, authentication is not required and the exploit is not complex. An exploit can only partially affect the confidentially, but not integrity or availability.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment may be more serious than indicated by the CVSS score.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Affected Products and Versions
SUA 9.1/SCA 1.4
9.1.1082 (9.1 patch 1) is an emergency patch release to close the OpenSSL
Heartbleed vulnerability (CVE-2014-0160). This is a critical vulnerability that
affects 9.1 servers and relays. If you are running a 9.1 deployment, you
need to upgrade immediately in order to close the vulnerability.
Only deployments running 9.1.1065 are exposed to the Heartbleed vulnerability.
Earlier versions are not vulnerable. After upgrading from 9.1.1065 to 9.1.1082,
the following steps should be performed to revoke any potentially-compromised
credentials (these steps do not need to be performed if upgrading from 9.0 or
1) Rotate the server signing key:
Rotate custom SSL certificates in Web Reports or the Root Server, if
you are using them (note: this is not common)
3) Change all Console user passwords (especially master operator passwords)
4) Change any database or network proxy passwords that are in root server or relay settings.
5) Rotate the client keys for all relays, especially DMZ relays, using Fixlet 1759 in the BES Support site (or http://www-01.ibm.com/support/docview.wss?uid=swg21670787 for manual instructions).
9.1.1065 agents are also exposed to the Reverse Heartbleed vulnerability, but
can only be exploited by an attacker setting up a new relay that the agent
connects to. If you suspect this type of attack has occurred, please contact
support for recommendations.
* Detailed changelist: http://support.bigfix.com/bes/changes/fullchangelist-91.txt
* Known issues: http://www-01.ibm.com/support/docview.wss?uid=swg21667537
* Upgrade fixlets available in BES Support version 1161
Software Use Analysis / Security Compliance Analytics
If you are using SUA or SCA (any version) with an IEM version earlier than 9.1, you are unaffected.
If you are using IEM version 9.1.1065, you can remediate your exposure to this vulnerability by taking the platform actions described above to update the platform to version 9.1.1082.
MDT Bundle Creator 3.3 is affected by this vulnerability only when using an https proxy to download packages. Not using a proxy, or downloading the files ahead of time and caching will remove the use of OpenSSL and the related vulnerability.
The patched MDT Bundle Creator version 3.3.12 has been released. This version of the MDT Bundle Creator disables the proxy functionality when an https proxy is referenced. The new MDT Bundle Creator is available in OS Deployment and Bare Metal Imaging Site Version 37 or higher.
Use the following link to download the updated MDT Bundle Creator:
All Endpoint Manager integrated versions of Remote Control are affected by this vulnerability. Updated site version 23 has been updated with the patched components with Interim Fix Pack 1 for IBM Endpoint Manager for Remote Control 9.1.0.
See http://www.ibm.com/support/docview.wss?uid=swg21669668 and http://www.ibm.com/support/docview.wss?uid=swg21670744 for more details.
The following products are not affected by this vulnerability:
Operating System Patch Content
OS Patch streams are being closely monitored and patches will be released as quickly as possible
Red Hat Enterprise Linux 6
AIX (Interim Fix)
SUSE Linux Enterprise Server
Pending Update from OS Vendor
11 September 2015: Replaced CVSS Guide link to v2
21 April 2014: Updated fix details for Platform, SUA/SCA, Remote Control
15 April 2014: Updated fix details for OSD, and released OS patch Fixlets
11 April 2014: Original Copy Published
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.