Thursday, 31 January 2013

Security Bulletin: An IBM Business Process Manager SSL connection can be established without host name verification: CVE-2012-5785

I'm reposting this from this IBM Flash:

Security Bulletin: An IBM Business Process Manager SSL connection can be established without host name verification: CVE-2012-5785

Abstract

A Secure Sockets Layer (SSL) connection can be established without host name verification, which can make the connection vulnerable to a man-in-the-middle attack.

Content

While obtaining an SSL connection, the IBM Business Process Management (BPM) system does not validate the host name of the target connection against the SubjectDN of the certificate. This situation can make the connection vulnerable to a man-in-the-middle attack.

CVE ID: CVE-2012-5785
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79830 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

REMEDIATION

To eliminate a man-in-the-middle attack, apply Interim Fixes JR45329, JR45216, and JR45071, or apply a Fix Pack that contains these APARs. These changes verify the host name against the certificate SubjectDN value. Using the following links, download the interim fixes from IBM Fix Central for IBM Integration Designer, Business Space (IBM Business Monitor) and your applicable IBM Business Process Manager product:
• IBM Integration Designer: APAR JR45329
• Business Space: APAR JR45216
• IBM Business Process Manager Standard: APAR JR45071
• IBM Business Process Manager Express: APAR JR45071
• IBM Business Process Manager Advanced: APAR JR45071
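As an added illustration (not IBM's code and not part of the Flash), the Python below shows the check the fixes introduce: the host name that was dialled is matched against the names in the presented certificate, preferring subjectAltName entries and falling back to the SubjectDN common name, and a client context is built that enforces that check. The certificate dict and all host names are constructed sample values.

```python
import ssl
from typing import List, Mapping, Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, for a
# hypothetical BPM server certificate (names are made up for this example).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "bpm.example.com"),)),
    "subjectAltName": (("DNS", "bpm.example.com"), ("DNS", "*.bpm.example.com")),
}


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: case-insensitive; '*' allowed only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix, labels = pattern[2:], host.split(".")
    # The wildcard covers exactly one label and must leave at least two more.
    return len(labels) >= 3 and ".".join(labels[1:]) == suffix


def cert_names(cert: Mapping) -> List[str]:
    """DNS names the certificate was issued for: SANs if present, else the SubjectDN CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]


def host_matches_cert(host: str, cert: Mapping) -> bool:
    """The check the bulletin describes as missing: does the target host name appear
    in the peer certificate?  False means the certificate belongs to some other host."""
    return any(_name_matches(name, host) for name in cert_names(cert))


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context with the stdlib equivalent of the fix: the peer certificate must
    chain to a trusted CA and its name must match the host that was dialled."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # the verification whose absence CVE-2012-5785 describes
    return ctx


def context_enforces_hostname(ctx: ssl.SSLContext) -> bool:
    """Quick audit helper: True only if both CA validation and host name checking are on."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED
```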

Please refer to the IBM Flash for further details, including the recommended fixes.
