IBM Support

PM85211: TLS spec vulnerability (CVE-2013-0169)

Download


Abstract

This interim fix upgrades the GSKit shipped with IBM HTTP Server to resolve the CVE-2013-0169 TLS vulnerability.

Download Description

PM85211 resolves the following problem:

USERS AFFECTED:
IBM HTTP Servers using CBC ciphers

PROBLEM DESCRIPTION:
TLS spec vulnerability (CVE-2013-0169)

RECOMMENDATION:
Apply this fix if using CBC ciphers.

LOCAL FIX:
Disable CBC ciphers.


PROBLEM CONCLUSION:
The GSKit security library was updated to resolve the exposure.

This fix is targeted for IBM HTTP Server fixpacks/releases:

- 6.1.0.47
- 7.0.0.29
- 8.0.0.7
- 8.5.5.0


IBM HTTP Server is distributing an updated GSKit security library as an interim fix.
No configuration is required once GSKit is updated to 7.0.4.45 or 8.0.14.27.
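
The following shell sketch is an added example, not part of the IBM fix or its readme. It classifies a four-field GSKit level string against the fixed levels stated above (7.0.4.45 for GSKit 7, 8.0.14.27 for GSKit 8). The function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a GSKit level against the PM85211 fixed levels.
# Function names and the sample inventory are assumptions, not IBM tooling.

# is_version V: succeed only for four dot-separated numeric fields.
is_version() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ]
}

# ver_ge A B: succeed when A >= B, comparing field by field as numbers
# (so 8.0.9.x sorts below 8.0.14.x, unlike a string comparison).
ver_ge() {
    old_ifs=$IFS; IFS=.; set -- $1 $2; IFS=$old_ifs
    a1=$1 a2=$2 a3=$3 a4=$4
    shift 4                      # $1..$4 now hold the fields of B
    for x in "$a1" "$a2" "$a3" "$a4"; do
        if [ "$x" -gt "$1" ]; then return 0; fi
        if [ "$x" -lt "$1" ]; then return 1; fi
        shift
    done
    return 0                     # all four fields equal
}

# gskit_pm85211_status V: print fixed, needs-fix, or unknown.
gskit_pm85211_status() {
    if ! is_version "$1"; then echo unknown; return 0; fi
    case $1 in
        7.*) fixed=7.0.4.45 ;;   # GSKit 7 fixed level from this document
        8.*) fixed=8.0.14.27 ;;  # GSKit 8 fixed level from this document
        *)   echo unknown; return 0 ;;
    esac
    if ver_ge "$1" "$fixed"; then echo fixed; else echo needs-fix; fi
}

# Constructed sample inventory (host, GSKit level); not real data.
inventory='web01 7.0.4.44
web02 7.0.4.45
web03 8.0.14.26
web04 8.0.50.13
web05 n/a'
printf '%s\n' "$inventory" | while read -r host level; do
    printf '%-6s %-10s %s\n' "$host" "$level" "$(gskit_pm85211_status "$level")"
done
```

A level reported as needs-fix matters only where CBC ciphers are enabled, and a level the function cannot parse should be checked by hand rather than assumed safe.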

Note: This GSKit update also resolves a potential memory leak in httpd processes
when the 'SSLCacheDisable' directive has not been specified for distributed non-Windows
platforms (IHS 8.0 and later only).


For IHS version 8.0 and 8.5:

The interim fix can be installed using Installation Manager (IM) with the Web-based ("live") repository provided by IBM. It is necessary to de-select the "Show recommended only" option within IM and to expand "Only fixes for version 8.x.y.z" to see the fix listed.
The interim fix is also available from Fix Central at the link listed in the Download Package section below.

For IHS versions prior to 8.0:

This standalone GSKit update has been published to the IBM HTTP Server Fixes download site,
and is located under the 'GSKit Version 7' section for your platform. Click 'here' to be taken to the login page.

For IBM HTTP Server 6.x releases, download the GSKit 7.0.4.45 package and Readme
under the section labeled 'PM85211 - IHS Version 6'

For IBM HTTP Server 7.0 releases, download the GSKit 7.0.4.45 package and Readme
under the section labeled 'PM85211 - IHS Version 7'

Installation Instructions

Review the readme.txt available with the fix for installation instructions.

Download Package

IMPORTANT NOTE: This fix has been superseded by PI09443. It is highly recommended that you install that fix instead of the one available for this APAR. The GSKit installed by that interim fix is newer and also includes the fix for PM85211.

- Fix for 8.0.0.0 - 8.0.0.6
  Date: 23 May 2013
  Language: US English
  Size: 142299011
  Platform: AIX
  URL: http://www.ibm.com/support/fixcentral/quickorder?fixids=8.0.0.0-WS-WASIHS_GSKit-MultiOS-IFPM85211&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch

- Fix for 8.5.0.0 - 8.5.0.2
  Date: 23 May 2013
  Language: US English
  Size: 142239112
  Platform: AIX
  URL: http://www.ibm.com/support/fixcentral/quickorder?fixids=8.5.0.0-WS-WASIHS_GSKit-MultiOS-IFPM85211&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Document Information

Modified date:
15 June 2018

UID

swg24035061