IBM Support

IT01111: SECURITY CVE-2014-0852 SSL/TLS SIDE CHANNEL DECRYPTION VULNERABILITY

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Using side channel timing based analysis it might be possible to
    decrypt a secret SSL/TLS session key of a sniffed session of a
    DataPower device.
    

Local fix

Problem summary

  • DataPower appliances might be subject to side channel timing
    based attacks resulting in the decryption of an SSL/TLS secured
    transaction.  This can only occur if the attacker is on the same
    LAN network as the DataPower device.  The attacker has to send
    several million requests to DataPower and monitor the responses.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IT01111

  • Reported component name

    DATAPOWER

  • Reported component ID

    DP1234567

  • Reported release

    401

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-04-22

  • Closed date

    2014-07-29

  • Last modified date

    2014-08-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DATAPOWER

  • Fixed component ID

    DP1234567

Applicable component levels

  • R500 PSY

       UP

  • R600 PSY

       UP

  • R601 PSY

       UP



Document information

More support for: IBM DataPower Gateways
General

Software version: 4.0.1

Reference #: IT01111

Modified date: 05 August 2014