Security Bulletin: WebSphere MQ is affected by the following OpenSSL vulnerabilities: CVE-2014-0224 & CVE-2014-3470


Summary

Security vulnerabilities have been discovered in OpenSSL; they were reported by the OpenSSL project on 5 June 2014 and affect the WebSphere MQ offerings and SupportPacs listed below.

Vulnerability Details

CVE-ID: CVE-2014-0224
DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, caused by improper handling of ChangeCipherSpec messages during the SSL/TLS handshake: a ChangeCipherSpec accepted before the key exchange has completed causes the client or server to derive its session keys from empty keying material. A remote attacker positioned between a vulnerable client and a vulnerable server could exploit this vulnerability using a specially-crafted handshake to decrypt and modify traffic. Both endpoints must be running a vulnerable OpenSSL for the attack to succeed.

CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE-ID: CVE-2014-3470

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in its handling of anonymous ECDH ciphersuites in SSL/TLS clients. A remote attacker could exploit this vulnerability, using a specially-crafted handshake, to crash a client that negotiates an anonymous ECDH ciphersuite.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93589 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
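The CVE-2014-0224 description above turns on one handshake-state check: whether ChangeCipherSpec (CCS) is accepted before the key exchange has finished. The following is an added, constructed model of that check, not OpenSSL's code and not part of this bulletin: a cut-down endpoint state machine that either accepts CCS whenever it arrives (the vulnerable behaviour) or only after a ClientKeyExchange has been processed (the patched behaviour). The PRF is a stand-in (HMAC-SHA256 P_hash), not the TLS PRF, and the message dictionaries are simplified stand-ins for TLS handshake records. It shows why an early CCS matters: the keys become a function of the public Hello randoms alone, so a passive observer can compute them. In the real attack the man-in-the-middle injects the early CCS toward both endpoints; the model shows one side.

```python
"""Toy model of the CVE-2014-0224 (CCS injection) handshake-state flaw.

Constructed example, not OpenSSL code. The PRF is a stand-in for the TLS PRF;
only its shape matters: the output is a deterministic function of
(secret, label, seed).
"""
import hashlib
import hmac
import os


class UnexpectedMessage(Exception):
    """Stands in for a TLS unexpected_message alert."""


def prf(secret: bytes, label: bytes, seed: bytes, length: int = 48) -> bytes:
    """Stand-in PRF (HMAC-SHA256 P_hash), assumed for illustration."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


class Endpoint:
    """One side of the handshake, fed the handshake transcript in order."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.client_random = None
        self.server_random = None
        self.premaster = b""          # empty until ClientKeyExchange is processed
        self.key_exchange_done = False
        self.master_secret = None
        self.cipher_active = False

    def handle(self, msg: dict) -> None:
        kind = msg["type"]
        if kind == "ClientHello":
            self.client_random = msg["random"]
        elif kind == "ServerHello":
            self.server_random = msg["random"]
        elif kind == "ClientKeyExchange":
            self.premaster = msg["premaster"]
            self.key_exchange_done = True
        elif kind == "ChangeCipherSpec":
            # The fix: CCS is only legal once the key exchange is complete.
            if self.patched and not self.key_exchange_done:
                raise UnexpectedMessage("ChangeCipherSpec before key exchange")
            # Vulnerable path: keys are derived from whatever secret material
            # exists right now, which is nothing if the CCS arrived early.
            self.master_secret = prf(self.premaster, b"master secret",
                                     self.client_random + self.server_random)
            self.cipher_active = True
        else:
            raise ValueError("unknown message " + kind)


def run_handshake(patched: bool, inject_early_ccs: bool):
    """Drive a constructed transcript; returns (endpoint, client_random, server_random)."""
    cr, sr = os.urandom(32), os.urandom(32)
    transcript = [
        {"type": "ClientHello", "random": cr},
        {"type": "ServerHello", "random": sr},
    ]
    if inject_early_ccs:
        # Attacker-injected CCS, before any ClientKeyExchange has been seen.
        transcript.append({"type": "ChangeCipherSpec"})
    else:
        transcript += [
            {"type": "ClientKeyExchange", "premaster": os.urandom(48)},
            {"type": "ChangeCipherSpec"},
        ]
    ep = Endpoint(patched)
    for msg in transcript:
        ep.handle(msg)
    return ep, cr, sr


def attacker_master_secret(client_random: bytes, server_random: bytes) -> bytes:
    """What a passive observer of the two Hellos can compute: the same
    derivation with an empty secret. No private key material is needed."""
    return prf(b"", b"master secret", client_random + server_random)


def demo() -> dict:
    results = {}
    ep, cr, sr = run_handshake(patched=False, inject_early_ccs=True)
    results["vulnerable_keys_predictable"] = ep.master_secret == attacker_master_secret(cr, sr)
    ep, cr, sr = run_handshake(patched=False, inject_early_ccs=False)
    results["normal_keys_predictable"] = ep.master_secret == attacker_master_secret(cr, sr)
    try:
        run_handshake(patched=True, inject_early_ccs=True)
        results["patched_rejects_early_ccs"] = False
    except UnexpectedMessage:
        results["patched_rejects_early_ccs"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The patched branch corresponds to the state check OpenSSL 1.0.1h added; the unpatched branch is what makes the "weak keying material" in the CVSS description: not a weak cipher, but a secret that is empty.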

Affected Products and Versions

The man-in-the-middle attack vulnerability (CVE-2014-0224) is known to affect the following offerings:

  • IBM WebSphere MQ V5.3 for HP NonStop Server
  • Support Pac MAT1 - IBM WebSphere MQ client for HP Integrity NonStop Server
  • Support Pac MA9B - IBM Mobile Messaging and M2M Client Pack - Eclipse Paho MQTT C Client libraries for Linux & Windows platforms only

In addition, the denial of service vulnerability (CVE-2014-3470) is known to affect the following offering:
  • Support Pac MA9B - IBM Mobile Messaging and M2M Client Pack - Eclipse Paho MQTT C Client libraries for Linux & Windows platforms only

Note that the Paho MQTT C client libraries provided for Linux and Windows platforms in IBM WebSphere MQ 7.1 and IBM WebSphere MQ 7.5 are also affected.


These vulnerabilities do NOT affect any version or release of the following offerings on platforms other than those listed above:
  • IBM WebSphere MQ Client
  • IBM WebSphere MQ Server
  • IBM WebSphere MQ Managed File Transfer
  • IBM WebSphere MQ Advanced Message Security

Remediation/Fixes

All affected product offerings and SupportPacs have been patched or updated to OpenSSL 1.0.1h.
Unless otherwise specified below, run the openssl version command to determine whether OpenSSL 1.0.1h is installed or whether fixes are still required:

IBM WebSphere MQ V5.3 for HP NonStop Server Integrity



IBM WebSphere MQ V5.3 for HP NonStop Server S-Series
  • Apply the WMQv5319-PATCH4 patch which can be obtained directly from IBM Support
    (contains patched OpenSSL 0.9.7d).
    This patch can only be applied to a WMQv5319 installation
  • The vproc versioning tool provided by HP should show T0085G06_12JUN2014_V53_1_9_PATCH4 for amqcctca and amqcctca_r libraries for systems that have applied this patch

Support Pac MAT1 - IBM WebSphere MQ client for HP Integrity NonStop Server


IBM WebSphere MQ 7.1 & IBM WebSphere MQ 7.5 MQTT C Client libraries for Linux & Windows platforms only

  • Install the patched MQTT libraries provided by MA9B Support Pac client package

Support Pac MA9B - IBM Mobile Messaging and M2M Client Pack - Eclipse Paho MQTT C Client libraries for Linux & Windows platforms only

  • Reinstall client package (contains OpenSSL 1.0.1h)
  • The MQTTVersion command should be used to confirm the OpenSSL version number.
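The remediation steps above rely on reading an OpenSSL version string (from openssl version, or from the MQTTVersion command for the MA9B libraries) and comparing it with 1.0.1h. The following is an added example, not an IBM tool and not part of this bulletin, that does that comparison correctly for OpenSSL's letter-suffixed release scheme. The fix levels in the table are the ones the OpenSSL project named in its 5 June 2014 advisory (0.9.8za, 1.0.0m, 1.0.1h); this bulletin itself only calls for 1.0.1h. The sample version strings in the test are constructed.

```python
"""Classify an OpenSSL version string against the June 2014 fix releases.

Constructed example for this bulletin, not an IBM tool.
"""
import re
import subprocess

# Fix levels from the OpenSSL project's 5 June 2014 advisory.
FIXED_LETTER = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) from 'openssl version'-style output,
    or None if no OpenSSL version string is present. The letter is '' for a
    bare release such as 1.0.1."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def classify(text):
    """'fixed', 'vulnerable', or 'unknown' (branch not in the advisory table).
    Raises ValueError if no version string is found."""
    v = parse_openssl_version(text)
    if v is None:
        raise ValueError("no OpenSSL version string in: %r" % text)
    branch, letter = v[:3], v[3]
    fixed = FIXED_LETTER.get(branch)
    if fixed is None:
        return "unknown"
    # Patch letters sort lexically, with longer suffixes ("za") after single
    # letters ("z"); the bare release (no letter) sorts before all of them.
    if (len(letter), letter) < (len(fixed), fixed):
        return "vulnerable"
    return "fixed"


def check_installed_openssl(binary="openssl"):
    """Run `<binary> version`, as the bulletin instructs, and classify the result.
    Returns (version_string, verdict)."""
    out = subprocess.run([binary, "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), classify(out)


if __name__ == "__main__":
    import sys
    version, verdict = check_installed_openssl(sys.argv[1] if len(sys.argv) > 1 else "openssl")
    print(f"{version}: {verdict}")
```

Two caveats when using this. First, the bulletin says the version string is authoritative for the OpenSSL that IBM bundles, but a distribution-supplied OpenSSL on the same host may carry a backported fix while still reporting an older letter (a vendor-patched 1.0.1e, for example); for those, check the package changelog rather than the string. Second, classify() only parses text that contains an "OpenSSL x.y.z" token; whether MQTTVersion prints one in that form is an assumption here, so inspect its output before piping it in.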

Workarounds and Mitigations

None known.

References

Complete CVSS v2 Guide
On-line Calculator v2

Acknowledgement

None

Change History

19th June 2014 - Original Version Published
1st July 2014 - Confirmed MQTT libraries provided by MQ 7.1 & MQ 7.5 should use MA9B download

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related information

A Japanese translation is available

Document information

More support for: WebSphere MQ
SSL

Software version: 5.3, 7.1, 7.5, 7.5.0.1, 7.5.0.2, 7.5.0.3

Operating system(s): HP-UX, Linux, Windows

Software edition: All Editions

Reference #: 1676496

Modified date: 01 July 2014

