
Security Bulletin: IBM WebSphere Message Broker and IBM Integration Bus are affected by an SSL vulnerability in DataDirect ODBC drivers (CVE-2014-0224)

Security Bulletin


Summary

Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project.

Vulnerability Details

An OpenSSL security vulnerability (CVE-2014-0224) affects the DataDirect drivers shipped with WebSphere Message Broker 8.0 and IBM Integration Bus 9.0. This only affects users of DataDirect ODBC SSL connectivity.

Links to latest fix packs
WebSphere Message Broker 8.0.0.4
IBM Integration Bus 9.0.0.2

CVE-ID: CVE-2014-0224

DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic.

CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM WebSphere Message Broker V8.0

IBM Integration Bus V9.0

Remediation/Fixes

For all affected products and versions, remediation requires configuring WebSphere Message Broker and IBM Integration Bus to pick up the DataDirect drivers available from IBM Fix Central (APAR IT02892).

For IBM WebSphere Message Broker V8.0, an interim fix for APAR IT02892 is available from IBM Fix Central.

For IBM Integration Bus V9.0, an interim fix for APAR IT02892 is available from IBM Fix Central.

For IBM WebSphere Message Broker V8.0, this fix is targeted to be available in fix pack 8.0.0.6.

For IBM Integration Bus V9.0, this fix is targeted to be available in fix pack 9.0.0.3.


Workarounds and Mitigations

None known


References


Acknowledgement

None

Change History

10 July 2014 - Original version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only




Links to latest fix packs
WebSphere Message Broker 8.0.0.5 : http://www-01.ibm.com/support/docview.wss?uid=swg24037264
IBM Integration Bus 9.0.0.2 : http://www-01.ibm.com/support/docview.wss?uid=swg24037877


For IBM WebSphere Message Broker V8.0, an interim fix for APAR IT02892 is available from IBM Fix Central:
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT02892

For IBM Integration Bus V9.0, an interim fix for APAR IT02892 is available from IBM Fix Central:
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=IT02892



Product Synonym

WMB IIB

Document Information

Modified date:
23 March 2020

UID

swg21677891