APAR status
Closed as program error.
Error description
An appliance restart or other unpredictable behavior can be triggered by malicious ASN.1 content coming into the DataPower appliance from a variety of entry points.

The problem can be externally triggered from malicious network data entering services as follows:
- compressed or signed or encrypted messages entering a B2B Gateway
- signed or encrypted messages entering a service with a cryptobin action set to verify or decrypt the messages

The problem can also be triggered from certain CLI commands (and their WebGUI/SOMA equivalents):
- boot image (firmware upgrade action)
- certificate (Crypto Certificate configuration)
- crypto-import (action)
- decrypt (deprecated S/MIME file crypto action)
- key (Crypto Key configuration)
- verify (deprecated S/MIME file crypto action)

This problem can also be triggered by modifying the contents of files used by existing Crypto Key and Crypto Certificate objects (the new file will be read at the next firmware restart or object reconfiguration). This problem is known as CVE-2012-2110.
Local fix
Restrict access to the affected CLI commands. There is no local fix for this problem in cryptobin and B2B Gateway services.
Problem summary
A vulnerability exists when parsing malicious, improperly formed ASN.1 data. It can cause unpredictable results, including an appliance restart. Malicious data can enter the appliance from the network when a service is configured to decrypt or perform signature verification, as B2B AS1/AS2/AS3 messages to be processed by a B2B Gateway, or as PKCS#7 or S/MIME traffic to be processed by a cryptobin action. In addition, various CLI commands that refer to ASN.1-encoded data can potentially be entry points for malicious data. This problem is known as CVE-2012-2110.
Problem conclusion
The fix is available in 3.8.2.14, 4.0.1.12, 4.0.2.8 and 5.0.0.0.
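As an added example (not IBM's code and not part of this APAR), the following script classifies a DataPower firmware version string against the fixed levels stated above, so an inventory of appliances can be triaged for the upgrade or the CLI-restriction workaround. It assumes versions are four-component dotted strings (major.minor.release.fixpack), that later fix packs on a fixed branch keep the fix, and that any version at or above 5.0.0.0 carries it; a branch the APAR does not list is reported as unknown rather than guessed at.

```python
# Added example: classify a DataPower firmware version against the fixed levels
# listed in APAR IC84088 (3.8.2.14, 4.0.1.12, 4.0.2.8, 5.0.0.0). Assumes dotted
# major.minor.release.fixpack version strings and that later fix packs on a
# fixed branch retain the fix. Not IBM's code.

from typing import List, Optional, Tuple

# Fixed levels from the APAR, keyed by the three-component branch they apply to.
FIXED_LEVELS = {
    (3, 8, 2): (3, 8, 2, 14),
    (4, 0, 1): (4, 0, 1, 12),
    (4, 0, 2): (4, 0, 2, 8),
}
# Everything at or above this version carries the fix (5.0.0.0 per the APAR).
FIXED_FROM = (5, 0, 0, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'a.b.c.d' into a tuple of ints; raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def ic84088_status(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for a firmware version string.

    'unknown' means the branch is not one the APAR lists, so this record says
    nothing about it and it must be checked against other sources.
    """
    v = parse_version(text)
    if v >= FIXED_FROM:
        return "fixed"
    fixed: Optional[Tuple[int, ...]] = FIXED_LEVELS.get(v[:3])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"


def triage(versions: List[str]) -> List[str]:
    """Return the versions that still need the firmware upgrade or, until then,
    the CLI-restriction workaround described under 'Temporary fix'."""
    return [v for v in versions if ic84088_status(v) != "fixed"]


if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    inventory = ["3.8.2.13", "3.8.2.14", "4.0.1.12", "4.0.2.7", "5.0.0.0", "4.0.3.1"]
    for fw in inventory:
        print(f"{fw:10s} {ic84088_status(fw)}")
    print("needs action:", triage(inventory))
```

Versions reported as unknown should not be treated as safe; they fall outside the branches this APAR covers and need a separate check.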
Temporary fix
Restrict access to the affected CLI commands (including commands that can modify ASN.1 data referenced by existing objects). There is no temporary fix for the network entry points.
Comments
APAR Information
APAR number
IC84088
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
402
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-06-12
Closed date
2012-07-25
Last modified date
2012-09-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DATAPOWER
Fixed component ID
DP1234567
Applicable component levels
R382 PSY UP
R401 PSY UP
R402 PSY UP
Document Information
Modified date:
11 February 2022