IBM Support

IT08435: SECURITY APAR CVE-2014-0852 - SSL/TLS SIDE CHANNEL DECRYPTION VULNERABILITY ON DATAPOWER HARDWARE SECURITY MODULE

APAR status

  • Closed as program error.

Error description

  • Using side-channel, timing-based analysis, it might be possible to
    decrypt a secret SSL/TLS session key of a sniffed session of a
    DataPower device.
    

Local fix

Problem summary

  • DataPower appliances might be subject to side-channel, timing-based
    attacks resulting in the decryption of an SSL/TLS secured
    transaction.  The attack can only be performed if the attacker
    is on the same LAN as the DataPower device.  The attacker has to
    send several million requests to DataPower and monitor the
    response time for each of these messages in order to recover
    the PreMasterSecret used in the SSL/TLS communication.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IT08435

  • Reported component name

    DATAPOWER

  • Reported component ID

    DP1234567

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-04-24

  • Closed date

    2015-04-24

  • Last modified date

    2015-04-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DATAPOWER

  • Fixed component ID

    DP1234567

Applicable component levels

  • R500 PSY UP

  • R600 PSY UP

  • R601 PSY UP

  • R700 PSY UP



Document information

Software version: 5.0.0

Reference #: IT08435

Modified date: 24 April 2015