Security Bulletin: IBM Endpoint Manager 9.1.1065 – OpenSSL Vulnerability Update (CVE-2014-0160)

Flash (Alert)


Abstract

A security vulnerability has been discovered in OpenSSL that affects some products in the IBM Endpoint Manager portfolio.

Content

Vulnerability Details

CVE-ID: CVE-2014-0160

DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to expose 64k of private memory and retrieve secret keys. This vulnerability can be remotely exploited, authentication is not required and the exploit is not complex. An exploit can only partially affect the confidentially, but not integrity or availability.


Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment may be more serious than indicated by the CVSS score.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Affected Products and Versions


    Platform 9.1.1065
    SUA 9.1/SCA 1.4
    OSD 3.3
    Remote Control


Remediation/Fixes

IEM Platform

9.1.1082 (9.1 patch 1) is an emergency patch release to close the OpenSSL
Heartbleed vulnerability (CVE-2014-0160). This is a critical vulnerability that
affects 9.1 servers and relays. If you are running a 9.1 deployment, you
need to upgrade immediately in order to close the vulnerability.

Only deployments running 9.1.1065 are exposed to the Heartbleed vulnerability.
Earlier versions are not vulnerable. After upgrading from 9.1.1065 to 9.1.1082,
the following steps should be performed to revoke any potentially-compromised
credentials (these steps do not need to be performed if upgrading from 9.0 or
earlier):

    1) Rotate the server signing key: Rotate custom SSL certificates in Web Reports or the Root Server, if
    you are using them (note: this is not common)
    3) Change all Console user passwords (especially master operator passwords)
    4) Change any database or network proxy passwords that are in root server or relay settings.
    5) Rotate the client keys for all relays, especially DMZ relays, using Fixlet 1759 in the BES Support site (or http://www-01.ibm.com/support/docview.wss?uid=swg21670787 for manual instructions).

9.1.1065 agents are also exposed to the Reverse Heartbleed vulnerability, but
can only be exploited by an attacker setting up a new relay that the agent
connects to. If you suspect this type of attack has occurred, please contact
support for recommendations.

* Detailed changelist: http://support.bigfix.com/bes/changes/fullchangelist-91.txt
* Known issues: http://www-01.ibm.com/support/docview.wss?uid=swg21667537
* Upgrade fixlets available in BES Support version 1161

Software Use Analysis / Security Compliance Analytics


If you are using SUA or SCA (any version) with an IEM version earlier than 9.1, you are unaffected.

If you are using IEM version 9.1.1065, you can remediate your exposure to this vulnerability by taking the platform actions described above to update the platform to version 9.1.1082.

OS Deployment



MDT Bundle Creator 3.3 is affected by this vulnerability only when using an https proxy to download packages. Not using a proxy, or downloading the files ahead of time and caching will remove the use of OpenSSL and the related vulnerability.

The patched MDT Bundle Creator version 3.3.12 has been released. This version of the MDT Bundle Creator disables the proxy functionality when an https proxy is referenced. The new MDT Bundle Creator is available in OS Deployment and Bare Metal Imaging Site Version 37 or higher.

Use the following link to download the updated MDT Bundle Creator:
http://software.bigfix.com/download/osd/MDTBundleCreator-3.3.12.zip

Remote Control

All Endpoint Manager integrated versions of Remote Control are affected by this vulnerability. Updated site version 23 has been updated with the patched components with Interim Fix Pack 1 for IBM Endpoint Manager for Remote Control 9.1.0.

See http://www-01.ibm.com/support/docview.wss?uid=swg21669668 and http://www-01.ibm.com/support/docview.wss?uid=swg21670744 for more details.

Unaffected Products

The following products are not affected by this vulnerability:

  • Mobile Device Management
  • Software Distribution
  • Server Automation
  • Patch Management
  • Power Management
  • Core Protection
  • Security Configuration Management

Operating System Patch Content

OS Patch streams are being closely monitored and patches will be released as quickly as possible

Released Fixlets  

    Red Hat Enterprise Linux 6  
    AIX (Interim Fix)
    CentOS 6 
    Ubuntu 
     
Not Vulnerable  
    ESXi 4.x/5.0/5.1
    Solaris 
    SUSE Linux Enterprise Server 
    Windows 
     
Pending Update from OS Vendor  
    HP-UX

Reference

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

21 April 2014: Updated fix details for Platform, SUA/SCA, Remote Control
15 April 2014: Updated fix details for OSD, and released OS patch Fixlets
11 April 2014: Original Copy Published

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Tivoli Endpoint Manager

Software version:

Version Independent

Operating system(s):

Platform Independent

Reference #:

1670161

Modified date:

2014-04-11

Translate my page

Machine Translation

Content navigation