IT14230: A VULNERABILITY IN THE SSL COMPONENT OF IBM DATAPOWER GATEWAYS. (CVE-2016-0701 CVE-2015-3197)

Fix packs for DataPower Service Gateway version 7.0
Fix packs for DataPower B2B Appliance version 7.0
Fix packs for DataPower Integration Appliance version 7.0
Fix packs for DataPower Gateway version 7.1
Fix packs for DataPower Gateway version 7.2
Fix packs for DataPower Gateway version 7.5
Fix packs for DataPower Gateway version 7.5.1

APAR status

• Closed as program error.

Error description

• SSL vulnerabilities disclosed on January 28th, 2016 include
  CVE-2015-3197.  IBM DataPower Gateways releases 7.x are affected
   by this CVE.
  
  SSL could allow a remote attacker to conduct man-in-the-middle
  attacks, caused by an error related to the negotiation of
  disabled SSLv2 ciphers by malicious SSL/TLS clients.
  (CVE-2015-3197).
  

Local fix

Problem summary

• SSL vulnerabilities disclosed on January 28th, 2016 include
  CVE-2015-3197.  IBM DataPower Gateways releases 7.x are affected
   by this CVE.
  SSL could allow a remote attacker to conduct man-in-the-middle
  attacks, caused by an error related to the negotiation of
  disabled SSLv2 ciphers by malicious SSL/TLS clients.
  (CVE-2015-3197).
  

Problem conclusion

• Fixes are available in 7.0.0.13, 7.1.0.10, 7.2.0.6 and 7.5.0.2.
  For a list of the latest fix packs available, please see:
  http://www-01.ibm.com/support/docview.wss?uid=swg21237631
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  DATAPOWER

• Fixed component ID

  DP1234567

Applicable component levels

• R700 PSY

     UP

• R710 PSY

     UP

• R720 PSY

     UP

• R750 PSY

     UP