IBM HTTP Server is potentially vulnerable to a local side-channel attack on ECDSA.
PI19700 resolves the following problem:
The GSKit v8 component in IBM HTTP Server 8.0 and later could allow a local attacker to obtain sensitive information, caused by an implementation error in ECDSA (Elliptic Curve Digital Signature Algorithm).
IBM HTTP Server is affected only if ALL of the following conditions are true:
- SSL is enabled
- IHS is V8R0 or later
- SSLCipherSpec has enabled ECDHE_ECDSA* ciphers
- Configured certificate uses an ECC key rather than RSA
- Configured certificate was created by a tool other than ikeyman or gskcapicmd.
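A triage helper for the two conditions above that can be read from httpd.conf (SSL enabled, ECDHE_ECDSA ciphers enabled through SSLCipherSpec), as an added example that is not IBM code. The function name `triage` and the sample configuration are constructed for illustration; the IHS level, the certificate key type and the tool that created the certificate still have to be checked by hand.

```python
# Constructed sample httpd.conf fragment (not taken from the advisory).
SAMPLE_CONF = """\
Listen 443
<VirtualHost *:443>
    SSLEnable
    # SSLCipherSpec TLSv12 +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    SSLCipherSpec ALL NONE
    SSLCipherSpec TLSv12 +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +TLS_RSA_WITH_AES_128_GCM_SHA256
</VirtualHost>
"""


def triage(conf_text):
    """Report the advisory conditions that are visible in an IHS config.

    Assumption: ciphers are enabled with SSLCipherSpec tokens that carry
    no prefix or a '+' prefix, and removed with a '-' prefix. Scope
    (VirtualHost) and directive ordering are not modelled, so the result
    errs toward reporting a cipher as enabled.
    """
    ssl_enabled = False
    ecdsa_ciphers = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        tokens = line.split()
        directive = tokens[0].lower()  # directive names are case-insensitive
        if directive == "sslenable":
            ssl_enabled = True
        elif directive == "sslcipherspec":
            for tok in tokens[1:]:
                if tok.startswith("-"):
                    continue  # explicit removal, not an enable
                name = tok.lstrip("+")
                if "ECDHE_ECDSA" in name.upper():
                    ecdsa_ciphers.add(name)
    return {
        "ssl_enabled": ssl_enabled,
        "ecdhe_ecdsa_ciphers": sorted(ecdsa_ciphers),
        # True means: go on to check IHS level, key type and cert origin.
        "needs_manual_check": ssl_enabled and bool(ecdsa_ciphers),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CONF))
```

A result with `needs_manual_check` set to `False` means at least one of the listed conditions is not met by that configuration file.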
IHS 8.0 and later with GSKit versions prior to 188.8.131.52 are vulnerable to a local side-channel attack on ECDSA.
The GSKit security library has been updated. The interim fix upgrades GSKit to version 184.108.40.206.
IHS 220.127.116.11 is unaffected by this issue because its GSKit version, 18.104.22.168, contains the same fix. This iFix will nevertheless apply to 22.214.171.124 in order to update GSKit to version 126.96.36.199.
This fix is targeted for IBM HTTP Server fix packs:
The interim fix can be installed using Installation Manager (IM) with the Web-based ("live") repository provided by IBM. It might be necessary to de-select the "Show recommended only" option within IM and to expand "Only fixes for version 8.x.y.z" to see the fix listed.
The interim fix is also available from Fix Central at the link listed in the Download Package section below.
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
15 June 2018