Security Bulletin: IBM Endpoint Manager 9.1.1065 – OpenSSL Vulnerability Update (CVE-2014-0160)
APTNinja
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a missing bounds check in the TLS/DTLS heartbeat extension (RFC 6520) handling. An attacker could exploit this vulnerability to expose up to 64 KB of process memory per heartbeat request and, by repeating requests, retrieve secret keys, session cookies and other private data. This vulnerability can be remotely exploited, authentication is not required and the exploit is not complex. An exploit can only partially affect confidentiality, but not integrity or availability.
CVSS Base Score: 5.0 (CVSS v2 vector AV:N/AC:L/Au:N/C:P/I:N/A:N)
Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment may be more serious than indicated by the CVSS score.
* The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
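The heartbeat defect the description refers to, shown as an added example that is not IBM's or OpenSSL's code: a C model of a TLS heartbeat handler with the pre-fix logic beside the checked version. The simulated memory layout, the "SECRET-KEY-..." marker standing in for adjacent heap data, the zeroed padding (OpenSSL used random padding) and the function names are constructed for this demo; the bounds check in the fixed handler is the one OpenSSL 1.0.1g added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: type (1) | payload_length (2, big-endian) | payload | padding (>= 16).
 * record_len is how many bytes the record layer actually delivered. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define RECORD_LEN  (3 + 2 + HB_PADDING)   /* header + "hi" + 16 bytes of padding = 21 bytes */

/* Constructed "process memory": the 21-byte record the peer really sent, followed by
 * unrelated data (standing in for the adjacent heap) that must never be echoed back. */
static const unsigned char g_memory[128] =
    "\x01\x00\x40"                        /* HeartbeatRequest, payload_length = 64 (a lie) */
    "hi"                                  /* the 2 payload bytes actually present */
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"    /* 16 bytes of padding */
    "SECRET-KEY-MATERIAL-THAT-MUST-NOT-LEAK";

/* Constructed honest request: payload_length = 2 matches the 2 bytes sent. */
static const unsigned char g_honest[32] =
    "\x01\x00\x02" "hi" "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";

/* Pre-fix behaviour: trusts payload_length and copies that many bytes from the
 * payload, regardless of how long the record actually was. Returns response
 * length or -1. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                unsigned char *resp, size_t resp_cap)
{
    if (record_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t out_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (out_len > resp_cap) return -1;       /* demo guard only; OpenSSL allocated exactly out_len */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);      /* BUG: reads past the delivered record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)out_len;
}

/* Fixed behaviour: the declared payload plus header and minimum padding must fit
 * inside the record that arrived; otherwise the message is silently discarded. */
static int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                           unsigned char *resp, size_t resp_cap)
{
    if (record_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return -1;   /* the missing check */
    size_t out_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (out_len > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);      /* now provably within the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)out_len;
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's response carries the adjacent "secret" bytes. */
int vulnerable_leaks_secret(void)
{
    unsigned char resp[256];
    int n = heartbeat_vulnerable(g_memory, RECORD_LEN, resp, sizeof resp);
    return n > 0 && contains(resp, (size_t)n, "SECRET-KEY");
}

/* 1 if the fixed handler discards the same malformed request. */
int fixed_drops_malformed(void)
{
    unsigned char resp[256];
    return heartbeat_fixed(g_memory, RECORD_LEN, resp, sizeof resp) == -1;
}

/* 1 if both handlers answer an honest request identically (the fix is not a regression). */
int both_answer_honest_request(void)
{
    unsigned char a[256], b[256];
    int na = heartbeat_vulnerable(g_honest, RECORD_LEN, a, sizeof a);
    int nb = heartbeat_fixed(g_honest, RECORD_LEN, b, sizeof b);
    return na == RECORD_LEN && nb == RECORD_LEN && memcmp(a, b, (size_t)na) == 0
           && memcmp(a + 3, "hi", 2) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent memory: %d\n", vulnerable_leaks_secret());
    printf("fixed handler drops malformed request:    %d\n", fixed_drops_malformed());
    printf("both handle an honest request:            %d\n", both_answer_honest_request());
    return 0;
}
```

The 64-byte figure in the demo is arbitrary; payload_length is a 16-bit field, so a real request can claim up to 65535 bytes, which is where the "64k per request" in the description comes from.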
Affected Products and Versions
If you are using version 9.1.1065 of the IBM Endpoint Manager Platform, you should upgrade to 9.1.1082.
Software Use Analysis / Security Compliance Analytics
If you are using SUA 1.x, SUA 2.x/9.x, or SCA with an IEM platform version earlier than 9.1, you are unaffected.
If you are using SUA 2.2 Patch 3 (only if deployed on IEM platform 9.1), SUA 9.1 or SCA (if deployed on IEM platform 9.1), you can mitigate your exposure to this vulnerability by taking the following steps:
If you have already downloaded the product, we recommend that you do not install it and that you delete the downloaded packages.
If you have already installed it, follow the recommendations outlined in the security vulnerability note and apply a patch as soon as it becomes available.
Packages with the vulnerability have already been removed from the IBM site. A patch will be published shortly.
MDT Bundle Creator 3.3 is affected by this vulnerability only when using an https proxy to download packages. Not using a proxy, or downloading and caching the files ahead of time, avoids the use of OpenSSL and therefore the related vulnerability.
The patched MDT Bundle Creator version 3.3.12 has been released. This version of the MDT Bundle Creator disables the proxy functionality when an https proxy is referenced. The new MDT Bundle Creator is available in OS Deployment and Bare Metal Imaging Site Version 37 or higher.
All Endpoint Manager integrated versions of Remote Control are affected by this vulnerability. Hotfixes will be released as soon as they are available.
The following products are not affected by this vulnerability:
Operating System Patch Content
OS Patch streams are being closely monitored and patches will be released as quickly as possible.
Red Hat Enterprise Linux 6
AIX (Interim Fix)
SUSE Linux Enterprise Server
Pending Update from OS Vendor
11 April 2014: Original Copy Published
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.