
Security Bulletin: IBM Endpoint Manager 9.1.1065 – OpenSSL Vulnerability Update (CVE-2014-0160)

Flash (Alert)


Abstract

A security vulnerability has been discovered in OpenSSL that affects some products in the IBM Endpoint Manager portfolio.

Content

Vulnerability Details

CVE-ID: CVE-2014-0160

DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to expose 64k of private memory and retrieve secret keys. This vulnerability can be remotely exploited, authentication is not required, and the exploit is not complex. An exploit can only partially affect confidentiality, but not integrity or availability.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment may be more serious than indicated by the CVSS score.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Affected Products and Versions

Platform 9.1.1065
SUA 9.1/SCA 1.4
OSD 3.3
Remote Control

Remediation/Fixes

IEM Platform

9.1.1082 (9.1 patch 1) is an emergency patch release to close the OpenSSL
Heartbleed vulnerability (CVE-2014-0160). This is a critical vulnerability that
affects 9.1 servers and relays. If you are running a 9.1 deployment, you
need to upgrade immediately in order to close the vulnerability.

Only deployments running 9.1.1065 are exposed to the Heartbleed vulnerability.
Earlier versions are not vulnerable. After upgrading from 9.1.1065 to 9.1.1082,
the following steps should be performed to revoke any potentially-compromised
credentials (these steps do not need to be performed if upgrading from 9.0 or
earlier):

1) Rotate the server signing key:
   http://www-01.ibm.com/support/docview.wss?uid=swg21669587
2) Rotate custom SSL certificates in Web Reports or the Root Server, if
   you are using them (note: this is not common).
3) Change all Console user passwords (especially master operator passwords).
4) Change any database or network proxy passwords that are in root server or relay settings.
5) Rotate the client keys for all relays, especially DMZ relays, using Fixlet 1759 in the BES Support site (or http://www-01.ibm.com/support/docview.wss?uid=swg21670787 for manual instructions).

9.1.1065 agents are also exposed to the Reverse Heartbleed vulnerability, but
this can only be exploited by an attacker who sets up a new relay that the
agent connects to. If you suspect this type of attack has occurred, please
contact support for recommendations.

* Detailed changelist: http://support.bigfix.com/bes/changes/fullchangelist-91.txt
* Known issues: http://www-01.ibm.com/support/docview.wss?uid=swg21667537
* Upgrade fixlets available in BES Support version 1161

Software Use Analysis / Security Compliance Analytics


If you are using SUA or SCA (any version) with an IEM version earlier than 9.1, you are unaffected.

If you are using IEM version 9.1.1065, you can remediate your exposure to this vulnerability by taking the platform actions described above to update the platform to version 9.1.1082.

OS Deployment

MDT Bundle Creator 3.3 is affected by this vulnerability only when using an https proxy to download packages. Not using a proxy, or downloading the files ahead of time and caching them, removes the use of OpenSSL and the related vulnerability.

The patched MDT Bundle Creator version 3.3.12 has been released. This version of the MDT Bundle Creator disables the proxy functionality when an https proxy is referenced. The new MDT Bundle Creator is available in OS Deployment and Bare Metal Imaging Site Version 37 or higher.

Use the following link to download the updated MDT Bundle Creator:
http://software.bigfix.com/download/osd/MDTBundleCreator-3.3.12.zip

Remote Control

All Endpoint Manager integrated versions of Remote Control are affected by this vulnerability. Site version 23 has been updated with the patched components from Interim Fix Pack 1 for IBM Endpoint Manager for Remote Control 9.1.0.

See http://www.ibm.com/support/docview.wss?uid=swg21669668 and http://www.ibm.com/support/docview.wss?uid=swg21670744 for more details.

Unaffected Products

The following products are not affected by this vulnerability:

  • Mobile Device Management
  • Software Distribution
  • Server Automation
  • Patch Management
  • Power Management
  • Core Protection
  • Security Configuration Management

Operating System Patch Content

OS patch streams are being closely monitored and patches will be released as quickly as possible.

Released Fixlets:
  • Red Hat Enterprise Linux 6
  • AIX (Interim Fix)
  • CentOS 6
  • Ubuntu

Not Vulnerable:
  • ESXi 4.x/5.0/5.1
  • Solaris
  • SUSE Linux Enterprise Server
  • Windows

Pending Update from OS Vendor:
  • HP-UX

Reference

  • Complete CVSS v2 Guide
  • On-line Calculator V2
  • OpenSSL Project vulnerability website
  • Heartbleed

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

11 September 2015: Replaced CVSS Guide link to v2
21 April 2014: Updated fix details for Platform, SUA/SCA, Remote Control
15 April 2014: Updated fix details for OSD, and released OS patch Fixlets
11 April 2014: Original Copy Published

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM BigFix family

Software version: Version Independent

Operating system(s): Platform Independent

Reference #: 1670161

Modified date: 23 March 2017
