IBM Support

PI19700: CVE-2014-0076: Local side-channel attack on ECDSA

Download


Abstract

IBM HTTP Server is potentially vulnerable to local side-channel attack on ECDSA.

Download Description

PI19700 resolves the following problem:


Error Description:
The GSKit v8 component in IBM HTTP Server 8.0 and later could allow a local attacker to obtain sensitive information, caused by an implementation error in ECDSA (Elliptic curve Digital Signature Algorithm).


IBM HTTP Server is affected only if ALL of the following conditions are true:

  • SSL is enabled
  • IHS is V8R0 or later
  • SSLCipherSpec has enabled ECDHE_ECDSA* ciphers
  • Configured certificate uses an ECC key rather than RSA
  • Configured certificate was created by a tool other than ikeyman or gskcapicmd.


Local Fix:
None

Problem Summary:
IHS 8.0 and later with GSKit versions prior to 8.0.50.20 are vulnerable to a local side-channel attack on ECDSA.

Problem Conclusion:
The GSKit security library has been updated. The interim fix upgrades GSKit to version 8.0.50.21.

IHS 8.0.0.9 is unaffected by this issue since its GSKit version of 8.0.50.20 contains the same fix, but this iFix will apply to 8.0.0.9 in order to update the GSKit to the 8.0.50.21 version.

This fix is targeted for IBM HTTP Server fix packs:
- 8.0.0.10
- 8.5.5.3

Prerequisites

None

Installation Instructions

The interim fix can be installed using Installation Manager (IM) with the Web-based ("live") repository provided by IBM. It might be necessary to de-select the "Show recommended only" option within IM and to expand "Only fixes for version 8.x.y.z" to see the fix listed.

The interim fix is also available from Fix Central at the link listed in the Download Package section below.

On
[{"DNLabel":"Fix for 8.5.0.0 - 8.5.5.2","DNDate":"1 Jul 2014","DNLang":"US English","DNSize":"151595274","DNPlat":{"label":"AIX","code":"PF002"},"DNURL":"http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.0.0-WS-WASIHS_GSKit-MultiOS-IFPI19700&productid=WebSphere Application Server&brandid=5","DNURL_FTP":" ","DDURL":" "},{"DNLabel":"Fix for 8.0.0.0 - 8.0.0.9","DNDate":"3 Jul 2014","DNLang":"US English","DNSize":"151648618","DNPlat":{"label":"AIX","code":"PF002"},"DNURL":"http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.0-WS-WASIHS_GSKit-MultiOS-IFPI19700&productid=WebSphere Application Server&brandid=5","DNURL_FTP":" ","DDURL":" "}]

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"IBM HTTP Server","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"8.5.5.2;8.5.5.1;8.5.5;8.5.0.2;8.5.0.1;8.5;8.0.0.8;8.0.0.7;8.0.0.6;8.0.0.5;8.0.0.4;8.0.0.3;8.0.0.2;8.0.0.1;8.0;8.0.0.9","Edition":"Advanced;Base;Enterprise;Express;Network Deployment;Single Server","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
15 June 2018

UID

swg24037906