IBM Support

IC84088: ASN.1 PARSING VULNERABILITY IN SOME DATAPOWER SERVICES AND COMMANDS (CVE-2012-2110)

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • An appliance restart or other unpredictable behavior can be
triggered by malicious ASN.1 content coming into the DataPower
appliance from a variety of entry points.

The problem can be externally triggered from malicious network
data entering services as follows:
  - compressed or signed or encrypted messages entering a B2B
Gateway
  - signed or encrypted messages entering a service with a
cryptobin action set to verify or decrypt the messages

The problem can also be triggered from certain CLI commands (and
their WebGUI/SOMA equivalents):

  - boot image (firmware upgrade action)
  - certificate (Crypto Certificate configuration)
  - crypto-import (action)
  - decrypt (deprecated S/MIME file crypto action)
  - key (Crypto Key configuration)
  - verify (deprecated S/MIME file crypto action)

This problem can also be triggered by modifying the contents of
files used by existing Crypto Key and Crypto Certificate objects
(the new file will be read at the next firmware restart or
object reconfiguration).

This problem is known as CVE-2012-2110.

Local fix

  • Restrict access to the affected CLI commands.  There is no local
fix for this problem in cryptobin and B2B Gateway services.

Problem summary

  • A vulnerability exists when parsing malicious improperly-formed
ASN.1 data.  It can cause unpredictable results including an
appliance restart.

Malicious data can enter the appliance from the network
when a service is configured to decrypt or perform
signature verification, as B2B AS1/AS2/AS3 messages to
be processed by a B2B Gateway, or as PKCX#7 or S/MIME
traffic to be processed by a cryptobin action.  In addition,
various CLI commands that refer to ASN.1-encoded data can
potentially be entrypoints for malicious data.

   This problem is known as CVE-2012-2110.

Problem conclusion

  • The fix is available in 3.8.2.14, 4.0.1.12, 4.0.2.8 and 5.0.0.0.

Temporary fix

  • Restrict access to the affected CLI commands (including commands
that can modify ASN.1 data referenced by existing objects).
There is no temporary fix for the network entrypoints.

Comments

  • 



APAR Information




    

  • APAR number
    IC84088
    • 

  • Reported component name
    DATAPOWER
    • 

  • Reported component ID
    DP1234567
    • 

  • Reported release
    402
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2012-06-12
    • 

  • Closed date
    2012-07-25
    • 

  • Last modified date
    2012-09-05
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    DATAPOWER
    • 

  • Fixed component ID
    DP1234567
    • 



Applicable component levels


    

  • R382  PSY
       UP
    • 

  • R401  PSY
       UP
    • 

  • R402  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9H2Y","label":"IBM DataPower Gateway"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.0.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            11 February 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback