IT02314: CVE-2014-0224 - VULNERABILITY IN SSL CHANGECIPHERSPEC PROCESSING

Fix packs for DataPower XML Security Gateway version 6.0
Fix packs for DataPower B2B Appliance version 6.0
Fix packs for DataPower Integration Appliance version 6.0
Fix packs for DataPower Low Latency Appliance version 6.0
Fix packs for DataPower Service Gateway version 6.0
Fix packs for DataPower Service Gateway version 6.0.1
Fix packs for DataPower B2B Appliance version 6.0.1
Fix packs for DataPower Integration Appliance version 6.0.1

APAR status

• Closed as program error.

Error description

• A security vulnerability in ChangeCipherSpec processing allows
  intermediate nodes to intercept encrypted data and decrypt them
  and can force the use of weak keying material in SSL/TLS clients
  and servers.
  

Local fix

Problem summary

• An attacker using a carefully crafted handshake can force the
  use of weak keying material in SSL/TLS clients and servers. This
   can be exploited by a Man-in-the-middle (MITM) attack where the
   attacker can decrypt and modify traffic from the attacked
  client and server. The attack can only be performed between a
  vulnerable client *and* server.
  

Problem conclusion

• Fix is available in 5.0.0.15, 6.0.0.7, 6.0.1.3 and 7.0.0.0
  
  For a list of the latest fix packs available, please see:
  http://www-01.ibm.com/support/docview.wss?uid=swg21237631
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  DATAPOWER

• Fixed component ID

  DP1234567

Applicable component levels

• R500 PSY

     UP

• R600 PSY

     UP

• R601 PSY

     UP

• R700 PSY

     UP