Security Bulletin
Summary
Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project.
Vulnerability Details
OpenSSL security vulnerability in the DataDirect drivers shipped with WebSphere Message Broker 8.0 and IBM Integration Bus 9.0 (CVE-2014-0224). This only affects users of DataDirect ODBC SSL connectivity.
Links to latest fix packs
WebSphere Message Broker 8.0.0.4
IBM Integration Bus 9.0.0.2
CVE-ID: CVE-2014-0224
DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Affected Products and Versions
IBM WebSphere Message Broker V8.0
IBM Integration Bus V9.0
Remediation/Fixes
For all affected products and versions, remediation requires configuring WebSphere Message Broker and IBM Integration Bus to pick up the updated DataDirect drivers available from IBM Fix Central (APAR IT02892).
For IBM WebSphere Message Broker V8.0, an interim fix for APAR IT02892 is available from IBM Fix Central.
For IBM Integration Bus V9.0, an interim fix for APAR IT02892 is available from IBM Fix Central.
For IBM WebSphere Message Broker V8.0, this fix is targeted to be available in fix pack 8.0.0.6.
For IBM Integration Bus V9.0, this fix is targeted to be available in fix pack 9.0.0.3.
Workarounds and Mitigations
None known
References
Acknowledgement
None
Change History
10 July 2014 - Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Fix download links
WebSphere Message Broker 8.0.0.5: http://www-01.ibm.com/support/docview.wss?uid=swg24037264
IBM Integration Bus 9.0.0.2: http://www-01.ibm.com/support/docview.wss?uid=swg24037877
Interim fix for APAR IT02892, IBM WebSphere Message Broker V8.0: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT02892
Interim fix for APAR IT02892, IBM Integration Bus V9.0: http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=IT02892
Product Synonym
WMB IIB
Document Information
Modified date: 23 March 2020
UID: swg21677891