Download
Abstract
IBM HTTP Server is potentially vulnerable to local side-channel attack on ECDSA.
Download Description
PI19700 resolves the following problem:
Error Description:
The GSKit v8 component in IBM HTTP Server 8.0 and later could allow a local attacker to obtain sensitive information, caused by an implementation error in ECDSA (Elliptic curve Digital Signature Algorithm).
IBM HTTP Server is affected only if ALL of the following conditions are true:
- SSL is enabled
- IHS is V8R0 or later
- SSLCipherSpec has enabled ECDHE_ECDSA* ciphers
- Configured certificate uses an ECC key rather than RSA
- Configured certificate was created by a tool other than ikeyman or gskcapicmd.
Local Fix:
None
Problem Summary:
IHS 8.0 and later with GSKit versions prior to 8.0.50.20 are vulnerable to a local side-channel attack on ECDSA.
Problem Conclusion:
The GSKit security library has been updated. The interim fix upgrades GSKit to version 8.0.50.21.
IHS 8.0.0.9 is unaffected by this issue since its GSKit version of 8.0.50.20 contains the same fix, but this iFix will apply to 8.0.0.9 in order to update the GSKit to the 8.0.50.21 version.
This fix is targeted for IBM HTTP Server fix packs:
- 8.0.0.10
- 8.5.5.3
Prerequisites
None
Installation Instructions
The interim fix can be installed using Installation Manager (IM) with the Web-based ("live") repository provided by IBM. It might be necessary to de-select the "Show recommended only" option within IM and to expand "Only fixes for version 8.x.y.z" to see the fix listed.
The interim fix is also available from Fix Central at the link listed in the Download Package section below.
Technical Support
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
Problems (APARS) fixed
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg24037906