Security Bulletin: Some versions of IBM Security Access Manager for Web are affected by the Heartbleed vulnerability (CVE-2014-0160)

Summary

IBM Security Access Manager (ISAM) for Web v8.0 introduced a layer 7 front end load balancer. The SSL framework used by this component exposes the 'heartbeat' TLS extension implemented through an affected version of OpenSSL and is therefore susceptible to the Heartbleed vulnerability.

Vulnerability Details

CVE ID:
CVE-2014-0160

DESCRIPTION:
A vulnerability in OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to expose 64k of private memory and retrieve secret keys, and can repeatedly expose additional 64k chunks of memory. This vulnerability can be exploited remotely, authentication is not required, and the exploit is not complex. An exploit can only partially affect confidentiality, and does not affect integrity or availability.

An affected version of OpenSSL is used by the front end load balancer provided with ISAM for Web starting with version 8.0. ISAM for Web 8.0 is only vulnerable if the front end load balancer is enabled and the SSL Proxy for Layer-7 capability is enabled. Instructions for determining if this is the case are provided at the end of this bulletin.

The vulnerable front end load balancer was not provided with previous versions of the product, and they are not susceptible to the vulnerability.
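The bulletin turns on whether the SSL front end negotiates the TLS heartbeat extension (RFC 6520) at all. The parser below, an added example that is not code from IBM or from the appliance, reads one TLS record carrying a ServerHello and reports whether the heartbeat extension (type 15) was sent back and in which mode. It is meant for a packet capture or a handshake you recorded from your own listener, for example to confirm that a workaround removed the Layer-7 SSL termination. The ServerHello bytes it runs on are constructed by the `build_server_hello` helper for the demo. Caveat: advertising the extension only shows the heartbeat code path is reachable; whether the endpoint is actually vulnerable depends on the OpenSSL version behind it, which is what the firmware update fixes.

```python
"""Added example: does a ServerHello advertise the TLS heartbeat extension (RFC 6520)?

Not code from the IBM bulletin; the ServerHello bytes are constructed for the demo.
"""
import struct
from typing import Dict, List, Optional, Tuple

HEARTBEAT_EXT = 0x000F  # ExtensionType heartbeat, RFC 6520
HEARTBEAT_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}


def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record holding a ServerHello; return cipher suite and a {type: data} extension map."""
    if len(record) < 5 or record[0] != 0x16:  # ContentType handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or not body or body[0] != 0x02:  # HandshakeType server_hello
        raise ValueError("not a complete ServerHello record")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")

    def take(pos: int, n: int) -> bytes:
        # Bounds-checked slice so a short message raises instead of silently misparsing.
        if pos + n > len(hs):
            raise ValueError("truncated ServerHello field")
        return hs[pos:pos + n]

    pos = 2 + 32                                   # server_version, random
    sid_len = take(pos, 1)[0]; pos += 1
    pos += len(take(pos, sid_len))                 # session_id
    cipher = struct.unpack("!H", take(pos, 2))[0]; pos += 2
    pos += len(take(pos, 1))                       # compression_method
    extensions: Dict[int, bytes] = {}
    if pos < len(hs):                              # extensions block is optional
        ext_len = struct.unpack("!H", take(pos, 2))[0]; pos += 2
        end = pos + ext_len
        if end != len(hs):
            raise ValueError("extensions length does not match message length")
        while pos < end:
            etype, elen = struct.unpack("!HH", take(pos, 4)); pos += 4
            extensions[etype] = take(pos, elen); pos += elen
    return {"cipher_suite": cipher, "extensions": extensions}


def heartbeat_mode(record: bytes) -> Optional[str]:
    """Return the negotiated HeartbeatMode name, or None if the server did not send the extension."""
    data = parse_server_hello(record)["extensions"].get(HEARTBEAT_EXT)
    if data is None:
        return None
    if len(data) != 1:
        raise ValueError("malformed heartbeat extension body")
    return HEARTBEAT_MODES.get(data[0], f"unknown({data[0]})")


def build_server_hello(extensions: List[Tuple[int, bytes]]) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (demo input only, not captured traffic)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hs = (b"\x03\x01" + bytes(32)            # server_version, all-zero random (constructed)
          + b"\x00"                           # empty session_id
          + struct.pack("!H", 0x002F)         # TLS_RSA_WITH_AES_128_CBC_SHA
          + b"\x00")                          # compression null
    if extensions:
        hs += struct.pack("!H", len(ext_body)) + ext_body
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    with_hb = build_server_hello([(HEARTBEAT_EXT, b"\x01")])
    without_hb = build_server_hello([(0xFF01, b"\x00")])   # renegotiation_info only
    print("heartbeat advertised:", heartbeat_mode(with_hb))
    print("heartbeat advertised:", heartbeat_mode(without_hb))
```

A `None` result means the server did not echo the extension, so the heartbeat path is not exposed on that connection; any other result means the extension is negotiated and the OpenSSL version behind the listener must be checked against the fixed firmware.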


CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment may be more serious than indicated by the CVSS score.

Affected Products and Versions

ISAM for Web v8.0, firmware versions 8.0.0.2 and 8.0.0.3

Remediation/Fixes

Step 1) Apply Patches


IBM has provided firmware updates containing the fix. Affected systems should be patched immediately. Patches and installation instructions are provided at the URLs listed below.

Applying the patch by using the local management interface.
1. Download the .pkg file.
2. In the local management interface, select Manage System Settings > Updates and Licensing > Available Updates.
3. Click Upload. The New Update dialog opens.
4. Click Select Update.
5. Browse to the .pkg file.
6. Click Open.
7. Click Save Configuration. The upload process might take several minutes.
8. Select the new firmware and click Install.

Note: The installation of the new firmware takes a few minutes to complete. After the update is successfully applied to the system, the appliance reboots automatically.

Applying the patch by using a USB drive.
1. Download the .pkg file.
2. Copy the firmware update onto a USB flash drive. The flash drive must be formatted with a FAT file system.
3. Insert the USB flash drive into the hardware appliance.
4. Log in as admin in the appliance console or use secure shell.
5. Type updates and then press Enter.
6. Type install and then press Enter. The following options must be selected.
· 1: For a firmware update
· 1: To install the update from a USB drive
· YES: To confirm that the USB drive is plugged into the appliance
· <index>: Select the appliance firmware from the list
· YES: To confirm the update and start the update process

Note: The installation of the new firmware takes a few minutes to complete. After the update is successfully applied to the system, the appliance reboots automatically.


Step 2) Replace SSL Certificates.

Because existing SSL certificates could be compromised, you should revoke existing SSL certificates and reissue new certificates. Be sure not to generate the new certificates using the old private key. Instead, create a new private key and use that new private key to create the new certificate signing request (CSR).

Step 3) Reset User Credentials

Because password information could have been compromised, you should force users to reset their passwords. You should also revoke any authentication or session related cookies set prior to the time OpenSSL was upgraded and force users to re-authenticate.

Warning: Your environment may require additional fixes for other products, including non-IBM products. Please replace SSL certificates and reset user credentials after applying the necessary fixes to your environment.
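Step 3 asks for two things on the session side: rotate whatever secret signed the cookies, since it may have sat in the memory the bug exposes, and refuse any cookie minted before the upgrade. The following added example (not IBM code; the cookie format, the signing keys and the upgrade timestamp are assumptions constructed for the demo) shows a cookie validator that enforces both, so that a cookie fails either because it carries the old key's signature or because its issue time predates the upgrade.

```python
"""Added example: reject session cookies that predate the OpenSSL upgrade.

Not part of the IBM bulletin; cookie format, keys and timestamps are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def issue_cookie(key: bytes, user: str, issued_at: int) -> str:
    """Mint an HMAC-SHA256 signed session cookie carrying the issue time (seconds since epoch)."""
    payload = json.dumps({"u": user, "iat": issued_at}, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def validate_cookie(key: bytes, cookie: str, upgrade_time: int) -> Optional[str]:
    """Return the user name if the cookie is authentic and issued at or after upgrade_time, else None.

    Two independent checks:
    - signature under the *current* key: cookies signed with the key that lived in the
      vulnerable process (rotated as part of remediation) fail here;
    - issue-time cutoff: cookies minted before the upgrade are rejected even if the
      signing key was not rotated.
    """
    try:
        p64, s64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:          # wrong number of parts or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    if data.get("iat", 0) < upgrade_time:
        return None
    return data.get("u")


# Constructed sample values so the module runs stand-alone.
OLD_KEY = b"key-that-lived-in-memory-before-the-patch"   # assumed compromised
NEW_KEY = b"fresh-key-generated-after-the-patch"
UPGRADE_TIME = 1_397_000_000                              # constructed upgrade timestamp

if __name__ == "__main__":
    pre_patch = issue_cookie(OLD_KEY, "alice", UPGRADE_TIME - 3600)
    post_patch = issue_cookie(NEW_KEY, "alice", UPGRADE_TIME + 60)
    print(validate_cookie(NEW_KEY, pre_patch, UPGRADE_TIME))   # None: old key and old timestamp
    print(validate_cookie(NEW_KEY, post_patch, UPGRADE_TIME))  # alice
```

Server-side session stores get the same treatment: delete or mark every record created before the upgrade timestamp so the next request forces re-authentication.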


DETERMINING IF YOUR SYSTEM IS VULNERABLE:
As stated above, ISAM for Web 8.0 is only vulnerable if the front end load balancer is enabled and the SSL Proxy for Layer-7 capability is enabled. Follow these steps to determine if this is the case:
1. Authenticate to the Local Management Interface.
2. Click the "Manage System Settings" top menu item.
3. Look for the "Front End Load Balancer" option under Network Settings. If this option is not present, your system is not vulnerable.
4. Click the "Front End Load Balancer" option to open the administration panel for the load balancer and ensure that you are viewing the General tab.
5. Look for a checkbox next to "Enabled" at the top of the panel. If this checkbox is not checked, your system is not vulnerable.
6. Look for a checkbox next to "Enable SSL Proxy for Layer-7". If this option is not present or the checkbox is not checked, your system is not vulnerable.
7. Click on the 'Servers' tab, and then check to see if any virtual servers have SSL enabled. This is achieved by selecting each server in turn, pressing the 'edit' button for the server, and looking at the 'Layer 7 SSL Enabled' checkbox. If this checkbox is not checked for ANY server, your system is not vulnerable.

Workarounds and Mitigations

Follow the navigation steps in the "Determining if your system is vulnerable" section above to apply one or both of the following options:

1. Disable SSL termination for all of the virtual servers and the entire front end load balancer.
· Click on the 'Servers' tab and, for each virtual server, edit the server connection, and if the 'Layer 7 SSL Enabled' check box is selected, uncheck it.
· Navigate to the General tab of the front end load balancer and uncheck the checkbox next to "Enable SSL Proxy for Layer-7".
· Save your changes and deploy.
2. Disable the front end load balancer completely.
· Navigate to the General tab of the front end balancer.
· Uncheck the checkbox next to "Enabled" to disable the entire front end load balancer.
· Save your changes and deploy.
Both of these workarounds will require changes to your environment in order to support operations. These changes are beyond the scope of this document.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

ISAM WebSEAL Web Gateway Appliance

Document information

More support for: IBM Security Access Manager for Web

Software version: 8.0.0.2

Operating system(s): Appliance

Reference #: 1670164

Modified date: 11 April 2014