IBM Support

IC74203: CIPHERSUITE DOWNGRADE ATTACK AGAINST SSL SERVER WITH SESSION CACHING ENABLED

 

APAR status

  • Closed as program error.

Error description

  • When a DataPower service acts as an SSL server with server-side session caching enabled, it is possible for a malicious client to modify the ciphersuite associated with a saved session in that SSL server's session cache.

    The malicious client can only change the associated ciphersuite to a value that the SSL server would support on the initial handshake, which limits the severity of this attack. The attacker cannot associate a weak cipher with the session if the server does not support weak ciphers in the initial handshake. By default, the DataPower SSL server does not support weak ciphers in the initial handshake.
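
Added example (not IBM's code and not part of the original APAR): in SSL/TLS, a resumed session is expected to keep the ciphersuite negotiated in the full handshake that created it, so a resumption that reports a different ciphersuite matches the condition described above. The sketch below flags such sessions in handshake records; the record format, field names and sample values are constructed for illustration and are not DataPower log output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HandshakeEvent:
    session_id: str  # session ID from the ServerHello (hypothetical field)
    resumed: bool    # True for an abbreviated (resumed) handshake
    cipher: str      # ciphersuite selected in the ServerHello


def find_cipher_changes(events):
    """Return (session_id, original, resumed) for each resumed handshake whose
    ciphersuite differs from the full handshake that created the session."""
    original = {}
    findings = []
    for ev in events:
        if not ev.resumed:
            # A full handshake creates (or replaces) the cached session.
            original[ev.session_id] = ev.cipher
            continue
        first = original.get(ev.session_id)
        if first is None:
            continue  # session predates the records; nothing to compare against
        if ev.cipher != first:
            findings.append((ev.session_id, first, ev.cipher))
    return findings


# Constructed sample records, in time order.
SAMPLE_EVENTS = [
    HandshakeEvent("a1b2", False, "TLS_RSA_WITH_AES_256_CBC_SHA"),
    HandshakeEvent("c3d4", False, "TLS_RSA_WITH_AES_128_CBC_SHA"),
    HandshakeEvent("c3d4", True, "TLS_RSA_WITH_AES_128_CBC_SHA"),
    HandshakeEvent("a1b2", True, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    HandshakeEvent("e5f6", True, "TLS_RSA_WITH_AES_128_CBC_SHA"),
]

if __name__ == "__main__":
    for sid, before, after in find_cipher_changes(SAMPLE_EVENTS):
        print(f"session {sid}: {before} -> {after} on resumption")
```

A changed ciphersuite will still be one the server accepts on an initial handshake, so the mismatch itself, not the strength of the new cipher, is the signal to review.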
    

Local fix

  • Yes. Disabling Server-side Session Caching in a given SSL Proxy Profile object will avoid the problem for all subsequent SSL connections to services using that object.
    

Problem summary

  • Fix the ciphersuite downgrade attack.
    

Problem conclusion

  • The fix is available in 3.7.3.17, 3.8.0.11, 3.8.1.10 and 3.8.2.2.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC74203

  • Reported component name

    DATAPOWER

  • Reported component ID

    DP1234567

  • Reported release

    381

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-02-01

  • Closed date

    2011-02-23

  • Last modified date

    2011-02-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DATAPOWER

  • Fixed component ID

    DP1234567

Applicable component levels

  • R373 PSY

       UP

  • R380 PSY

       UP

  • R381 PSY

       UP

  • R382 PSY

       UP


Document Information

Modified date:
11 February 2022