Topic
  • 8 replies
  • Latest Post - ‏2014-06-22T18:53:43Z by JoeMorganNTST
JoeMorganNTST
427 Posts

Pinned topic OpenSSL Vulnerabilities published on 5 June 2014 - addressed by 6/19 fixpack

‏2014-06-05T19:29:48Z |

I know there are times that DataPower reports it is using OpenSSL, but, is it?  I need to determine if DataPower is vulnerable to the new OpenSSL Security vulnerability:

http://www.openssl.org/news/secadv_20140605.txt

 

Updated on 2014-06-19T21:22:24Z at 2014-06-19T21:22:24Z by HermannSW
  • KrithikaPrakash
    8 Posts

    Re: New SSL Vulnerability Announced - Is DataPower Affected?

    ‏2014-06-05T21:06:40Z  

    Please contact DataPower customer support for inquiries related to Security vulnerabilities.

  • amae
    5 Posts

    Re: New SSL Vulnerability Announced - Is DataPower Affected?

    ‏2014-06-06T08:34:20Z  

    Please contact DataPower customer support for inquiries related to Security vulnerabilities.

    Come on, just tell us. 

  • JoeMorganNTST
    427 Posts

    Re: New SSL Vulnerability Announced - Is DataPower Affected?

    ‏2014-06-06T15:53:55Z  

    Please contact DataPower customer support for inquiries related to Security vulnerabilities.

    So let me ask this another way.  Regarding the OpenSSL vulnerability noted above, is there anything we need to do within our DataPower SSL Proxies, forward or reverse, to mitigate any potential threat?

     

  • KrithikaPrakash
    8 Posts

    Re: New SSL Vulnerability Announced - Is DataPower Affected?

    ‏2014-06-06T22:27:30Z  

    So let me ask this another way.  Regarding the OpenSSL vulnerability noted above, is there anything we need to do within our DataPower SSL Proxies, forward or reverse, to mitigate any potential threat?

     

    The latest information has been published in this Technote. Please check back for updates.

    http://www-01.ibm.com/support/docview.wss?uid=swg21675501

  • HermannSW
    6019 Posts

    Re: New SSL Vulnerability Announced - Is DataPower Affected?

    ‏2014-06-19T21:20:20Z  

    The latest information has been published in this Technote. Please check back for updates.

    http://www-01.ibm.com/support/docview.wss?uid=swg21675501

    Technote has been updated.

    June fixpack has been released today (6/19), it contains fix for APAR IT02314.
    Security Bulletin: Websphere DataPower vulnerability in SSL ChangeCipherSpec processing (CVE-2014-0224)


    06/19/2014: Critical updates: Apply fix packs.
    http://www-01.ibm.com/support/docview.wss?uid=swg21390112#part2


    Hermann.

    Updated on 2014-06-20T19:40:20Z at 2014-06-20T19:40:20Z by HermannSW
  • JoeMorganNTST
    427 Posts

    Re: New SSL Vulnerability Announced - Is DataPower Affected?

    ‏2014-06-20T20:30:12Z  
    • HermannSW
    • ‏2014-06-19T21:20:20Z

    Technote has been updated.

    June fixpack has been released today (6/19), it contains fix for APAR IT02314.
    Security Bulletin: Websphere DataPower vulnerability in SSL ChangeCipherSpec processing (CVE-2014-0224)


    06/19/2014: Critical updates: Apply fix packs.
    http://www-01.ibm.com/support/docview.wss?uid=swg21390112#part2


    Hermann.

    If this was released on the 19th, how is this fix already available in the V7 firmware?

  • HermannSW
    6019 Posts

    Re: New SSL Vulnerability Announced - Is DataPower Affected?

    ‏2014-06-21T00:18:49Z  

    If this was released on the 19th, how is this fix already available in the V7 firmware?

    The fixes for 5.0.0/6.0.0/6.0.1 release branches were released on 6/19.

    The fix for CVE-2014-0224 was the very last change before 7.0.0.0 was released on 6/13.

  • JoeMorganNTST
    427 Posts

    Re: New SSL Vulnerability Announced - Is DataPower Affected?

    ‏2014-06-22T18:53:43Z  
    • HermannSW
    • ‏2014-06-21T00:18:49Z

    The fixes for 5.0.0/6.0.0/6.0.1 release branches were released on 6/19.

    The fix for CVE-2014-0224 was the very last change before 7.0.0.0 was released on 6/13.

    OK.  That's good news.  Thanks.