Critical Security Patch (9.1.1117) for IBM Endpoint Manager Platform
DanielHwang 270005RBGE Visits (2081)
IBM Endpoint Manager 9.1.1117 (9.1 patch 3) is an emergency patch release to close a recently announced vulnerability (CVE-2014-0224) in the OpenSSL library used by IEM. This patch contains a new release of the OpenSSL library that closes this vulnerability. IEM 9.1 customers should upgrade to this new patch release in order to close the vulnerability. All IEM components have been upgraded with OpenSSL-1.0.1h and are available for upgrade.
IEM 9.1 (9.1.1065, 9.1.1082, and 9.1.1088) is the only version affected. Previous versions (8.1, 8.2, and 9.0) are not affected.
This vulnerability can be exploited by a Man-in-the-middle (MITM) attack allowing an attacker to eavesdrop and make modifications between Root Server, Web Reports, Relay, and Proxy Agent communications. An eavesdropping attacker can obtain console login credentials. (Note that neither the site admin key nor the server signing private key are exposed by this vulnerability, so it is not necessary to rotate keys after upgrade.)
For the official OpenSSL advisory, check:
This vulnerability is known as the ChangeCipherSpec (CCS) Injection Vulnerability. For more details about it, check:
The IBM Security Bulletin for this patch is located here: