There is an OpenSSL vulnerability that could allow an attacker to compromise
the IBM Endpoint Manager root server signing key. Both Windows and Linux
server deployments are affected. Note that the site admin key cannot be
compromised using this vulnerability.
* If you are using Endpoint Manager 9.0 or earlier, you are unaffected. You
should delay upgrading to 9.1 until a patch is released. We have removed the
9.1 upgrade fixlets from BES Support.
* If you are using Endpoint Manager 9.1, you can mitigate your exposure to
this vulnerability by taking the following steps until a 9.1 patch is
1) Limit network access to the root server to only trusted hosts.
2) Rotate the server signing key on the root server on a regular basis [a].
3) If any custom HTTPS keys are being used in the root server or web
reports, those keys should also be rotated.
4) Avoid sending any sensitive data via mailboxes or secure parameters to
relays or the root server.
5) Consider temporarily disconnecting any internet-facing relays.
An OpenSSL vulnerability was announced today in versions 1.0.1 and 1.0.2 of
OpenSSL. This vulnerability is officially named "TLS heartbeat read overrun
(CVE-2014-0160)" and has come to be colloquially named "The Heartbleed Bug".
Official advisory : http://www.openssl.org/news/secadv_20140407.txt
More details : http://heartbleed.com
Any software that uses an affected version of OpenSSL and is a TLS server is
This vulnerability affects IBM Endpoint Manager version 9.1. Other versions of
Endpoint Manager (9.0.* and earlier) are not affected by this vulnerability
because they use an earlier version of OpenSSL.
This vulnerability impacts IBM Endpoint Manager in several ways. An attacker
that can send network requests to the root server can read the root server's
memory and obtain the server signing private key. This key could be used, as
part of a man-in-the-middle attack, to impersonate the root server and obtain
console login credentials. It can also be used to forge actions that agents
will accept as authentic.
An attacker that can send network requests to a 9.1 relay can read the relay's
memory and obtain the private key of the agent on the relay machine. This key
can be used to read the contents of mailboxes and secure parameters sent to
the target agent. It can also be used to impersonate reports from the agent
that the server will accept as genuine.
If you are using any custom SSL certificates for a 9.1 root server or web
reports server, the private keys for those certificates could be compromised.
If you are using these keys on any other systems, you should rotate them
The IBM Endpoint Manager team is working on a patch release that will fix this
vulnerability. We will make this patch available as soon as possible, and we
recommend that you make plans to upgrade from 9.1 to the patch release as soon
as it is available.